[dev.icinga.com #12201] Improve error messages for failed certificate validation #4386

Closed
icinga-migration opened this issue Jul 21, 2016 · 6 comments
Labels
area/distributed Distributed monitoring (master, satellites, clients) enhancement New feature or request
Milestone

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12201

Created by pef on 2016-07-21 20:04:12 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2016-07-25 07:25:04 +00:00)
Target Version: 2.5.0
Last Update: 2016-08-22 11:55:57 +00:00 (in Redmine)

Backport?: Not yet backported
Include in Changelog: 1

Certificate validation for distributed setups lacks a proper explanation (from OpenSSL). In my case, we've been using SSL certificates with NsCertType = server, which failed the certificate validation as its purpose is not that of a client certificate. While OpenSSL provides this information, Icinga has so far only logged that the certificate is not signed by the CA, which is wrong. So an adjustment might be required.

Attachments

Changesets

2016-07-25 07:22:35 +00:00 by pef 431c110

Improve error reporting for the client certificate check

Until now, client certificates that have failed verification were reported as not being signed by the CA. That is not true for all cases. This patch adds an explanation in the debug log why verification failed.

fixes #12201

2016-07-25 07:23:19 +00:00 by gbeutner be21a5a

Update AUTHORS

refs #12201
@icinga-migration

Updated by pef on 2016-07-21 20:10:17 +00:00

  • File added 0001-Improved-error-reporting-for-the-client-certificate-.patch

Attached patch should solve the problem. Please be gentle, I'm not the coding kind of guy :)

@icinga-migration

Updated by gbeutner on 2016-07-25 07:18:26 +00:00

  • Status changed from New to Assigned
  • Assigned to set to gbeutner
  • Target Version set to 2.5.0

@icinga-migration

Updated by gbeutner on 2016-07-25 07:20:55 +00:00

I'm not really a fan of using separate Log() calls to report information about the same problem. I'll clean up the patch a bit and merge it. :)

@icinga-migration

Updated by gbeutner on 2016-07-25 07:22:56 +00:00

[2016-07-25 09:22:10 +0200] information/ApiListener: New client connection for identity 'test' (certificate validation failed: code 18: self signed certificate)
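
An added example, not part of the original issue or of the Icinga code base: with the OpenSSL verify code now in the log message, failed client connections can be triaged by cause instead of all reading as "not signed by the CA". The message format is taken from the log line quoted above; every sample line after the first, the host names and the hint texts are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
[2016-07-25 09:22:10 +0200] information/ApiListener: New client connection for identity 'test' (certificate validation failed: code 18: self signed certificate)
[2016-07-25 09:23:41 +0200] information/ApiListener: New client connection for identity 'sat1.example.org' (certificate validation failed: code 26: unsupported certificate purpose)
[2016-07-25 09:23:55 +0200] information/ApiListener: New client connection for identity 'sat1.example.org' (certificate validation failed: code 26: unsupported certificate purpose)
[2016-07-25 09:24:02 +0200] information/ApiListener: New client connection for identity 'agent2.example.org'
"""

# OpenSSL X509_V_ERR_* codes mapped to an operator hint (hint wording is illustrative).
HINTS = {
    10: "certificate has expired; reissue it",
    18: "leaf is self-signed; it was not issued by the cluster CA",
    20: "issuer not found locally; check the CA file on this node",
    26: "certificate purpose (e.g. nsCertType = server) does not allow client use",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \w+/ApiListener: New client connection for identity "
    r"'(?P<identity>[^']*)'"
    r"(?: \(certificate validation failed: code (?P<code>\d+): (?P<reason>.*)\))?$"
)

def summarize(log_text):
    """Return {identity: {(code, reason): count}} for failed validations only."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("code") is None:
            continue  # unrelated line, or a connection without a validation failure
        key = (int(m.group("code")), m.group("reason"))
        failures[m.group("identity")][key] += 1
    return {ident: dict(counts) for ident, counts in failures.items()}

def report(log_text):
    """One human-readable line per identity and failure cause."""
    lines = []
    for ident, counts in sorted(summarize(log_text).items()):
        for (code, reason), n in sorted(counts.items()):
            hint = HINTS.get(code, "see the OpenSSL verify documentation for this code")
            lines.append(f"{ident}: {n}x code {code} ({reason}) -> {hint}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
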

@icinga-migration

Updated by pef on 2016-07-25 07:25:04 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 431c110.

@icinga-migration

Updated by gbeutner on 2016-08-22 11:55:57 +00:00

  • Subject changed from Better description on failed certificate validation to Improve error messages for failed certificate validation

@icinga-migration icinga-migration added enhancement New feature or request area/distributed Distributed monitoring (master, satellites, clients) labels Jan 17, 2017
@icinga-migration icinga-migration added this to the 2.5.0 milestone Jan 17, 2017