wbemcli query results in an error indicating the problem with the local SSL Certificate.
We are querying a CIMOM which has the latest tlsv1_2 mandated. I have provided the respective certificates on the command line with the query, as mentioned below.
[root@rhel63 Pegasus]# wbemcli -noverify -nl ein 'https://root:static1234@10.227.17.11:15989/root/emulex:CIM_SoftwareIdentity' -clientcert /etc/Pegasus/client.pem -clientkey /etc/Pegasus/server.pem
*
* wbemcli: Http Exception: Problem with the local SSL certificate
*
The CIMServer traces show the logs below:
[root@rhel63 Pegasus]# tail -f /var/lib/Pegasus/cache/trace/cimserver.trc
1410738842s-343312us: Http [24195:140554987706336:HTTPAcceptor.cpp:944]: HTTPAcceptor: SSL_accept() pending
1410738842s-384880us: SSL [24195:140554987706336:TLS.cpp:411]: Shutdown SSL_accept(). Error Code: 5 Error string: error:00000000:lib(0):func(0):reason(0)
1410738842s-384919us: DiscardedData [24195:140554987706336:HTTPConnection.cpp:2115]: HTTPConnection: SSL_accept() failed
1410738885s-829931us: Http [24195:140554987706336:HTTPAcceptor.cpp:944]: HTTPAcceptor: SSL_accept() pending
1410738885s-951851us: SSL [24195:140554987706336:TLS.cpp:411]: Shutdown SSL_accept(). Error Code: 5 Error string: error:00000000:lib(0):func(0):reason(0)
1410738885s-951897us: DiscardedData [24195:140554987706336:HTTPConnection.cpp:2115]: HTTPConnection: SSL_accept() failed
We need to know whether the input arguments mentioned in the query are correct and sufficient.
Please do let us know if some additional parameters need to be given/changed along with the default parameters.
Your cmdline looks basically correct: you do not want to verify the server but you do want the server to verify the client.
I think this is just a basic SSL authentication error, i.e. it cannot establish a trust chain for the client cert since it has no copy of that cert, or some signing CA cert, in its truststore. Either that, or it is some configuration problem on the OP side.
You should see some error in your CIMOM log, i.e. some SSL alert message. (If it were SFCB you definitely would.) You might be able to see some more detail client-side by setting "export CURLDEBUG=yes" before running wbemcli. This will show you the error seen by curl.
If that does not reveal the problem, test your server using the openssl s_client utility, using your client-side certs. Once you get that working, try again with wbemcli.
You can also refer to the SFCB documentation here, as much of the info is general SSL stuff.
http://sblim.sourceforge.net/wiki/index.php/SfcbSsl
Let me know if you have problems following that.
Looking again... I see the problem. You are testing on a local machine, trying to use OP's own certificates for authentication. You want to use "file.pem" for -clientkey, not "server.pem".
Closing, if no further concerns. NOTABUG
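Added example (not part of the original thread, and not sblim or OpenPegasus code): a shell check that the files given as -clientcert and -clientkey really are a matching certificate and private key, the mistake identified in the reply above. The function names and the throwaway self-signed certificates it generates are assumptions made for illustration; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: confirm a client certificate and private key are a pair
# before handing them to wbemcli as -clientcert / -clientkey.

# Public key (PEM) embedded in an X.509 certificate file.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key file; fails when the file
# holds no private key (for example, when it is itself a certificate).
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 = pair matches, 1 = both parse but differ, 2 = a file is unusable.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# One-word verdict for a -clientcert / -clientkey combination.
describe_pair() {
    local rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK" ;;
        1) echo "MISMATCH" ;;
        *) echo "UNUSABLE" ;;
    esac
}

# Constructed throwaway data: self-signed cert and key named after $1 in dir $2.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" >/dev/null 2>&1
}

demo() {
    local dir; dir=$(mktemp -d)
    make_sample_pair client "$dir"; make_sample_pair server "$dir"
    echo "client.crt + client.key: $(describe_pair "$dir/client.crt" "$dir/client.key")"
    echo "client.crt + server.key: $(describe_pair "$dir/client.crt" "$dir/server.key")"
    echo "client.crt + server.crt: $(describe_pair "$dir/client.crt" "$dir/server.crt")"
    rm -rf "$dir"
}
demo
```

Against real files, call describe_pair with the two paths you intend to pass to wbemcli; anything other than OK means the TLS library will reject the local certificate before the handshake completes.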