Menu

#4279 https SSL certificate monitor fails "uninstalled" on 1.64

Other
closed-fixed
nobody
https monitor (1)
5
2013-08-16
2013-08-15
Richard Farthing
No

Monitor 'SSL Certificate' has detected that the service is uninstalled at 15/Aug/2013 02:00
- immediately after install of 1.64.

  • This is a monitor for a https URL.
    A similar monitor for a certificate file is however still OK

All of the following Perl modules recommended by Webmin are installed : Authen::Libwrap Authen::PAM DBD::mysql DBI IO::Pty Net::LDAP Net::SSLeay Sys::Syslog

Discussion

  • Jamie Cameron

    Jamie Cameron - 2013-08-15

    This could happen if the openssl command cannot connect to the system you are monitoring the SSL cert for. Check that your webmin box is able to connect to port 443 on the remote webserver.

     

  • Richard Farthing

    Richard Farthing - 2013-08-15

    Hi,
    It's a bit weird because it says "uninstalled" not "down".
    I tried https://www.hsbc.co.uk which obviously has a valid certificate - and that fails too. But a local check via certificate file on the Apache server is OK.
    The server definitely can access all sites - it's a network Squid proxy too. Anyway the server I'm checking is local to the machine, I want to check via HTTPS not cert file
    I also did the module update (Updating module apache to version 1.642)

    Suggests to me maybe a missing perl module - is there a new dependency?

     

  • Jamie Cameron

    Jamie Cameron - 2013-08-15

    Webmin uses the "uninstalled" status to indicate that it couldn't check if the cert was valid or not due to some underlying issue (such as inability to connect to the remote server).

    Does your system have direct access to the remote webserver? Webmin won't use a proxy in this case.

     

  • Richard Farthing

    Richard Farthing - 2013-08-15

    Yes, it has direct access to the remote server and the local one (same result for both). I checked logs - nothing stands out - can I turn on more detailed logging? Thanks

     

  • Jamie Cameron

    Jamie Cameron - 2013-08-15

    I'd suggest SSHing into the system and running the same openssl command Webmin does, to see if it works or not. Something like :

    openssl s_client -host www.hsbc.co.uk -servername www.hsbc.co.uk -port 443

     

  • Richard Farthing

    Richard Farthing - 2013-08-15

    My openssl is OpenSSL 0.9.8g
    The command that works seems to be
    openssl s_client -connect www.hsbc.co.uk:443
    This returns the response below.
    My local machine (the one I want to monitor) provides something similar

    CONNECTED(00000003)
    depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0

    Certificate chain
    0 s:/1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=Private Organization/serialNumber=00617987/C=GB/postalCode=E14 5HQ/ST=London/L=London/streetAddress=8 Canada Square/O=HSBC Holdings plc/OU=ITNS WGDC/CN=www.hsbc.co.uk
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGdDCCBVygAwIBAgIQXA4e6OXDI4aVpMAi8z0sxzANBgkqhkiG9w0BAQUFADCB
    vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
    ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
    YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
    VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
    HhcNMTIwMzIzMDAwMDAwWhcNMTQwMzI0MjM1OTU5WjCB6zETMBEGCysGAQQBgjc8
    AgEDEwJHQjEdMBsGA1UEDxMUUHJpdmF0ZSBPcmdhbml6YXRpb24xETAPBgNVBAUT
    CDAwNjE3OTg3MQswCQYDVQQGEwJHQjEQMA4GA1UEERQHRTE0IDVIUTEPMA0GA1UE
    CBMGTG9uZG9uMQ8wDQYDVQQHFAZMb25kb24xGDAWBgNVBAkUDzggQ2FuYWRhIFNx
    dWFyZTEaMBgGA1UEChQRSFNCQyBIb2xkaW5ncyBwbGMxEjAQBgNVBAsUCUlUTlMg
    V0dEQzEXMBUGA1UEAxQOd3d3LmhzYmMuY28udWswggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQDSgHxob//z1pgKw0I5woE24t1LQZACjtJCEhsNrbncvddU
    5Jtp1Uxh0v30P/0cELnZ1P6fwwGrgKPI06Xv2bPs5pzznM34W1QF49KeJqYViqSi
    RR/Cqj1a8XMx0740Cp5Mu7Fqq+zmsF++hcXP50Ci8hGVhYAB9TStAaadmhVb0bE7
    WaFJh/E662xCbfxJZpQwcbr+Bfs7m/ugWj1okleFKTKrtsM7miPnupZtSMl2e3oH
    na4SoDuHEMb+/RraCY0w2DrsJ2hn86ZQSSCO4ELfNyzdWHX1oNM80L86yEdT9qyH
    3hXoMDTDo3gjsJMbZMH8lbt5kjMBJosdQNbVcbMnAgMBAAGjggI9MIICOTBHBgNV
    HREEQDA+ggpoc2JjLmNvLnVrgg53d3cuaHNiYy5jby51a4IPd3d3MS5oc2JjLmNv
    LnVrgg93d3cyLmhzYmMuY28udWswCQYDVR0TBAIwADAdBgNVHQ4EFgQUV317e8Cu
    8bVd+O99BYY/HUrur5gwCwYDVR0PBAQDAgWgMD4GA1UdHwQ3MDUwM6AxoC+GLWh0
    dHA6Ly9FVkludGwtY3JsLnZlcmlzaWduLmNvbS9FVkludGwyMDA2LmNybDBEBgNV
    HSAEPTA7MDkGC2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
    LnZlcmlzaWduLmNvbS9ycGEwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUFBwMC
    BglghkgBhvhCBAEwHwYDVR0jBBgwFoAUTkPIHXbvN1N6T/JYb5TzOOLVvd8wdgYI
    KwYBBQUHAQEEajBoMCsGCCsGAQUFBzABhh9odHRwOi8vRVZJbnRsLW9jc3AudmVy
    aXNpZ24uY29tMDkGCCsGAQUFBzAChi1odHRwOi8vRVZJbnRsLWFpYS52ZXJpc2ln
    bi5jb20vRVZJbnRsMjAwNi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJ
    aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYk
    aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEB
    BQUAA4IBAQBGPBH+MgQyCz0/mN4hTuzbVXiMM+kYj5bWPGzJpZCW9GNV2vyBSEd3
    BQUulGeTAmsgKPT/6NR84ToATvEz+iZYlKFJpjINtWWH86NVeI4rggG6sgmxnia7
    nEp4gvP5a9rRMjc3ExVqLFYtByZGwuQB5rYQ+8N3JpCgdSo4IsbqXou5R5AWWw0M
    8sznj9zgocelbTjwd42JtQtbGEKgvElESokbJn6K5qDOKTCjOxZ/jfzke1sb+Ggz
    9fqEyP+zkaFSQpM561QJH+gTVHYOjWBS4ThZHpJXEMG8nJVvmdlR9MZZ5wEXtlWw
    bivvtk8qhXPSyfI7Qj85nTzP2gI12Pql
    -----END CERTIFICATE-----
    subject=/1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=Private Organization/serialNumber=00617987/C=GB/postalCode=E14 5HQ/ST=London/L=London/streetAddress=8 Canada Square/O=HSBC Holdings plc/OU=ITNS WGDC/CN=www.hsbc.co.uk
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA

    No client certificate CA names sent

    SSL handshake has read 4665 bytes and written 450 bytes

    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 2048 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : RC4-SHA
    Session-ID: 6CC2ABCDE62D943E80349C91E013E275B4F501A96B3AAEB331D75103B2F6B5DE
    Session-ID-ctx:
    Master-Key: 876B99360E6B0D109717FB50A95ED31884FD3408C6DF33D3128CD1002A69324FD457BE2BAE9F7AC4A8182B10D5025354
    Key-Arg : None
    Start Time: 1376606797
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

     

  • Jamie Cameron

    Jamie Cameron - 2013-08-15

    What if you run the command that Webmin uses :

    openssl s_client -host www.hsbc.co.uk -servername www.hsbc.co.uk -port 443

     

  • Richard Farthing

    Richard Farthing - 2013-08-16

    My version of openssl doesn't recognise that command. Perhaps it's changed?
    unknown option -servername
    usage: s_client args

     

  • Jamie Cameron

    Jamie Cameron - 2013-08-16
    • status: open --> closed-fixed
     

  • Jamie Cameron

    Jamie Cameron - 2013-08-16

    Ok, that explains it. The next release of Webmin (which will be out soon) will handle this case properly.

     

Log in to post a comment.