[dev.icinga.com #12201] Improve error messages for failed certificate validation #4386

Closed
icinga-migration opened this issue Jul 21, 2016 · 6 comments

@icinga-migration commented Jul 21, 2016

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12201

Created by pef on 2016-07-21 20:04:12 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2016-07-25 07:25:04 +00:00)
Target Version: 2.5.0
Last Update: 2016-08-22 11:55:57 +00:00 (in Redmine)

Backport?: Not yet backported
Include in Changelog: 1

Certificate validation for distributed setups lacks a proper explanation (from OpenSSL). In my case, we've been using SSL certificates with nsCertType = server, which failed the certificate validation as its purpose is not that of a client certificate. While OpenSSL provides this information, Icinga has so far only logged that the certificate is not signed by the CA, which is wrong. So an adjustment might be required.

Changesets

2016-07-25 07:22:35 +00:00 by pef 431c110

Improve error reporting for the client certificate check

Until now, client certificates that have failed verification were reported as not being signed by the CA. That is not true for all cases. This patch adds an explanation in the debug log why verification failed.

fixes #12201

2016-07-25 07:23:19 +00:00 by gbeutner be21a5a

Update AUTHORS

refs #12201

@icinga-migration commented Jul 21, 2016

Updated by pef on 2016-07-21 20:10:17 +00:00

  • File added 0001-Improved-error-reporting-for-the-client-certificate-.patch

Attached patch should solve the problem. Please be gentle, I'm not the coding kind of guy :)

@icinga-migration commented Jul 25, 2016

Updated by gbeutner on 2016-07-25 07:18:26 +00:00

  • Status changed from New to Assigned
  • Assigned to set to gbeutner
  • Target Version set to 2.5.0

@icinga-migration commented Jul 25, 2016

Updated by gbeutner on 2016-07-25 07:20:55 +00:00

I'm not really a fan of using separate Log() calls to report information about the same problem. I'll clean up the patch a bit and merge it. :)

@icinga-migration commented Jul 25, 2016

Updated by gbeutner on 2016-07-25 07:22:56 +00:00

[2016-07-25 09:22:10 +0200] information/ApiListener: New client connection for identity 'test' (certificate validation failed: code 18: self signed certificate)
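
An added example (not part of this thread or the Icinga code base): a small triage script that parses the log format shown in the comment above and groups validation failures by identity and OpenSSL verify code. Only the first sample line comes from the thread; the other lines are constructed, and the hint texts are this example's own wording.

```python
import re
from collections import Counter, defaultdict

# Pattern follows the ApiListener line quoted in the thread above.
FAIL_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \w+/ApiListener: New client connection "
    r"for identity '(?P<identity>[^']*)' "
    r"\(certificate validation failed: code (?P<code>\d+): (?P<reason>.*)\)\s*$"
)

# OpenSSL verify result codes (X509_V_ERR_*); hint wording is this example's own.
HINTS = {
    10: "expired: renew the endpoint certificate",
    18: "self-signed leaf: endpoint did not present a CA-issued certificate",
    20: "issuer unknown: CA certificate missing or signed by a different CA",
    26: "wrong purpose: not usable as a client certificate (e.g. nsCertType = server)",
}

def parse_failure(line):
    """Return a dict for a validation-failure line, or None for any other line."""
    m = FAIL_RE.match(line.strip())
    if m is None:
        return None
    return {"timestamp": m["timestamp"], "identity": m["identity"],
            "code": int(m["code"]), "reason": m["reason"]}

def summarize(lines):
    """Count failures per identity and verify code: {identity: {code: count}}."""
    counts = defaultdict(Counter)
    for line in lines:
        failure = parse_failure(line)
        if failure:
            counts[failure["identity"]][failure["code"]] += 1
    return {ident: dict(c) for ident, c in counts.items()}

def hint(code):
    """Map a verify code to a remediation hint, with a fallback for unlisted codes."""
    return HINTS.get(code, "unlisted code: look it up in OpenSSL's verify documentation")

# First line is from the thread; the rest are constructed for this example.
SAMPLE = [
    "[2016-07-25 09:22:10 +0200] information/ApiListener: New client connection for identity 'test' (certificate validation failed: code 18: self signed certificate)",
    "[2016-07-25 09:23:41 +0200] information/ApiListener: New client connection for identity 'satellite1' (certificate validation failed: code 26: unsupported certificate purpose)",
    "[2016-07-25 09:24:02 +0200] information/ApiListener: New client connection for identity 'satellite1' (certificate validation failed: code 26: unsupported certificate purpose)",
    "[2016-07-25 09:25:00 +0200] information/ApiListener: New client connection for identity 'master2'",
]

if __name__ == "__main__":
    for ident, codes in summarize(SAMPLE).items():
        for code, n in sorted(codes.items()):
            print(f"{ident}: code {code} x{n} -> {hint(code)}")
```

Repeated code 26 for one identity points at the situation described in the issue: a certificate issued for server use being presented as a client certificate.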

@icinga-migration commented Jul 25, 2016

Updated by pef on 2016-07-25 07:25:04 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 431c110.

@icinga-migration commented Aug 22, 2016

Updated by gbeutner on 2016-08-22 11:55:57 +00:00

  • Subject changed from Better description on failed certificate validation to Improve error messages for failed certificate validation