-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Valid let's encrypt certifcate considerated as invalid by streaming client #6529
Comments
Please check @thiagoftsm |
Hi @gaetanfl , I was studying your issue report now, and I would like to ask you more few questions for we fix this problem: 1 - What is the openssl version installed in your Ubuntu 18.04? I saw that the error you are having is a common error with Squid too, and in the squid side at least is common the people to report a problem with "Incomplete Chain". |
Hi thank for taking care of this @thiagoftsm
SSL labs does not support high ports like that but I tested on https://www.immuniweb.com/ssl and it got A- due to lack of tls v1.3 support mostly and no ocsp stappling… nothin related to bad chain
There is only two certificates in my full message, will try to add the last one but looks like the verify openssl method is not using the server recognized roots but a more restricted one |
Adding the root X3 cert in the chain provoked an error 19 in check because of the self signed certificate |
Hi @gaetanfl , We realized a deep analises to find the best way to handle this problem that you are having and we arrive in the conclusion that we can do one of the next two options to fix this:
For both situation, we will create a chain of known Netdata SSL certificates to avoid the error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. Thank you very much to give us this report! |
Thanks for investigating it. I'll let some comment from my operational point of view.
It seems a bit tedious regarding let's encrypt policy of short certificate. It would mean that every time the cert renew, the post-renew hook should deploy the cert on all clients. Might it be possible to just specify the path to the CA signing it like
In this case, it seems that we have to download the certificate over an unencrypted connection, which does not look good.
Thanks, in my opinion, specifying the signing ca cert is the better way to go. Thinking about the issue I got to this idea (didn't test or else, you may yet thought about this): the signing chain is X3 CA -> LE -> my cert. So the cert given by the master is the concatenation of LE CA and my cert. Is the client verifying well thos case of two concatenate certs ? I will make some tests and keep you posted.
Thanks for addressing it |
Thanks to share your point of view with us, today this will be my top priority. |
I mocked the way it connects to ssl in a small C program. By adding those lines I fixed the issue
making it configurable for path and file should solve the issue. |
Hi @gaetanfl , This is the exactly road that we were plainning to use, thanks to confirm! |
Hi @gaetanfl , I created a PR as I said previously for you, I saw that with the code we talked yesterday, it is also possible to enable the use of self-signed certificate without to raise a warning, case you have the possibility, please test the PR to confirm that it is killing the bug. Best Regards! |
I know this is an old issue, however it helped me. I couldn't get streaming connections working using Let's Encrypt certs until I modified the config to set:
I wonder if Netdata should automatically use these paths on Debian? |
Hello @Daniel15 , As you said this looks like a Let's encrypt issue, probably we need to add a new topic to our documentation related to Let's Encrypt certificate. I remember that I also had problems with Let's encrypt certificate on CentOS. @joelhans we need to think something about this. Best regards! |
Bug report summary
A valid let's encrypt certificate is considered as invalid for reason 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY by streaming client even if openssl _sclient return 0 in verify
OS / Environment
ubuntu 18.04
Netdata version (ouput of
netdata -V
)netdata v1.16.0-70-nightly
Component Name
streaming
Steps To Reproduce
Whereas openssl s_client works fine
Expected behavior
[send to tcp:host:port]: established communication - ready to send metrics...
The text was updated successfully, but these errors were encountered: