You are not logged in.
Hi,
I'm a newbie to GLPI and the FusionInventory Windows agent, so apologies in advance if this is a stupid question. I searched through the forum and tried all the suggestions, but nothing seems to work, so hopefully someone has a fix for me.
We have GLPI installed on Ubuntu 18.04 with a valid Let's Encrypt SSL certificate. The FusionInventory version is 9.5.0+1.0 running within the latest GLPI which was installed this morning.
The URL to the Fusion plugin is https:// assets.mydomain.com/plugins/fusioninventory/
I have included that path in the Root entity Fusioninventory tab. I have left the defaults in the General setup section of the Fusion plugin with No SSL for agent and the listening port left at 62354. I have opened the port on the server, but when I check whether something's listening on 62354 using:
lsof -i -P -n | grep LISTEN
Nothing is listed.
The error from the FusionInventory log from the Windows PC is:
[Mon Feb 1 14:45:52 2021][info] target server0: server https:// assets.mydomain.com/plugins/fusioninventory/
[Mon Feb 1 14:45:52 2021][info] sending prolog request to server0
[Mon Feb 1 14:45:53 2021][error] [http client] communication error: 500 Can't connect to assets.mydomain.com:443 (Bad file descriptor)
[Mon Feb 1 14:45:53 2021][error] No answer from server at https:// assets.mydomain.com/plugins/fusioninventory/
[Mon Feb 1 14:45:53 2021][info] FusionInventory Agent memory usage: WSS=3100672 PFU=113905664
[Mon Feb 1 14:46:23 2021][info] FusionInventory Agent memory usage: WSS=3186688 PFU=112508928
Please note, I'm allowed to post links, so had to adjust the links in the body of my post with a space.
Can someone point me in the right direction please?
Thanks
Duke
Offline
Hi,
Could you paste your VHOST configuration file here ?
It looks like you Web service could find your document root.
Regards.
Offline
Hi,
Could you paste your VHOST configuration file here ?
It looks like you Web service could find your document root.
Regards.
Hi,
I ended up figuring it out. It will only accept connections as HTTP and not HTTPS. I made and exclusion for /plugins/fusioninventory/
Is there a method of making is connect via HTTPS? I tried applying the SSL-only for agent to Yes, but that made no difference.
Can I just say to all the developers involved in the project, thank you for saving me so much time in saving the manual correlation of machine assets. Thank you, thank you!
Offline
Hi,
SSL-only for agent to Yes is necessary only if you deploy/install agent with a certificat included (options available)
Did you try to modify your Order and Allow ?
Regards
Offline
Hi,
I realize I may be in the wrong place because I am not using the FusionInventory plugin but I am getting the same error messages in the logs as in the original post.
I have set up a GLPI 10.0 server with a public certificate from Let's Encrypt. I have been able to connect dozens of systems using the GLPI Agent 1.2 using https:// to myserver.example.com/front/inventory.php. Yesterday when I went to add additional systems, I saw and downloaded the GLPI Agent ver. 1.3. The agent install completed on the 2 computers without visible errors.
When I try to inventory the computers (a Windows server and a Windows 10 pro) they don't appear on my GLPI server. After several hours of troubleshooting, the main issue seems to be SSL related.
I did test the connectivity to the server. A web browser on the same client was able to open the https:// version of myserver.example.com/ site and was able to display the server's certificate. I also ran a packet sniffer on the server while trying to run the inventory. Here are the results: (The client is on the 74.105.58.98 IP and the server is on the 10.255.235.13 IP)
1 0.000000000 74.105.58.98 → 10.255.235.13 TCP 66 1839 → 443 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.000057255 10.255.235.13 → 74.105.58.98 TCP 66 443 → 1839 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
3 0.010022483 74.105.58.98 → 10.255.235.13 TCP 56 1839 → 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 0.010040932 74.105.58.98 → 10.255.235.13 TLSv1 571 Client Hello
5 0.010072709 10.255.235.13 → 74.105.58.98 TCP 54 443 → 1839 [ACK] Seq=1 Ack=518 Win=30336 Len=0
6 0.011207051 10.255.235.13 → 74.105.58.98 TLSv1.3 2974 Server Hello, Change Cipher Spec, Application Data
7 0.011222525 10.255.235.13 → 74.105.58.98 TCP 1230 443 → 1839 [PSH, ACK] Seq=2921 Ack=518 Win=30336 Len=1176 [TCP segment of a reassembled PDU]
8 0.013844035 10.255.235.13 → 74.105.58.98 TLSv1.3 583 Application Data, Application Data, Application Data
9 0.017701292 74.105.58.98 → 10.255.235.13 TCP 56 1839 → 443 [ACK] Seq=518 Ack=2921 Win=65536 Len=0
10 0.020045625 74.105.58.98 → 10.255.235.13 TCP 56 1839 → 443 [ACK] Seq=518 Ack=4626 Win=65536 Len=0
11 0.030017577 74.105.58.98 → 10.255.235.13 TLSv1.3 61 Alert (Level: Fatal, Description: Unknown CA)
12 0.030041855 74.105.58.98 → 10.255.235.13 TCP 56 1839 → 443 [RST, ACK] Seq=525 Ack=4626 Win=0 Len=0
As you can see on line 11, the agent on the client seems to be complaining that it doesn't recognize the root CA certificate (or the certificate chain) in use on the server.
I checked the documentation and it looks like the agent is supposed to pull the CA certificates from the Windows certificate store. I pulled up the mmc and accessed the certificate store. I downloaded and installed the certificates from Let's Encrypt, and tested again. Same result. I double checked on the second computer and found the certificate chain was already in the store and didn't need to be imported.
I looked in the documentation to see if there was some other setting I was supposed to change, but didn't see one. Also, not sure why this would have worked for version 1.2 agents but not version 1.3. It is possible that something is different with the 2 computers I was trying to add, but I haven't found anything that would be the source of the problem yet.
Is it possible the version 1.3 agent is not able to access the windows certificate store? Could that be some kind of access control?
Thanks for any help you can provide.
Bill
Offline
my case self-signed certificate for apache with a forced redirection.
- try in /etc/fusioninventory/agent.cfg fill it like this ca-cert-dir = /etc/ssl/certs/
- systemctl restart fusioninventory-agent
- fusioninventory-agent
you'll have no error
therefore you'll access agent in web browser in http "http://localhost:62354/".
IT WORKED FOR ME.
look:
info] target local0: local /tmp
[info] running task Inventory
[info] New inventory from glpi-2023-03-07-20-22-19 for local0
[info] Inventory saved in /tmp/glpi-2023-03-07-20-22-19.ocs
[info] running task Inventory
[info] New inventory from glpi-2023-03-07-20-22-19 for local0
[info] Inventory saved in /tmp/glpi-2023-03-07-20-22-19.ocs
[info] target server0: server https://localhost/glpi/marketplace/fusioninventory/
[info] sending prolog request to server0
[info] running task Inventory
[info] New inventory from glpi-2023-03-07-20-22-19 for server0
[info] running task Inventory
[info] New inventory from glpi-2023-03-07-20-22-19 for server0
Offline