You are not logged in.
- Topics: Active | Unanswered
Announcement
Download last stable version of GLPI - What can you do for GLPI ? : Contribute
Pages: 1
#1 Yesterday 11:35:51
- WebGreg
- Member
- Registered: 2020-02-27
- Posts: 752
Fingerprint - unique or common?
Hi.
From https://glpi-agent.readthedocs.io/en/1. … ation.html
ssl-fingerprint (Available since GLPI Agent v1.3)
The fingerprint to use can be retrieved in agent log by temporarily enabling no-ssl-check option.
Do I need to generate a separate fingerprint for each agent, or is it enough to obtain it once and add it to the configuration of subsequent agents?
Last edited by WebGreg (Yesterday 11:36:21)
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
#2 Yesterday 14:26:23
- gbougard
- Moderator
- From: Montpellier, France
- Registered: 2021-07-21
- Posts: 556
- Website
Re: Fingerprint - unique or common?
Hi WebGreg,
the ssl fingerprint is only unique to your server, so you can get it on one agent and reuse it for all other agents.
It will be valid for any agent until you change the configured SSL server certificate itself.
GLPI-Agent developer from Teclib' and GLPI-Network team
Previously FusionInventory-Agent maintainer
Offline
#3 Yesterday 14:30:17
- WebGreg
- Member
- Registered: 2020-02-27
- Posts: 752
Re: Fingerprint - unique or common?
Hi @gbougard
That's what I suspected, but what surprised me was that each agent I checked had a different fingerprint in the log. And I don't change anything on the server.
Last edited by WebGreg (Yesterday 14:30:38)
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
#4 Yesterday 16:33:13
- gbougard
- Moderator
- From: Montpellier, France
- Registered: 2021-07-21
- Posts: 556
- Website
Re: Fingerprint - unique or common?
Oh, if you have an AV which intercept any request on computers, it can also intercept agent traffic. In that case, the SSL fingerprint is not related to server certificate, but to local AV certificate... And I can imagine it is different on all computers. But then, you can't use that option to authenticate the server certificate.
Try the SSL debugging process explained in the FAQ to help understand: https://faq.teclib.com/02_FAQ/Agent/#ho … -using-ssl
GLPI-Agent developer from Teclib' and GLPI-Network team
Previously FusionInventory-Agent maintainer
Offline
#5 Yesterday 22:00:39
- WebGreg
- Member
- Registered: 2020-02-27
- Posts: 752
Re: Fingerprint - unique or common?
@gbougard That's exactly the point! Thank you :-D
You know you're great, don't you? 
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
#6 Today 16:07:02
- gbougard
- Moderator
- From: Montpellier, France
- Registered: 2021-07-21
- Posts: 556
- Website
Re: Fingerprint - unique or common?
Hi WebGreg,
it would be interesting to know if AV editors provide a way to trust the locally generated AV certificate. Maybe via the Windows Keystore on windows ?
Anyway, if we don't have a way to trust the AV certificate, or you can configure AV to not intercept GLPI-Agent requests or you'll have to use no-ssk-check, or maybe the certificate can be available via an export to be used with ca-cert-file.
GLPI-Agent developer from Teclib' and GLPI-Network team
Previously FusionInventory-Agent maintainer
Offline
Pages: 1