Hi.
From https://glpi-agent.readthedocs.io/en/1. … ation.html
ssl-fingerprint (Available since GLPI Agent v1.3)
The fingerprint to use can be retrieved in agent log by temporarily enabling no-ssl-check option.
Do I need to generate a separate fingerprint for each agent, or is it enough to obtain it once and add it to the configuration of subsequent agents?
Last edited by WebGreg (2025-02-20 11:36:21)
--
GLPI 10.0.18
GLPI-Inventory 1.5.0
Ubuntu Server 20.04 LTS
Hi WebGreg,
the ssl fingerprint is only unique to your server, so you can get it on one agent and reuse it for all other agents.
It will be valid for any agent until you change the configured SSL server certificate itself.
GLPI-Agent developer from Teclib' and GLPI-Network team
Previously FusionInventory-Agent maintainer
Hi @gbougard
That's what I suspected, but what surprised me was that each agent I checked had a different fingerprint in the log. And I don't change anything on the server.
Last edited by WebGreg (2025-02-20 14:30:38)
--
GLPI 10.0.18
GLPI-Inventory 1.5.0
Ubuntu Server 20.04 LTS
Oh, if you have an AV which intercepts any request on computers, it can also intercept agent traffic. In that case, the SSL fingerprint is not related to the server certificate, but to the local AV certificate... And I can imagine it is different on all computers. But then, you can't use that option to authenticate the server certificate.
Try the SSL debugging process explained in the FAQ to help understand: https://faq.teclib.com/02_FAQ/Agent/#ho … -using-ssl
GLPI-Agent developer from Teclib' and GLPI-Network team
Previously FusionInventory-Agent maintainer
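The check discussed above, as an added example that is not part of the original posts or of GLPI Agent: take one reference fingerprint of the server certificate and compare it with the fingerprints collected from agent logs, so that hosts whose traffic is re-signed by a local AV certificate stand out. The `sha256$<hex>` spelling, the host names and the sample data are assumptions; compare against whatever form your agent log actually prints.

```python
import hashlib
import ssl

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, written as 'sha256$<hex>' (assumed form)."""
    return "sha256$" + hashlib.sha256(der).hexdigest()

def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the certificate this machine is actually served.
    No chain validation is done, so a self-signed certificate works too."""
    pem = ssl.get_server_certificate((host, port))
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem))

def normalize(fp: str) -> str:
    """Ignore case, colons and surrounding whitespace when comparing."""
    return fp.strip().lower().replace(":", "")

def audit(reference: str, reported: dict) -> dict:
    """Split hosts into those that saw the server certificate and those that did not."""
    result = {"match": [], "mismatch": []}
    for host, fp in sorted(reported.items()):
        key = "match" if normalize(fp) == normalize(reference) else "mismatch"
        result[key].append(host)
    return result

# Constructed sample data: byte strings standing in for DER certificates.
SERVER_DER = b"constructed GLPI server certificate"
AV_DER = {
    "pc-02": b"constructed AV certificate generated on pc-02",
    "pc-03": b"constructed AV certificate generated on pc-03",
}

# Reference value, taken where nothing intercepts TLS (e.g. on the server itself).
REFERENCE = cert_fingerprint(SERVER_DER)

# Fingerprints as they would be copied out of each agent's log (hypothetical hosts).
REPORTED = {
    "pc-01": REFERENCE.upper(),                  # same certificate, different case
    "pc-02": cert_fingerprint(AV_DER["pc-02"]),  # re-signed by local AV
    "pc-03": cert_fingerprint(AV_DER["pc-03"]),  # re-signed by local AV
    "pc-04": REFERENCE,
}

if __name__ == "__main__":
    print(audit(REFERENCE, REPORTED))
```

Hosts listed under `mismatch` did not see the server certificate, so a single `ssl-fingerprint` value cannot be rolled out to them until the interception is excluded for the GLPI address.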
@gbougard That's exactly the point! Thank you :-D
You know you're great, don't you?
--
GLPI 10.0.18
GLPI-Inventory 1.5.0
Ubuntu Server 20.04 LTS
Hi WebGreg,
it would be interesting to know if AV editors provide a way to trust the locally generated AV certificate. Maybe via the Windows Keystore on Windows?
Anyway, if we don't have a way to trust the AV certificate, either you can configure the AV to not intercept GLPI-Agent requests, or you'll have to use no-ssl-check, or maybe the certificate can be available via an export to be used with ca-cert-file.
GLPI-Agent developer from Teclib' and GLPI-Network team
Previously FusionInventory-Agent maintainer
I have no problem setting trust for the AV certificate - the only problem is that it is, as you rightly pointed out, unique for each workstation installation.
In the AV exception, I added the GLPI address to trusted sites. As a result, it doesn't check SSL for it. At this point, agents see the server's self-signed certificate and I can attach it to the agent installation script or, for example, propagate it with a GPO policy.
Is it possible to set it not to check all pages signed with a self-signed certificate? I think ESET allows this, but I wasn't able to do it quickly. If you want, I can take a closer look at it. However, in the context of GLPI it does not change much - the white list of URL addresses is completely sufficient.
--
GLPI 10.0.18
GLPI-Inventory 1.5.0
Ubuntu Server 20.04 LTS