Related to:
HTTPS server verification.
Problem
- Certain features of Netprobe and Gateway may be configured to use HTTPS server verification. However, on Ubuntu and SLES platforms, you may encounter problems if you use the machine's default CA bundle store for HTTPS server verification. If you encounter an error message similar to the following, you'll need to take additional steps to use the default CA bundle store.
"error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none"
"Could not load CA bundle file, missing or wrong format : ''"
Possible Cause(s)
- On Linux, the Netprobe and the Gateway search for the default CA bundle store at /etc/pki/tls/certs/ca-bundle.crt. However, on Ubuntu and SLES platforms, the default CA bundle store may not be located at this path.
Possible Solution(s)
- You can either specify the actual path of the default CA bundle store or create a symbolic link at /etc/pki/tls/certs/ca-bundle.crt.
  - For Ubuntu:
    The default CA bundle is at /etc/ssl/certs/ca-certificates.crt
  - For SLES:
    The default CA bundle is at /var/lib/ca-certificates/ca-bundle.pem
- To specify the actual path of the default CA bundle store, set the corresponding GSE setting or the command-line option, depending on the feature that's using HTTPS server verification.
  - ITRS Analytics Data Access:
    In GSE, set "Root certificates" under "Gateway ITRS Analytics Connection".
  - Remote Includes:
    In GSE, set "CA Bundle" in the advanced settings of the include file or the include group.
  - External Passwords via HashiCorp Vault:
    In GSE, set "Server CA certificate" under "Operating environment".
  - Specifying Netprobe setup file as URL:
    When running Netprobe, pass the path as an argument to the "-setup-server-verify" command-line option.
  - WEB-MON Plug-in:
    In GSE, set "CA Bundle" in the basic settings of the WEB-MON sampler.
- To create a symbolic link to the actual path of the default CA bundle store, you'll need to have elevated privileges and run the following:
sudo mkdir -p /etc/pki/tls/certs
sudo ln -sf <actual_path_of_default_bundle_store> /etc/pki/tls/certs/ca-bundle.crt
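The following script is an added example, not part of the official Geneos documentation. It checks the Ubuntu and SLES bundle locations listed above, confirms the file actually contains PEM certificates (an empty or wrong-format file produces the "missing or wrong format" error), and only then creates the symbolic link. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: locate the distribution's default CA bundle and link it to the
# path that Netprobe and Gateway search by default. The optional first argument
# is a hypothetical root prefix so the functions can run against a scratch tree.

GENEOS_DEFAULT=/etc/pki/tls/certs/ca-bundle.crt

# Print the first candidate that is readable and contains a PEM certificate.
find_ca_bundle() {
    root=${1:-}
    for candidate in \
        /etc/ssl/certs/ca-certificates.crt \
        /var/lib/ca-certificates/ca-bundle.pem
    do
        path="$root$candidate"
        if [ -r "$path" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1   # no usable bundle found; do not create a dangling link
}

# Create the symlink unless the default path already resolves to a PEM bundle.
link_ca_bundle() {
    root=${1:-}
    link="$root$GENEOS_DEFAULT"
    if [ -r "$link" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$link"; then
        return 0
    fi
    target=$(find_ca_bundle "$root") || return 1
    mkdir -p "$(dirname "$link")" && ln -sf "$target" "$link"
}
```

On a real host, source the file and call `link_ca_bundle` with no argument from a shell that has elevated privileges.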
Related Articles
The above steps are also included in the official Geneos documentation.