Some certificates cause errors

[pacija]

Bug reporting acknowledgment

Yes, I read it

Professional support

I still have but want a public following to keep the community aware

Describe the bug

Hi,

my glpi server is 10.0.18, windows clients report with glpi-agent 1.15. Web server is apache with Let's encrypt certificates.

Most clients report inventory without problems, but a few clients won't report. After increasing log verbosity I noticed the following in agent log on problematic clients:

[error] cannot parse C:/Program Files/GLPI-Agent/var/keystore-export-_7omPu/temp.cer as PEM X509 cert: error:0688010A:asn1 encoding routines::nested asn1 error at C:/Program Files/GLPI-Agent/perl/agent/GLPI/Agent/HTTP/Client.pm line 694 thread 1.

After some troubleshooting I noticed certain certificates in windows certificate store, installed by other application, are the cause. Once these certificates are removed from windows certificate store clients report fine.

I cannot just remove these certificates as they are needed for daily operations of my users. Problematic certificate seems to be root CA of Ministry of Interior of Serbia, used (among others) in application for reading data from chips on citizens' ID cards.

I can provide problematic certificate if needed.

What would be the purpose of glpi-agents' scanning windows certificate stores and exporting certificates? They do not seem to be reported in inventory.

Thank you in advance.

To reproduce

1. Install software for reading data from ID cards as instructed on (apparently in Serbian only) on Serbia MUP website.
2. Install latest glpi-agent (preferrably with increased verbosity and delaytime) and wait for first report
3. Observe error in logs

Expected behavior

glpi-agent shoud report inventory regardless of additional certificates in windows certificate store

Operating system

Windows

GLPI Agent version

v1.15

GLPI version

10.0.18

GLPIInventory plugin or other plugin version

No response

Additional context

No response

[g-bougard]

Hi @pacija

the problem is that certificate seems to make OpenSSL crash the thread.

You can share the certificate, I'll try to see if I can avoid the crash itself.

But to fix your problem and as you're using a Let's encrypt certificates on your GLPI server signed by publicly know authority, you can just skip the Microsoft Keystore export as you hindeed not need it. You can skip it by setting ssl-keystore option to "none". You can set it when installing using SSL_KEYSTORE=none as installer option.

[pacija]

Hi @g-bougard

Thank you for your quick response.

I can confirm installation with SSL_KEYSTORE=none reports inventory without problems even with problematic certificate present in Microsoft Keystore. Thank you for workaround advice.

I am sending verbose logs from both installations as well as problematic certificate, perhaps it will help pinpoint cause of the crash. I redacted some sensitive info such as URL of glpi server, IP address of client, as well as complete inventory section. I also renamed extension of certificate from .cer to .txt in order to be able to upload it. Should you need more info I'd be glad to provide it.

glpi-agent_with_SSL_KEYSTORE_none.log

glpi-agent_without_SSL_KEYSTORE_none.log

temp.txt

[g-bougard]

Hi @pacija

indeed, it seems this certificate is encoded in PEM format where others are not. The file is the result of using certutil command with -encode option. Glpi-agent uses this command (a windows standard command) and now it seems to me to not encode certificates in the same way. To me, this may be a windows bug, but I should indeed find a better way to export certificate in a safer way. I may have assume stored certificates is done in the same way.

[g-bougard]

Hi @pacija

can you test the windows build from this github artifact ?
https://github.com/glpi-project/glpi-agent/actions/runs/19902460684/artifacts/4754130259

This is a try to refacto the keystore support using native win32 API. The process is still far more performant than using certutil command.

Don't forget to reset ssl-keystore configuration (don't have it set to none for the test). I'm curious to know how your specific certificate case is handled with this build.

[pacija]

hi @g-bougard,

sorry for late reply and thank you for installer. Hopefully I'll be able to test it next week and report here.

[g-bougard]

Hi,

don't worry, I still see some issues with this build.