SSL Fingerprint not working

[cab-lmsys]

Documentation & bug reporting acknowledgment

Yes, I read it

Describe your problem

After installing GLPI-Agent AppImage, I run following command to get GLPI server SSL fingerprint

echo | openssl s_client -connect my-glpi-server:443 2>/dev/null \
  | openssl x509 -noout -fingerprint -sha256 \
  | sed 's/SHA256 Fingerprint=//; s/://g; y/ABCDEF/abcdef/' \
  | awk '{ print "sha256$" $1 }'

Then in agent config file, added following option
ssl-fingerprint = sha256$<lowercase-hex-string>

But I still have following message in logs

[info] sending prolog request to server0
[error] [http client] internal response: 500 SSL_ca_file /etc/ssl/certs/ca-certificates.crt can't be used: No such file or directory
[error] No supported answer from server at https://my-glpi-server

I tried to set property manually in command line but still have same error
glpi-agent --ssl-fingerprint sha256$<lowercase-hex-string> --debug

In documentation I found

The fingerprint to use can be retrieved in agent log by temporarily enabling no-ssl-check option.

but I was expecting to be able to use ssl-fingerprint without running no-ssl-check inventory by get fingerprint with command line

Installed version

glpi-agent --version
GLPI Agent (1.14-1)
Built by Debian
Source time: 2025-04-17 10:04

[g-bougard]

Hi @cab-lmsys

maybe the default ssl server side behind my-glpi-server:443 doesn't use the expected glpi server certificate.

If you want a one-liner to extract the expected fingerprint, you can use perl this way:

perl -MLWP::UserAgent -e '$ua = LWP::UserAgent->new(keep_alive => 1); $ua->ssl_opts(verify_hostname => 0, SSL_verify_mode => 0); $req = $ua->request(HTTP::Request->new(GET => $ARGV[0])); ($s) = $ua->conn_cache->get_connections("https"); print $s->get_fingerprint(), "\n"' https://my-glpi-server/glpi

Of course, replace the URL by your own glpi server url.

About your error:

[error] [http client] internal response: 500 SSL_ca_file /etc/ssl/certs/ca-certificates.crt can't be used: No such file or directory

It means you have ca-cert-file set somewhere in your configuration. It will be used first in place of ssl-fingerprint if set. You have to comment it in your config.

Last point, when using glpi-agent --ssl-fingerprint sha256$<lowercase-hex-string> --debug on the command line, you take the risk $<lowercase-hex-string> is interpreted as a shell variable, please quote it this way:

glpi-agent --ssl-fingerprint 'sha256$<lowercase-hex-string>' --debug

[cab-lmsys]

Hi @g-bougard

Thanks for your reply.

I've compared the fingerprint I obtain in command line and the perl command you provided and values were the same (also displayed in logs with --no-ssl-check option on another host).

I edited /etc/glpi-agent/agent.cfg file and commented all lines (even if values where empty)

#
# Network options
#

# proxy address
#proxy =
# user name for server authentication
#user =
# password for server authentication
#password =
# CA certificates directory
#ca-cert-dir =
# CA certificates file
#ca-cert-file =
# do not check server SSL certificate
no-ssl-check = 0
# connection timeout, in seconds
timeout = 180

in my custom conf file I have only

#
# Network options
#
# SSL Fingerprint of GLPI server to trust
ssl-fingerprint = sha256$<lowercase-hex-string>

I also tried with quotes in command line without success
glpi-agent --ssl-fingerprint 'sha256$<lowercase-hex-string>'

[cab-lmsys]

I have check on a Redhat 8 host and got the same result

Host details:

# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"

# dnf list installed | grep certificates
ca-certificates.noarch                        2023.2.60_v7.0.306-80.0.el8_8              @anaconda
subscription-manager-rhsm-certificates.noarch 20220623-1.el8                             @anaconda

[g-bougard]

And what's the result of ls -l /etc/ssl/certs/ca-certificates.crt ?

Then can you better use the rpm package in place of the AppImage and this distro as this is supported ? You can use the perl linux installer to simplify the installation.

[cab-lmsys]

I don't have any /etc/ssl/certs/ca-certificates.crt file

ll /etc/ssl/certs/
total 0
lrwxrwxrwx. 1 root root 49 Aug 22  2024 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Aug 22  2024 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

I can't use rpm package because installation requires enabling codeready builder repo which is not approved by our client manufacturing team.

If it's not possible to solve this issue I will use the workaround with /etc/glpi-agent/glpi-ca.pem file, but I would have preferred to use the fingerprint option.

[g-bougard]

You probably can create a symbolic link: ln -s ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

[cab-lmsys]

Yes with symlink it works, thanks!