Hi Arefin,
Thanks for the response. But the issue seems to be something else. I am
getting the same error again though I used 600 or 640.
On Mon, Nov 10, 2014 at 10:10 PM, M. A. Arefin <arefin....@gmail.com> wrote:
> I had a similar problem! Apparently the file permission on the certs was
> too open! Reducing the file permission to something like 640 or 600 solved
> the problem for me. Pardon me if this is not the case.
>
> On Mon, Nov 10, 2014 at 1:59 AM, Dharm S <dharm.sk2...@gmail.com> wrote:
>
>> Hi All,
>>
>> I have generated certificates and used the keys while entering the SNMP
>> commands. I ran snmpd after entering the following lines in snmp.conf:
>>
>> peerCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
>> localCert 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
>>
>> where peerCert is the fingerprint of snmpd.crt and localCert in
>> manager.crt.
>>
>> And in snmpd.conf, I have:
>>
>> [snmp] localCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
>> certSecName 10 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 --cn
>>
>> The snmpget dtlsudp:localhost:10161 sysContact.0 gives following debug
>> messages:
>> cert:util:init: init
>> cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
>> cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
>> cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
>> cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
>> cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
>> cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
>> cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
>> cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0)
>> /var/net-snmp/cert_indexes/0
>> cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks
>> good
>> cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
>> cert:index:lookup: /usr/local/etc/snmp/tls/certs (1)
>> /var/net-snmp/cert_indexes/1
>> cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
>> cert:index:parse: added 2 certs from index
>> cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
>> cert:index:lookup: /usr/local/etc/snmp/tls/private (2)
>> /var/net-snmp/cert_indexes/2
>> cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
>> cert:key:struct:new: new key 0x0x9f81438 for manager.key
>> cert:key:struct:new: new key 0x0x9f81388 for snmpd.key
>> cert:index:parse: added 2 certs from index
>> cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
>> cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3)
>> /var/net-snmp/cert_indexes/3
>> cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
>> cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
>> cert:index:lookup: /home/anjali/.snmp/tls/certs (4)
>> /var/net-snmp/cert_indexes/4
>> cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
>> cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
>> cert:index:lookup: /home/anjali/.snmp/tls/private (5)
>> /var/net-snmp/cert_indexes/5
>> cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
>> cert:partner: manager.crt match found!
>> cert:partner: snmpd.crt match found!
>> cert:key:read: Checking file snmpd.key
>> cert:key:read: Checking file manager.key
>> cert:dump: -------------------- Certificates -----------------
>> cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
>> cert:dump: type 1 flags 0x3 (identity+remote_peer)
>> cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
>> cert:dump: type 1 flags 0x3 (identity+remote_peer)
>> cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
>> cert:dump: type 4 flags 0x1 (identity)
>> cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
>> cert:dump: type 4 flags 0x1 (identity)
>> cert:dump: ------------------------ End ----------------------
>> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
>> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint
>> 167466280
>> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
>> 167466280
>> cert:find:params: hint =
>> 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
>> cert:find:found: using cert manager.crt /
>> 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
>> (uses=identity+remote_peer (3))
>> cert:find:found: using cert manager.crt /
>> 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
>> (uses=identity+remote_peer (3))
>> cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
>> cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
>> 167493864
>> cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
>> 167493864
>> cert:find:params: hint =
>> 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> cert:trust_ca: checking roots for 0x9f80f08
>> cert:trust: putting trusted cert 0x9f81f70 =
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x9fd36d0
>> cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
>> 167598104
>> cert:find:params: hint = 8954990382e414a949d54638c05fb5b2b82771c6
>> cert:find:found: using cert manager.crt /
>> 8954990382e414a949d54638c05fb5b2b82771c6 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
>> cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
>> 167493864
>> cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
>> 167493864
>> cert:find:params: hint =
>> 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> The fingerprint from the remote side's certificate didn't match the
>> expected
>> got 8954990382e414a949d54638c05fb5b2b82771c6, expected
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
>> DTLSUDP: failed to verify ssl certificate (of the server)
>> tsm: needed to free transport data
>> The fingerprint from the remote side's certificate didn't match the
>> expected
>> got 8954990382e414a949d54638c05fb5b2b82771c6, expected
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
>> DTLSUDP: failed to verify ssl certificate (of the server)
>> tsm: needed to free transport data
>> The fingerprint from the remote side's certificate didn't match the
>> expected
>> got 8954990382e414a949d54638c05fb5b2b82771c6, expected
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
>> DTLSUDP: failed to verify ssl certificate (of the server)
>> tsm: needed to free transport data
>> The fingerprint from the remote side's certificate didn't match the
>> expected
>> got 8954990382e414a949d54638c05fb5b2b82771c6, expected
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
>> DTLSUDP: failed to verify ssl certificate (of the server)
>> tsm: needed to free transport data
>> The fingerprint from the remote side's certificate didn't match the
>> expected
>> got 8954990382e414a949d54638c05fb5b2b82771c6, expected
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
>> DTLSUDP: failed to verify ssl certificate (of the server)
>> tsm: needed to free transport data
>> The fingerprint from the remote side's certificate didn't match the
>> expected
>> got 8954990382e414a949d54638c05fb5b2b82771c6, expected
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
>> DTLSUDP: failed to verify ssl certificate (of the server)
>> failed rfc5343 contextEngineID probing
>> snmpwalk: Timeout (Success)
>>
>> But if I comment out peerCert and localCert and run snmpd with the fingerprints
>> entered on the command line, I get the output.
>>
>> snmpget -v 3 -u final --defSecurityModel=tsm -T
>> our_identity=89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 -T
>> their_identity=09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
>> dtlsudp:localhost:10161 sysContact.0 -Dcert
>>
>> output:
>> cert:util:init: init
>> cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
>> cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
>> cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
>> cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
>> cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
>> cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
>> cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
>> cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0)
>> /var/net-snmp/cert_indexes/0
>> cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks
>> good
>> cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
>> cert:index:lookup: /usr/local/etc/snmp/tls/certs (1)
>> /var/net-snmp/cert_indexes/1
>> cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
>> cert:index:parse: added 2 certs from index
>> cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
>> cert:index:lookup: /usr/local/etc/snmp/tls/private (2)
>> /var/net-snmp/cert_indexes/2
>> cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
>> cert:key:struct:new: new key 0x0x97b6218 for manager.key
>> cert:key:struct:new: new key 0x0x97b6168 for snmpd.key
>> cert:index:parse: added 2 certs from index
>> cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
>> cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3)
>> /var/net-snmp/cert_indexes/3
>> cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
>> cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
>> cert:index:lookup: /home/anjali/.snmp/tls/certs (4)
>> /var/net-snmp/cert_indexes/4
>> cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
>> cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
>> cert:index:lookup: /home/anjali/.snmp/tls/private (5)
>> /var/net-snmp/cert_indexes/5
>> cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
>> cert:partner: manager.crt match found!
>> cert:partner: snmpd.crt match found!
>> cert:key:read: Checking file snmpd.key
>> cert:key:read: Checking file manager.key
>> cert:dump: -------------------- Certificates -----------------
>> cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
>> cert:dump: type 1 flags 0x3 (identity+remote_peer)
>> cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
>> cert:dump: type 1 flags 0x3 (identity+remote_peer)
>> cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
>> cert:dump: type 4 flags 0x1 (identity)
>> cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
>> cert:dump: type 4 flags 0x1 (identity)
>> cert:dump: ------------------------ End ----------------------
>> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint
>> 159287896
>> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
>> 159287896
>> cert:find:params: hint =
>> 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
>> cert:find:found: using cert manager.crt /
>> 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
>> (uses=identity+remote_peer (3))
>> cert:find:found: using cert manager.crt /
>> 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
>> (uses=identity+remote_peer (3))
>> cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
>> 159374304
>> cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
>> 159374304
>> cert:find:params: hint =
>> 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> cert:trust_ca: checking roots for 0x97b5ce0
>> cert:trust: putting trusted cert 0x97b6d50 =
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x980f408
>> cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
>> 159374304
>> cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
>> 159374304
>> cert:find:params: hint =
>> 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> cert:find:found: using cert snmpd.crt /
>> 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
>> (uses=identity+remote_peer (3))
>> SNMPv2-MIB::sysContact.0 = STRING: Me <m...@example.org>
>>
>> After this i uncomment peerCert and localCert in snmp.conf, and I am able
>> to get the output using just
>>
>> snmpget dtlsudp:localhost:10161 sysContact.0
>>
>> Can anyone help me understand what makes it read the fingerprints when
>> snmp.conf is modified while snmpd is running, and why it doesn't read them
>> as required with the initial configuration?
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Net-snmp-users mailing list
>> Net-snmp-users@lists.sourceforge.net
>> Please see the following page to unsubscribe or change other options:
>> https://lists.sourceforge.net/lists/listinfo/net-snmp-users
>>
>>
>
>
> --
> M. A. Arefin
>
> 240.401.7074 (cell)
>
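An added diagnostic, not code from the thread or from net-snmp, that maps the fingerprints in the -Dcert output back to the certificate file names net-snmp itself listed, so a "got X, expected Y" line names the files involved: on the constructed excerpt below (taken from the output above, trimmed) it reports that the server presented manager.crt while the client expected snmpd.crt. The der_fingerprint helper is an assumption: it emits the colon-separated SHA-1 form that the peerCert/localCert lines above use.

```python
"""Explain net-snmp '-Dcert' fingerprint mismatches in terms of cert file names."""
import hashlib
import re

# Constructed excerpt of the debug output quoted in this thread (trimmed);
# real input is the output of `snmpget ... -Dcert`.
SAMPLE_LOG = """\
cert:find:found: using cert manager.crt /
8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
The fingerprint from the remote side's certificate didn't match the
expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
"""

FOUND_RE = re.compile(r"using cert (\S+) /\s*([0-9a-fA-F]{40}) for (\w+)\(")
MISMATCH_RE = re.compile(r"got ([0-9a-fA-F]{40}), expected\s+([0-9a-fA-F]{40})")


def normalize(fp: str) -> str:
    """Lower-case hex without colons, so '09:38:B0...' equals '0938b0...'."""
    return fp.replace(":", "").lower()


def cert_table(log: str) -> dict:
    """fingerprint -> (file name, role net-snmp selected the cert for)."""
    return {normalize(fp): (name, role) for name, fp, role in FOUND_RE.findall(log)}


def explain_mismatches(log: str) -> list:
    """For each mismatch, return (presented file, expected file)."""
    flat = re.sub(r"\s+", " ", log)  # undo mailer and debug line wrapping
    table = cert_table(flat)
    unknown = ("<unknown>", "?")
    return [(table.get(normalize(got), unknown)[0],
             table.get(normalize(exp), unknown)[0])
            for got, exp in MISMATCH_RE.findall(flat)]


def der_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-1 of a DER cert (assumed: the 20-byte form above)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


if __name__ == "__main__":
    for got, exp in explain_mismatches(SAMPLE_LOG):
        print(f"server presented {got}, client expected {exp}")
```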