Hi again, sorry for the SPAM. I figured the issue and wanted to send the resolution to the group, in case someone has a similar problem.
The problem was the scanner verification of the openvasmd. When I ran openvasmd --verify-scanner with the default scanner id, it said "failed" (this should be more verbose in my opinion, as "failed" is not helpful). So I used openvasmd --create-scanner to create a new local OpenVAS scanner instance and changed my scan config to use this instead of the default one. This seems to have resolved the issue.

I suggest that the OpenVAS team adds a little better logging. It's very frustrating to spend two days troubleshooting because of missing/insufficient logging.

Winni

> From: "Winfried Neessen" <[email protected]>
> To: "openvas-discuss" <[email protected]>
> Sent: Thursday, July 16, 2015 3:52:40 PM
> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan
>
> Holy moly...
>
> now that I saw my mail, I see the:
>
> - Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
>
> warning. Looks like this might be the issue.
>
> Winni
>
>> From: "Winfried Neessen" <[email protected]>
>> To: "openvas-discuss" <[email protected]>
>> Sent: Thursday, July 16, 2015 3:50:23 PM
>> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan
>>
>> Hi,
>>
>> any other suggestions on how to troubleshoot this? It definitely seems to be GnuTLS related, but I am not able to figure out what happens. gnutls-cli is able to connect:
>>
>> % sudo gnutls-cli --x509cafile /usr/pkg/openvas/var/lib/openvas/CA/cacert.pem --x509certfile /usr/pkg/openvas/var/lib/openvas/CA/clientcert.pem --x509keyfile /usr/pkg/openvas/var/lib/openvas/private/CA/clientkey.pem --insecure -p 9391 localhost
>> Processed 1 CA certificate(s).
>> Processed 1 client X.509 certificates...
>> Resolving 'localhost'...
>> Connecting to '::1:9391'...
>> Connecting to '127.0.0.1:9391'...
>> - Certificate type: X.509
>> - Got a certificate list of 1 certificates.
>> - Certificate[0] info:
>>  - subject `C=DE,ST=NRW,L=Cologne,O=cleverbridge AG,OU=Server certificate for netscan.cgn.cleverbridge.com,CN=netscan.cgn.cleverbridge.com,[email protected]', issuer `C=DE,ST=NRW,L=Cologne,O=cleverbridge AG,OU=Certification Authority for netscan.cgn.cleverbridge.com,CN=netscan.cgn.cleverbridge.com,[email protected]', RSA key 4096 bits, signed using RSA-SHA256, activated `2015-07-14 12:40:08 UTC', expires `2016-07-13 12:40:08 UTC', SHA-1 fingerprint `03d157c0bb49caff86e9494862bbe72f17977b52'
>>  Public Key ID:
>>   4917ebe77e2ec221116f0210458c9d27fee3e97a
>>  Public key's random art:
>>   +--[ RSA 4096]----+
>>   | oOo. . |
>>   | . * o o |
>>   | . +.oo |
>>   | ..o+o |
>>   | .S+. . |
>>   | + .o |
>>   | . = .. |
>>   | E o.. . |
>>   | .+. ..+. |
>>   +-----------------+
>>
>> - Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
>> *** PKI verification of server certificate failed...
>> - Successfully sent 1 certificate(s) to server.
>> - Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
>> - Session ID: D7:4B:24:A4:55:5B:75:17:ED:3E:96:65:7A:72:31:FB:F7:E1:A6:AD:55:9F:69:5A:F6:AC:B7:C0:CF:A5:B8:02
>> - Ephemeral EC Diffie-Hellman parameters
>>  - Using curve: SECP256R1
>>  - Curve size: 256 bits
>> - Version: TLS1.2
>> - Key Exchange: ECDHE-RSA
>> - Server Signature: RSA-SHA256
>> - Client Signature: RSA-SHA256
>> - Cipher: AES-128-GCM
>> - MAC: AEAD
>> - Compression: NULL
>> - Options: extended master secret, safe renegotiation,
>> - Handshake was completed
>>
>> - Simple Client Mode:
>>
>> Any help is highly appreciated.
>>
>> Winni
>>
>>> From: "Eero Volotinen" <[email protected]>
>>> To: "Winfried Neessen" <[email protected]>
>>> Cc: "openvas-discuss" <[email protected]>
>>> Sent: Tuesday, July 14, 2015 3:56:03 PM
>>> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan
>>>
>>> Try restarting services again. Sounds like (new) certificates are not loaded to services.
>>>
>>> On 14.7.2015 4.10 PM "Winfried Neessen" < [email protected] > wrote:
>>>
>>>> Hi,
>>>>
>>>> my redis-server is running. Also I doubt that this has s. th. to do with redis, as the error says something about a non-properly terminated TLS connection.
>>>>
>>>> So I did a strace on the openvassd and found some messages about an untrusted certificate. I then recreated the CA, server and client certificates via openvas-mkcert -f and openvas-mkcert-client -i -n and restarted the services.
>>>>
>>>> Now when I try to resume the job, it always tells me: 503 Service temporarily down in the notice box of GSA.
>>>>
>>>> Any other suggestions?
>>>>
>>>> Thanks
>>>> Winni
>>>>
>>>>> From: "Eero Volotinen" < [email protected] >
>>>>> To: "Winfried Neessen" < [email protected] >
>>>>> Cc: "openvas-discuss" < [email protected] >
>>>>> Sent: Tuesday, July 14, 2015 12:10:47 PM
>>>>> Subject: Re: [Openvas-discuss] TLS error when trying to launch scan
>>>>>
>>>>> Check your redis-server configuration.
>>>>>
>>>>> On 14.7.2015 1.09 PM "Winfried Neessen" < [email protected] > wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to launch a scan in my OpenVAS instance. Once I press the "play"-button, it says "Requested" but after a second it already says: "Stopped at 1%". The openvasmd.log says:
>>>>>>
>>>>>> md main:WARNING:2015-07-14 10h06.49 UTC:24191: openvas_scanner_read: failed to read from server: The TLS connection was non-properly terminated.
>>>>>> event task:MESSAGE:2015-07-14 10h06.49 UTC:24191: Status of task Test network scan CGN (2fa50913-5928-4122-91a6-0c5251ecce56) has changed to Requested
>>>>>> event task:MESSAGE:2015-07-14 10h06.49 UTC:24191: Task 2fa50913-5928-4122-91a6-0c5251ecce56 has been resumed by wneessen
>>>>>> md main:WARNING:2015-07-14 10h06.51 UTC:24193: openvas_scanner_read: failed to read from server: The specified session has been invalidated for some reason.
>>>>>> event task:MESSAGE:2015-07-14 10h06.51 UTC:24193: Status of task Test network scan CGN (2fa50913-5928-4122-91a6-0c5251ecce56) has changed to Stopped
>>>>>> md main:WARNING:2015-07-14 10h06.51 UTC:24193: sql_close: attempt to close db with open statement(s)
>>>>>>
>>>>>> Any idea what to do?
>>>>>>
>>>>>> Thanks
>>>>>> Winni

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
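The "name in the certificate does not match the expected" verdict that gnutls-cli printed in the thread comes from comparing the certificate's names against the host being connected to (here "localhost", while the scanner certificate was issued for netscan.cgn.cleverbridge.com). The following is an added example, not code from the thread or from OpenVAS: it performs that comparison on the certificate dict Python's ssl module returns, with a constructed dict mirroring the subject shown above; fetch_peer_cert, its port and the file paths are assumptions for use against a live scanner.

```python
"""Hostname check for an X.509 peer certificate, using the dict shape that
ssl.SSLSocket.getpeercert() returns.  Added example (not from the thread or
OpenVAS); it reproduces the name-mismatch verdict gnutls-cli printed above."""
import socket
import ssl

def names_from_cert(cert):
    """DNS names from subjectAltName; fall back to the subject CN only when
    there are no dNSName SAN entries (RFC 6125 section 6.4.4)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """One certificate name against the host.  A wildcard is honoured only as
    the whole leftmost label ('*.example.com'), never mid-label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def check_hostname(cert, expected_host):
    """Return (ok, names): ok is True when expected_host is covered."""
    names = names_from_cert(cert)
    return any(name_matches(n, expected_host) for n in names), names

def fetch_peer_cert(host, port, cafile, certfile, keyfile):
    """Live variant for a running scanner (assumed usage): the CA signature is
    still verified, but name checking is turned off so the mismatch can be
    inspected with check_hostname() instead of failing the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.load_cert_chain(certfile, keyfile)  # the OpenVAS client cert and key
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed dict mirroring the subject gnutls-cli printed in the thread:
# no subjectAltName, so only the CN counts, and it is not "localhost".
SCANNER_CERT = {"subject": ((("countryName", "DE"),),
                            (("organizationName", "cleverbridge AG"),),
                            (("commonName", "netscan.cgn.cleverbridge.com"),))}

if __name__ == "__main__":
    for host in ("localhost", "netscan.cgn.cleverbridge.com"):
        ok, names = check_hostname(SCANNER_CERT, host)
        print(host, "OK" if ok else "MISMATCH", names)
```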
