Forum Discussion

llama
21 days ago
Solved

Adding additional Root and Intermediate CA certificates to Linux collector.

Hello,

I have some https website tests that are failing because the Root and Intermediate CA certificates are not in the collector trust store.

I have added the certificates into /etc/ssl/certs and ran sudo update-ca-certificates.

openssl s_client connection now verifies the certificate chain, however the website test still fails with the same error.

Does the collector use a different trust store to the standard package installed to the Ubuntu 22.04 OS?

I'm assuming that as it's mostly Java based there is a particular module or something that uses a different trust store.

I can't find any information about this elsewhere.

The CAs in question are:

SectigoRSADomainValidationSecureServerCA.crt
SecureCertificateServices.crt

/etc/ssl/certs/

lrwxrwxrwx 1 root root   19 Jul 21 17:19  75583d7f.0 -> SecureCertificateServices.pem
lrwxrwxrwx 1 root root   44 Jul 21 17:19  65ff7287.0 -> SectigoRSADomainValidationSecureServerCA.pem 

You can see here the openssl verification of the chain:

    Start Time: 1753171962
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Then the website check step failing:

One other minor frustration is in the debug runner: !opssl is listed as a valid command, however when trying to run it, it says unknown debug command. Really not all that useful, so I had to connect to the customer environment and directly ssh to the collectors to even begin troubleshooting, because there was no real useful information returned in the UI.

1 Reply

  • Just to close this one down, it seems there is an issue with TLS negotiation, so it's a 3rd party issue.

    LM support fed the following back:

    While both certificates are trusted and valid when accessed via a browser, the LogicMonitor collector's internal HTTP client is encountering a fatal TLS handshake error with the message: "Received fatal alert: protocol_version."

     

    We also ran !ssltest, which confirmed that the server advertises support for TLSv1.2 and that the certificate chain is valid. However, despite this, the collector is unable to complete the handshake due to an incompatibility in how the endpoint negotiates TLS during connection establishment. This can be caused by:

    • An unsupported or non-standard TLS handshake response
    • TLS header behavior that differs from RFC-compliant expectations
    • Cipher suite ordering or compatibility issues
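
The thread's diagnosis turned on telling a trust-store failure apart from a version-negotiation failure. The following is an added example, not part of the original thread and not LogicMonitor's code, which makes that distinction with Python's `ssl` module rather than the collector's Java HTTP client. The function names and the local test endpoint are constructed for illustration; the endpoint replies to any ClientHello with the fatal `protocol_version` alert quoted by support.

```python
import socket
import ssl
import threading

# TLS record: type 21 (alert), version 0x0303, length 2, level 2 (fatal),
# description 70 (protocol_version) -- the alert quoted by support above.
FATAL_PROTOCOL_VERSION = bytes([21, 3, 3, 0, 2, 2, 70])


def classify(exc):
    """Map a handshake exception to the layer that actually failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "trust"          # chain/hostname problem: fix the trust store
    if isinstance(exc, ssl.SSLError):
        reason = (exc.reason or str(exc)).upper().replace(" ", "_")
        if "PROTOCOL_VERSION" in reason or "UNSUPPORTED_PROTOCOL" in reason:
            return "protocol"   # version negotiation: CA certs are irrelevant
        return "tls-other"
    return "network"


def probe(host, port, timeout=5.0):
    """Handshake using the system trust store; return 'ok' or a failure class."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except (ssl.SSLError, OSError) as exc:
        return classify(exc)


def start_alerting_server():
    """Constructed local endpoint: answers any ClientHello with the alert."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)                    # consume the ClientHello
            conn.sendall(FATAL_PROTOCOL_VERSION)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe("127.0.0.1", start_alerting_server()))  # protocol
```

A result of `protocol` means adding CA certificates to any trust store will not change the outcome; `trust` means the chain or hostname check is what failed.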