SSLError for HTTPS module
- 3 days ago
For anyone else that may be looking at this in the future, support has supplied me with a solution that works.
In LogicMonitor, Open up Settings -> Collectors -> [locate the Collector in question] -> Collector Configuration -> Wrapper Config
Within wrapper config, look at all the "wrapper.java.additional.##" entries, where the ## is going to be a number starting at 1 and incrementing by 1. For example, in my environment I had
wrapper.java.additional.1 - wrapper.java.additional.28
Add 1 to the last wrapper.java.additional.## (so for me it would be wrapper.java.additional.29) and add the following line to the end of your config
wrapper.java.additional.29=-Djdk.tls.maxHandshakeMessageSize=50000
Then click "save and restart" to restart the collector. This solved the issue.
The "why" is a bit more iffy. According to LogicMonitor support:
It looks like it was basically just buffer overflow protection built into the Collector. We have a buffer of 32KiB for the handshake response; if the response exceeds that buffer size we discard it as invalid. To be clear, the following is conjecture, but I figure what's going on here is that most SSL handshake responses are less than 32KiB, so that value was probably chosen arbitrarily as 'good enough' for most cases. Given that the SSL handshake response contains the entire certificate chain, if the chain is long enough it could in theory exceed that buffer size, which I assume is why the developers offered this as a knob to turn in the config. According to some random sources I found online, a typical enterprise certificate chain for an internal server using TLS 1.2 can be 6-10KiB, so 32KiB should be enough in most cases. Looks like in this case it wasn't.
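The two things a practitioner usually wants after reading the procedure above are (a) a way to apply the wrapper.conf change without miscounting the index or adding the property twice, and (b) a rough check of whether a given certificate chain would actually trip the limit. The script below is an added example written for this page; it is not LogicMonitor's code and not part of the original post. It assumes the Java Service Wrapper key format shown in the post (wrapper.java.additional.N=...), uses the standard JDK system property jdk.tls.maxHandshakeMessageSize (whose JDK default is 32768 bytes, i.e. the 32KiB mentioned by support), and sizes the TLS 1.2 Certificate message body per RFC 5246 section 7.4.2 (3-byte list length, then 3-byte length plus DER bytes per certificate). The wrapper.conf sample and the DER lengths in the usage section are constructed, not taken from any real collector.

```python
import re

# Standard JDK property and its default (32 KiB). Not LogicMonitor-specific.
HANDSHAKE_PROP = "jdk.tls.maxHandshakeMessageSize"
DEFAULT_JDK_LIMIT = 32768

_ADDITIONAL_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")


def parse_additional(conf_text):
    """Map index -> value for every wrapper.java.additional.N line in conf_text."""
    entries = {}
    for line in conf_text.splitlines():
        m = _ADDITIONAL_RE.match(line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    return entries


def set_handshake_limit(conf_text, limit):
    """Return conf_text with -Djdk.tls.maxHandshakeMessageSize=<limit> present exactly once.

    If some wrapper.java.additional.N already carries the property, it is rewritten in
    place (re-running the procedure must not add a duplicate). Otherwise a new line is
    appended using the highest existing index + 1, which is what the post describes;
    indexes may appear out of order or with gaps, so max() is used rather than len().
    """
    prop_re = re.compile(r"-D" + re.escape(HANDSHAKE_PROP) + r"=\d+")
    new_value = f"-D{HANDSHAKE_PROP}={int(limit)}"
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        m = _ADDITIONAL_RE.match(line)
        if m and prop_re.search(m.group(2)):
            lines[i] = f"wrapper.java.additional.{m.group(1)}={prop_re.sub(new_value, m.group(2))}"
            return "\n".join(lines) + "\n"
    next_index = max(parse_additional(conf_text), default=0) + 1
    lines.append(f"wrapper.java.additional.{next_index}={new_value}")
    return "\n".join(lines) + "\n"


def tls12_certificate_body_size(chain_der_lengths):
    """Size in bytes of the TLS 1.2 Certificate handshake message body for a chain.

    RFC 5246 7.4.2: certificate_list has a 3-byte length, and each ASN.1Cert in it is a
    3-byte length followed by the DER bytes. The 4-byte handshake header is not counted.
    """
    return 3 + sum(3 + int(n) for n in chain_der_lengths)


def exceeds_handshake_limit(chain_der_lengths, limit=DEFAULT_JDK_LIMIT):
    """True if the chain's Certificate message body would exceed the JDK limit.

    Assumption (not verified against JDK source here): the JDK compares the 3-byte
    handshake body length against jdk.tls.maxHandshakeMessageSize.
    """
    return tls12_certificate_body_size(chain_der_lengths) > limit


if __name__ == "__main__":
    # Constructed wrapper.conf fragment: note the out-of-order indexes.
    sample_conf = (
        "wrapper.java.command=java\n"
        "wrapper.java.additional.1=-Xmx2g\n"
        "wrapper.java.additional.3=-Dfoo=bar\n"
        "wrapper.java.additional.2=-Djava.net.preferIPv4Stack=true\n"
    )
    print(set_handshake_limit(sample_conf, 50000))
    # Constructed DER lengths: a chain of large 4096-bit RSA certs with long SAN lists.
    big_chain = [12000, 10000, 9000, 2000]
    print(tls12_certificate_body_size(big_chain), exceeds_handshake_limit(big_chain))
```

Run it against a saved copy of the wrapper config rather than the live file; the post's procedure still applies the change through the Collector Configuration UI and "save and restart". The size check is an estimate for the server Certificate message only; a handshake can carry other large messages (for example a long list of trusted CA names in a CertificateRequest), so a chain that fits is not a guarantee that no handshake message exceeds the limit.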