[Fusioninventory-user] Issues with Windows Agent Installer and SSL

Joseph Carroll joseph.carroll at sshainc-houston.com
Fri Aug 14 14:36:58 UTC 2015


Per Guillaume R.'s suggestion to post these issues to either the user
list or user forum rather than post helpful information in tandem with
the resolution of the bug ticket submitted, I'll post this here.

There were a lot of 'feature' implementations and 'bug' type
configuration issues submitted in the one ticket below that caused the
actual agent scripts to not function appropriately, or not work entirely
with no log produced.  Yes, a SSL "misconfiguration" seems to be the
culprit, but this "misconfiguration" can happen and should be logged and
at least warned against.  There is minimal documentation on the Windows
installer settings which are just ported from the Linux version and you
have to go to the Linux help to find decent info, but even then it is
lacking in detail.  The online forum posts and general googling produce
half answers that seem to have been abandoned rather than resolved.

------- The Issue at hand:  Agent SSL authentication to the
GLPI/FusionInventory server when installed via the Windows Installer
package does not connect.  This may only be affecting the Windows
installer package implementation and not the actual implementation of
the agent on other operating systems or when building from source.  The
below post is copied from the bug ticket #3010 submitted:

The Windows agent doesn't make a successful connection via SSL [When
there are no SSL options configured] (This is the infamous and poorly
documented Gateway 500 error that IS successfully logged.  Cannot make
communication to the server.  However, there is no warning regarding SSL
authentication or certificate issues.),  This occurs when you use
https:// for the remote target with no SSL options set.

nor does setting the force inventory/discovery options at the end of the
installer actually initiate any requests (through the wire[using
wireshark,tcpdump]) to the GLPI/FusionInventory server after a
re-installation of the Windows agent software [Using either different or
the same options]. (This should be a bug as every time the software is
reinstalled it should perform the tasks dependent on the delay provided
by the installer/script or immediately upon completion [clicking
'Finish' on the installer package.]  But they don't seem to run within
the time specified like it is waiting on an already defined resync time
setting [which looks to be undocumented].  Reinstalling, uninstalls the
product and reinstalls it, but it doesn't act fresh-- because I
immediately got results when using HTTP url within 3 minutes of
installation.

Perhaps this is a defined option that is not cleansed with the uninstall
script.

(This is more of a bug/feature request because there is no log produced
when the above bug is produced.  For god sake please implement a wrapper
around this section for debugging as everyone should be using SSL on
their GLPI server and if they mis-configured the SSL Options- nothing.)
There is also absolutely no log file produced regardless of the level of
DEBUG set by the installer. Is this debug level of the installer itself
or the entire agent system?-- by either the BATCH scripts or Perl
scripts when this fails- so debugging the issue is difficult without
file system/registry real-time analysis.

It worked perfectly through regular HTTP. After resetting it from HTTPS
to HTTP [For the FusionInventory URL] the inventory was processed, but
was delayed a few minutes [Perhaps this was due to the set option 'Delay
First Trigger' 3600?]- I have attempted to set this to 0-60 to speed it
up for the HTTPS connection but just sat there for 30 minutes doing
nothing.

Also, (This is a bug related to the SSL options specifically as it
totally breaks the user agent web portal- when it has nothing to do with
it.  The checkbox option 'Enable client HTTP server' is checked and
makes no note of using HTTPS, or that the SSL options are for this as it
is 2 pages down the installer...  checking for this using cmd netstat
-abn produces nothing on port 80)
The service is running; the option to enable the embedded HTTP server is
checked during installation; but the HTTP server never starts on port 80
when you set the settings for SSL in the installer. It miraculously
reappears when the SSL settings are removed. (It does, so SSL options
being set in the installer breaks, can you confirm?)

Server:
Ubuntu 14.04.2 Updated
Apache2 (Comes with mod ssl enabled.)
mysql-server
php5
php5-mysql
php5-gd
plugins directory recursively chmod 755 with chown www-data user/group.

Client: (Using x86 version of the installer.)
Windows 7 (x64) Professional SP1

The SSL option is confusing in the installer as well, is it the
certificate of the signing authority [Public or Private] converted into
pem format; or is this the certificate of the server of the
GLPI/FusionInventory server that was signed by the CA? [The signing
authority makes more sense]. I see it is documented that the
'Certificate URI' is not implemented yet. I've tried both forms and
neither work and since the log isn't produced there is nothing to tell
me why it failed. Does it need the signing certificate authorities'
certificate because it doesn't query the built-in certificate store,
where this is already located?

------- End of post #3010.  G.R. I believe you could have produced some
reasonable answers to the issues above instead of chalking it all up to
the "My SSL doesn't work" response.  If you have no experience with the
Windows installer and how it operates, please do not touch a ticket, but
add someone who does as a watcher.  You could have, at the very least,
specified which issues in the above ticket were not reproducible and
requested further information.

Thanks and hope someone can shed some light on these issues I'm facing.
Joseph C.
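
Added example, not part of the original post and not FusionInventory code: for an OpenSSL-style verifier, this script builds a constructed private CA plus a server certificate and shows which of the two PEM files works as the trust file. All subject names and file names are made up, and it is an assumption that the agent's TLS stack verifies chains the way `openssl verify` does.

```shell
#!/bin/sh
# Constructed demo PKI: every subject name and file name below is made up.

# Create a private signing authority and a server certificate it signs.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=glpi.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# True when subject and issuer match, i.e. the file is a root, not a leaf.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ]
}

# True when certificate $2 chains to a trust anchor found in PEM file $1.
verifies_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    for trust in ca.pem server.pem; do
        if is_self_issued "$d/$trust"; then kind="self-issued root"
        else kind="leaf signed by another CA"; fi
        if verifies_with "$d/$trust" "$d/server.pem"; then result="OK"
        else result="FAIL"; fi
        echo "trust file $trust ($kind): verifying server.pem -> $result"
    done
    rm -rf "$d"
}

demo
```

On a real setup, the same two checks can be pointed at the PEM file intended for the installer and at the certificate Apache serves, which gives the failure reason the agent log does not.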