所以我的证书在我的Open VAS安装上过期了.因此,我在尝试运行扫描时遇到以下错误.
操作:启动任务状态码:503状态消息:服务暂时关闭
我试过重新创建证书:
me@ovas:~$ sudo /usr/sbin/openvas-mkcert -q -f
[sudo] password for me:
me@ovas:~$ sudo /usr/bin/openvas-mkcert-client -n -i
Generating RSA private key, 4096 bit long modulus
........................++
..................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.28853/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
localityName :ASN.1 12:'Berlin'
commonName :ASN.1 12:'om'
Certificate is to be certified until Dec 5 12:38:09 2017 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
me@ovas:~$
然后重启......
然后一个用于Web界面正确切换,但似乎扫描仪一个不是?
这是在日志中:
lib serv:警告:2016-12-05 12h41.23 UTC:1533:无法与对等方握手:TLS连接未正确终止.事件任务:消息:2016-12-05 12h41.23 UTC:1533:管理员无法启动target.me(3aca3163-3de2-4519-92af-f649f6bedd7c)的任务扫描
检查Open VAS Script输出:
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.7.
OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
OK: redis-server is present in version v=3.0.6.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/run/redis/redis.sock
OK: redis-server is running and listening on socket: /var/run/redis/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /var/lib/openvas/plugins contains 50525 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /var/cache/openvas contains 50548 files for 50525 NVTs.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 49328 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: Greenbone Security Assistant is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 443, which is the default port.
Step 8: Checking nmap installation ...
WARNING: Your version of nmap is not fully supported: 7.01
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
It seems like your OpenVAS-8 installation is OK.
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
对于OP来说这个答案可能有点晚了,但是如果未来的Google员工到此为止,这对我有用:
我还得出结论,当我的OpenVAS扫描突然停止运行时,过期的证书就成了问题.使用openvas-check-setup命令告诉我一切都很好,但是当我尝试手动运行扫描时,我会得到相同的503服务不可用消息.查看日志(我的位置:/var/log/openvas/openvasmd.log)给了我一些线索,包括:
警告:2017-05-16 19h04.51 UTC:3687:gnutls_bye失败:推送功能出错.警告:2017-05-16 19h04.52 UTC:3686:openvas_server_verify:证书不可信警告:2017-05-16 19h04.52 UTC:3686:openvas_server_verify:证书已过期
我开始对gnutls_bye消息进行故障排除,因为单词Error往往比Warning更能引起注意,但最终证书就是问题.
我使用OP的mkcert命令的变体来生成新证书,但我相信他/她缺少的步骤是使用这些新证书更新扫描仪配置.
所以我更接近cert文件位置(cd/var/lib/openvas /)并运行以下命令:
openvasmd --modify-scanner <UUID> --scanner-ca-pub CA/cacert.pem --scanner-key-pub CA/clientcert.pem --scanner-key-priv private/CA/clientkey.pem
您需要替换正在修改的扫描仪的实际UUID.要获取扫描仪列表:
openvasmd --get-scanners
作为最终检查,您可以使用verify命令:
openvasmd --verify-scanner <UUID>
当它被打破时,我得到了非常无益的回应
无法验证扫描仪.
但是,一旦你的证书成功更新并与你的扫描仪相关联(你可能需要重新启动相关服务以获得良好的衡量标准,或者像我一样去懒惰/核路由并重新启动服务器),验证命令应该返回一些东西
扫描仪版本:OTP/2.0.
或者你正在运行的任何类型/版本.
FWIW,修改扫描程序步骤深埋在OpenVAS文档中,如果您在此处搜索"更新扫描程序证书":http://www.openvas.org/src-doc/openvas-manager/index.html
希望这有助于某人!