epoptes-client failed to fetch certificate

Asked by Olivier Péault

I have installed epoptes in my computer with lubuntu 12.04 (named lubuntu-portable), installed epoptes-client in another computer, changed the line SERVER=server to SERVER=lubuntu-portable.local in the file /etc/default/epoptes-client and when I try :
# epoptes-client -c
I get :
connect: Connection timed out
connect:errn0=110
epoptes-client ERROR: Failed to fetch certifiacte from lubuntu-portable.local:789
Does anyone know what I should do ?

Olivier

Question information

Language: English
Status: Solved
For: Epoptes
Assignee: No assignee
Solved by: Olivier Péault

This question was reopened

Alkis Georgopoulos (alkisg) said :
#1

First, try with epoptes-client -c <ip of lubuntu-portable>
If that doesn't work, go in lubuntu-portable, and run:
service epoptes restart
And paste any error messages here.

Olivier Péault (o-peault) said :
#2

Thanks for your reply.
I get the same error on the client :
# epoptes-client -c 192.168.1.33
connect: Connection timed out
connect:errn0=110
epoptes-client ERROR: Failed to fetch certificate from 192.168.1.33:789

On the "server":
# service epoptes restart
 * Stopping the epoptes daemon [ OK ]
 * Starting the epoptes daemon [ OK ]

Olivier

Alkis Georgopoulos (alkisg) said :
#3

On the server, verify that epoptes is listening on port 789:
$ sudo netstat -nap | grep :789
tcp 0 0 0.0.0.0:789 0.0.0.0:* LISTEN 2447/python

If it is, then check for firewall issues.
Can you ping the server from the client?

Olivier Péault (o-peault) said :
#4

Here are the results :
$ sudo netstat -nap | grep :789
tcp 0 0 0.0.0.0:789 0.0.0.0:* LISTEN 5807/python
tcp 0 0 192.168.1.33:789 192.168.1.34:38975 ESTABLISHED 5807/python
tcp 0 0 192.168.1.33:789 192.168.1.34:38974 ESTABLISHED 5807/python
tcp 0 0 192.168.1.33:789 192.168.1.34:38973 ESTABLISHED 5807/python

$ sudo ufw disable
Le pare-feu est arrêté et désactivé lors du démarrage du système
(More or less: The firewall is stopped and deactivated when the system starts)

On the client
$ ping lubuntu-portable.local
works

Olivier

Alkis Georgopoulos (alkisg) said :
#5

Run the following commands, and paste their output here:

Server:
ls -lha /etc/epoptes
openssl s_client -connect localhost:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'

Client:
openssl s_client -connect <ip of server>:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'

Olivier Péault (o-peault) said :
#6

Server :

olivier@lubuntu-portable:~$ ls -lha /etc/epoptes
total 24K
drwxr-xr-x 2 root root 4,0K juil. 2 15:04 .
drwxr-xr-x 146 root root 12K juil. 3 09:31 ..
-rw-r--r-- 1 root root 875 juil. 2 15:04 server.crt
-rw------- 1 root root 916 juil. 2 15:04 server.key
olivier@lubuntu-portable:~$ openssl s_client -connect localhost:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
DONE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Client :

olivier@maths-5:~$ openssl s_client -connect 192.168.1.33:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
DONE

Olivier Péault (o-peault) said :
#7

It works now.
I have run the previous commands without understanding. Did they solve the problem?
Anyway, thank you very much for your help.
--
Olivier

Alkis Georgopoulos (alkisg) said :
#8

No, the previous commands were just diagnostic, they didn't modify your installation at all. They're essentially what `epoptes-client -c` does, but without the "saving the server certificate to /etc/epoptes/server.crt in the client" part.
It probably was a networking problem, but I don't know what, since you said that your firewall was off.
If it's working now it means that `epoptes-client -c server` at some point succeeded in contacting your server.

Olivier Péault (o-peault) said :
#9

Thank you for the explanation.
I was just testing but the idea is to make it work for a classroom. If the same problem appears, can I solve it by copying the server.crt from the server to each client ?

Alkis Georgopoulos (alkisg) said :
#10

You can copy the certificate with scp or any other method you like, instead of using `epoptes-client -c`.
But the same 789 port is used for the client <=> server communication, so if the networking problem appears again, the clients won't be able to connect to the server even if they have the certificate.

If that happens again, try the client openssl command above. If that works, `epoptes-client -c server` should work too, otherwise it's an epoptes bug (but I don't think that's likely). If that doesn't work, it's a networking issue. Check again the firewall, your iptables etc.
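
An added example, not part of the original thread or of epoptes: it runs the same `openssl s_client` probe from the client, classifies the failure (a timeout or refusal points at networking or a firewall, a handshake failure at the service answering on the port), and compares the live certificate's fingerprint with the copy stored in /etc/epoptes/server.crt. The function names are hypothetical, and errno 111 for a refused connection is the Linux value, which the thread does not show.

```shell
#!/bin/sh
# Added example, not epoptes code. Port 789 and the certificate path come
# from the thread; function names are assumptions made for illustration.

CERT=/etc/epoptes/server.crt   # where `epoptes-client -c` saves the server cert
PEM_RANGE='/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'

# Map captured `openssl s_client` output to a diagnosis.
classify_probe() {
    case "$1" in
        *"-----BEGIN CERTIFICATE-----"*) echo ok ;;        # TLS server answered
        *errno=110*|*"timed out"*)       echo timeout ;;   # packets dropped on the way
        *errno=111*|*"refused"*)         echo refused ;;   # host up, port closed
        *"handshake failure"*)           echo handshake ;; # TCP fine, TLS failed
        *)                               echo unknown ;;
    esac
}

# SHA-256 fingerprint of the PEM certificate read from stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256
}

# triage HOST [PORT]: probe the server, then compare with the stored cert.
triage() {
    out=$(openssl s_client -connect "$1:${2:-789}" </dev/null 2>&1)
    state=$(classify_probe "$out")
    echo "probe result: $state"
    [ "$state" = ok ] || return 1
    live=$(printf '%s\n' "$out" | sed -n "$PEM_RANGE" | fingerprint)
    if [ ! -r "$CERT" ]; then
        echo "no stored cert; check this fingerprint on the server: $live"
    elif [ "$live" = "$(fingerprint <"$CERT")" ]; then
        echo "live certificate matches $CERT"
    else
        echo "MISMATCH: live certificate differs from $CERT"
        return 2
    fi
}

# Only probe when a host is given, e.g.: sh triage.sh 192.168.1.33
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

Because the server certificate is self-signed and fetched without verification, the fingerprint comparison is the only check that the client is talking to the server whose server.crt it holds.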

Olivier Péault (o-peault) said :
#11

Many thanks for all.
Olivier

Norbert (shadowrider) said :
#12

Hello.
I have a similar problem.
Client and server are both on Kubuntu in a local network.
On client:
sudo epoptes-client -c
connect: Connection timed out
connect:errno=110
epoptes-client ERROR: Failed to fetch certificate from server:789
- the same with sudo epoptes-client -c 192.168.1.4

I did:
sudo service epoptes restart
sudo ufw disable
on both

On server:

sudo netstat -nap | grep :789
[sudo] password for norbert:
tcp 0 0 0.0.0.0:789 0.0.0.0:* LISTEN 2942/python
tcp 0 1 192.168.1.4:55060 192.168.1.3:789 SYN_SENT 2678/socat

ls -lha /etc/epoptes
razem 24K
drwxr-xr-x 2 root root 4,0K lis 29 19:16 .
drwxr-xr-x 149 root root 12K gru 5 13:08 ..
-rw-r--r-- 1 root root 875 lis 29 23:07 server.crt
-rw------- 1 root root 916 lis 29 23:07 server.key

openssl s_client -connect localhost:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
DONE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

On client:
ping to server works
openssl s_client -connect 192.168.1.4:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'
connect: Connection timed out
connect:errno=110

How can I get connection?

Alkis Georgopoulos (alkisg) said :
#13

I think it's a firewall issue, even if it isn't UFW.
You could come to IRC for live help (find it in the epoptes help menu).

Some things to try:
 * From the client: socat - ssl:192.168.1.4:789,verify=0
 * Manually copy /etc/epoptes/server.crt to the client.
 * Try to contact some other server port, e.g. ssh or whatever other service you have installed.

Norbert (shadowrider) said :
#14

Thanks.
I'm closer.
Actually it was a firewall issue; I solved it with firestarter. It was on the list of blocked connections.
Now on client:

sudo epoptes-client -c
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
DONE
Successfully fetched certificate from server:789

openssl s_client -connect 192.168.1.4:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
DONE

On server:
sudo netstat -nap | grep :789
[sudo] password for norbert:
tcp 0 0 0.0.0.0:789 0.0.0.0:* LISTEN 6114/python

ls -lha /etc/epoptes
razem 24K
drwxr-xr-x 2 root root 4,0K lis 29 19:16 .
drwxr-xr-x 149 root root 12K gru 6 10:29 ..
-rw-r--r-- 1 root root 875 lis 29 23:07 server.crt
-rw------- 1 root root 916 lis 29 23:07 server.key

openssl s_client -connect localhost:789 < /dev/null | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d'
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
DONE
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

On both:
sudo service epoptes restart

But when I run on server:
epoptes
Got clients: None

It doesn't see the client.

Norbert (shadowrider) said :
#15

OK
sudo service epoptes restart was not enough in my case - full reboot was needed on both machines.

Norbert (shadowrider) said :
#16

And now my purpose is to have one client on a computer outside the local network, which could be monitored by some of two servers [in my local network, at the moment they work as a server and client], depending on the situation.
At the beginning I'd like to make a reversed connection in the local network. Client should become server, and server - client.
Is that possible?
I got:
sudo epoptes-client -c
140283224655520:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
epoptes-client ERROR: Failed to fetch certificate from 192.168.1.3:789

Alkis Georgopoulos (alkisg) said :
#17

Hi Norbert,

epoptes-client can only connect to a single server, it can't be monitored from 2 servers simultaneously.

For the remote <=> local network issue, please open another question, and make sure that you have port forwarding in your router set up correctly for port 789.

Ginko Bagus Prahara (ginkogbp) said :
#18

I have some problem, but I use pinet.
Can you help me, Mr. alkisg?