Well, I am not 100% sure, but I think that in OpenVAS 9 (maybe 8 too) the certificates are in the tasks.db as well (mentioned in the mailing list...). When I faced the same problem (not trusted, no known issuer), I removed the CA, /var/lib/openvas/private/gnupg and the tasks.db. But you should have a backup. If you have a clean OpenVAS there is nothing important, right? Then you have to create the certificates once more.
If you have synced the NVTs, the SCAP-data and the CERT-data, start openvassd. The scanner will need some time to load all the NVTs into its cache. After that, when the scanner is running, you can start "openvasmd --rebuild --progress" and it should create a new tasks.db and hopefully it will rebuild. If that won't help, you should try CentOS 7 and OpenVAS 8 from the atomicorp repo or Ubuntu 14.04 and the PPA from mrazavi. These installations also provide startup scripts.

> On 29.01.2016 at 22:16, Albrecht Dreß <[email protected]> wrote:
>
> Hi René:
>
> On 29.01.16 19:55, Rene Behring wrote:
>> do you also renew the certificates?
>> I think it was
>> openvas-mkcert
>> and
>> openvas-mkcert-client -n -i
>
> No.... I now
>
> - killed the running openvassd
> - erased /opt/openvas/var/lib/openvas/CA/* and
>   /opt/openvas/var/lib/openvas/private/CA/*
> - ran openvas-mkcert with default values
> - ran openvas-mkcert-client -n -i
> - re-started openvassd; netstat says it listens at 0.0.0.0:9391
> - running openvas-check-setup says
>   ERROR: The number of NVTs in the OpenVAS Manager database is too low.
>   FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection
>   and run 'openvasmd --rebuild'.
> - running 'openvasmd -v --rebuild' produces the same error messages as before:
> md main: INFO:2016-01-29 20h30.21 utc:7042: OpenVAS Manager version
> 6.0.7 (DB revision 146)
> md main: INFO:2016-01-29 20h30.21 utc:7042: rebuild_nvt_cache_retry:
> Reloading NVT cache
> md main: INFO:2016-01-29 20h30.21 utc:7043: update_or_rebuild_nvt_cache:
> Rebuilding NVT cache
> md main:MESSAGE:2016-01-29 20h30.21 utc:7043: No SCAP database found
> md main:MESSAGE:2016-01-29 20h30.21 utc:7043: No CERT database found
> md main: INFO:2016-01-29 20h30.21 utc:7043: Updating NVT cache.
> lib serv:WARNING:2016-01-29 20h30.21 utc:7043: Failed to shake hands with
> peer: Error in the push function.
> lib serv:WARNING:2016-01-29 20h30.21 utc:7043: Failed to shutdown server
> socket
>
> BTW, I created the original certs only yesterday, also with the default
> lifetimes (1 and 3 years, respectively), and the box is running ntpd, so I
> *really* believe they were not expired. And the new ones are *not*...
>
> I now tried to connect openvassd by just running
>
> <snip>
> openssl s_client -connect localhost:9391 \
>   -cert /opt/openvas/var/lib/openvas/CA/clientcert.pem \
>   -CAfile /opt/openvas/var/lib/openvas/CA/cacert.pem \
>   -key /opt/openvas/var/lib/openvas/private/CA/clientkey.pem
> </snip>
>
> which *did* work just fine, i.e. the connection was established. Typing in
> some crap in openssl, openvassd apparently shuts down the connection. Thus,
> that part looks good afaict.
>
> I then killed openvassd again, and ran openssl as server for openvasmd:
>
> <snip>
> openssl s_server -accept 9391 \
>   -cert /opt/openvas/var/lib/openvas/CA/servercert.pem \
>   -CAfile /opt/openvas/var/lib/openvas/CA/cacert.pem \
>   -key /opt/openvas/var/lib/openvas/private/CA/serverkey.pem \
>   -dhparam dh1024.pem -state -msg -debug
> </snip>
>
> (I added a 1024 bit dh file, as otherwise openvasmd complains about the too
> short dh parameter.) Now the openvasmd log says
>
> <snip>
> lib serv:WARNING:2016-01-29 21h02.17 utc:7415: openvas_server_verify: the
> certificate is not trusted
> lib serv:WARNING:2016-01-29 21h02.17 utc:7415: openvas_server_verify: the
> certificate hasn't got a known issuer
> </snip>
>
> which IMO is strange as I used the same certs openvassd presented to openssl.
>
> Any idea what I could test more, or what could resolve the issue?
>
> Thanks,
> Albrecht.
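
A check for the "not trusted / no known issuer" symptom discussed in this thread, as an added example that is not from either poster or from the OpenVAS project: it tells apart a peer certificate whose issuer name differs from the CA from one whose issuer name matches but no longer verifies, which is what a stale copy of a regenerated CA looks like. The function names and the constructed demo certificates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: diagnose a CA / peer certificate pair.
# Return codes: 0 = chains to the CA, 1 = issuer name differs,
# 2 = issuer name matches but verification fails (different CA key, expiry),
# 3 = a file could not be parsed.
check_issuer() {
    ca_file=$1; leaf_file=$2
    ca_hash=$(openssl x509 -in "$ca_file" -noout -subject_hash) || return 3
    iss_hash=$(openssl x509 -in "$leaf_file" -noout -issuer_hash) || return 3
    if [ "$ca_hash" != "$iss_hash" ]; then
        echo "MISMATCH: issuer name hash $iss_hash, CA subject hash $ca_hash"
        return 1
    fi
    # Same name is not enough: the signature must verify under this CA's key.
    if openssl verify -CAfile "$ca_file" "$leaf_file" >/dev/null 2>&1; then
        echo "OK: $leaf_file chains to $ca_file"
        return 0
    fi
    echo "STALE?: names match but verification against $ca_file fails"
    return 2
}

# Constructed sample input: two CAs with the SAME subject (an "old" one and a
# regenerated "new" one) and a scanner certificate signed by the new CA only.
# Prints the temporary directory holding ca_old.pem, ca_new.pem and srv.pem.
make_demo_certs() {
    demo_dir=$(mktemp -d) || return 1
    for name in ca_old ca_new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Demo CA" \
            -keyout "$demo_dir/$name.key" -out "$demo_dir/$name.pem" \
            >/dev/null 2>&1 || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-scanner" \
        -keyout "$demo_dir/srv.key" -out "$demo_dir/srv.csr" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$demo_dir/srv.csr" -days 2 -set_serial 1 \
        -CA "$demo_dir/ca_new.pem" -CAkey "$demo_dir/ca_new.key" \
        -out "$demo_dir/srv.pem" >/dev/null 2>&1 || return 1
    echo "$demo_dir"
}

# Usage on real files: sh check.sh cacert.pem servercert.pem
if [ "$#" -eq 2 ]; then check_issuer "$1" "$2"; fi
```

Run against the CA file each component actually loads; a result of 2 means that component holds a CA with the right name but a different key.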
