Open VAS - Service temporarily down (Certificates expired)
So my certificates expired on my Open VAS installation. Because of that, I'm getting the following error when trying to run a scan.

Operation: Start Task Status code: 503 Status message: Service temporarily down

I've tried recreating the certificates:

me@ovas:~$ sudo /usr/sbin/openvas-mkcert -q -f
[sudo] password for me:


me@ovas:~$ sudo /usr/bin/openvas-mkcert-client -n -i
Generating RSA private key, 4096 bit long modulus
........................++
..................................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.28853/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
localityName          :ASN.1 12:'Berlin'
commonName            :ASN.1 12:'om'
Certificate is to be certified until Dec  5 12:38:09 2017 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
me@ovas:~$

And then rebooted ...

The one for the web interface is switched out correctly, but it seems the scanner one isn't?

This is in the logs:

lib serv:WARNING:2016-12-05 12h41.23 UTC:1533: Failed to shake hands with peer: The TLS connection was non-properly terminated.
event task:MESSAGE:2016-12-05 12h41.23 UTC:1533: Task Scan of target.me (3aca3163-3de2-4519-92af-f649f6bedd7c) could not be started by admin

OpenVAS check script output:

openvas-check-setup 2.3.7
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 5.0.7.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=3.0.6.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/run/redis/redis.sock
        OK: redis-server is running and listening on socket: /var/run/redis/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /var/lib/openvas/plugins contains 50525 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 50548 files for 50525 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 49328 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
        OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI ...
        OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ...
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: Greenbone Security Assistant is running and listening on all interfaces.
        OK: Greenbone Security Assistant is listening on port 443, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 7.01
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
        SUGGEST: Install required LaTeX packages.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Solution

  • This answer is probably a bit late for the OP, but in case future Googlers end up here, this is what worked for me:

    I also came to the conclusion that expired certs were the issue when my OpenVAS scans suddenly stopped running. Using the openvas-check-setup command told me everything was fine, but when I tried manually running scans I'd get the same 503 service unavailable message. Looking at the logs (location for me: /var/log/openvas/openvasmd.log) gave me a few clues to follow, including:

    WARNING:2017-05-16 19h04.51 UTC:3687: Failed to gnutls_bye: Error in the push function.
    WARNING:2017-05-16 19h04.52 UTC:3686: openvas_server_verify: the certificate is not trusted
    WARNING:2017-05-16 19h04.52 UTC:3686: openvas_server_verify: the certificate has expired

    I started with troubleshooting the gnutls_bye message, since the word Error tends to capture more attention than Warning, but in the end certificates were the issue.

    I used a variation of the OP's mkcert commands to produce the new certificates, but the step that I believe s/he was missing was to update the scanner configuration with these new certs.

    So I navigated a bit closer to the cert file location (cd /var/lib/openvas/) and ran the following command:

    openvasmd --modify-scanner <UUID> --scanner-ca-pub CA/cacert.pem --scanner-key-pub CA/clientcert.pem --scanner-key-priv private/CA/clientkey.pem

    You'll need to replace <UUID> with the actual UUID of the scanner you are modifying. To get the list of scanners:

    openvasmd --get-scanners

    And as a final check, you can use the verify command:

    openvasmd --verify-scanner <UUID>

    While it was broken, I got the very unhelpful response of

    Failed to verify scanner.

    But once you've got the certs successfully updated and associated with your scanner (and you might need to restart related services for good measure, or just go the lazy/nuclear route like I did and reboot the server), the verify command should return something along the lines of

    Scanner version: OTP/2.0.

    or whatever type/version you're running.

    FWIW, the modify-scanner step is buried deep within the OpenVAS documentation, if you search for "Updating Scanner Certificates" here: http://www.openvas.org/src-doc/openvas-manager/index.html

    Hope this helps someone!
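As an added example (not part of the question or the answer above, and not OpenVAS project code), here is a small Python script that covers the two gaps the thread exposes: openvas-check-setup only tests that the certificate files exist, not whether they are still valid, and the real cause only shows up in openvasmd.log. The script reports the days remaining on the CA and client certificates named on this page (assuming the openssl CLI is on PATH; the scanner's own server certificate is not listed here, so it is not checked) and flags the log messages quoted in the question and the answer. The sample log lines are constructed from those excerpts.

```python
"""Check an OpenVAS 8 install for the expired-certificate failure mode discussed above.

Two checks: (1) report how many days remain on the CA and client certificates by
reading their notAfter date, and (2) flag openvasmd.log lines that point at
TLS/certificate trouble rather than at the scan itself.
"""
import re
import ssl
import subprocess
from datetime import datetime, timezone

# Certificate files named by openvas-check-setup and the modify-scanner command above.
CERT_FILES = [
    "/var/lib/openvas/CA/cacert.pem",
    "/var/lib/openvas/CA/clientcert.pem",
]
LOG_FILE = "/var/log/openvas/openvasmd.log"  # location given in the answer

# Message fragments taken from the log excerpts in the question and the answer.
CERT_PATTERNS = {
    "handshake": re.compile(r"Failed to shake hands with peer"),
    "untrusted": re.compile(r"openvas_server_verify: the certificate is not trusted"),
    "expired":   re.compile(r"openvas_server_verify: the certificate has expired"),
}
# openvasmd timestamps look like "2017-05-16 19h04.51 UTC"
LOG_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}h\d{2}\.\d{2} UTC")

# Constructed sample, reusing the wording of the two log excerpts on this page.
SAMPLE_LOG = [
    "lib serv:WARNING:2016-12-05 12h41.23 UTC:1533: Failed to shake hands with peer: The TLS connection was non-properly terminated.",
    "event task:MESSAGE:2016-12-05 12h41.23 UTC:1533: Task Scan of target.me (...) could not be started by admin",
    "WARNING:2017-05-16 19h04.51 UTC:3687: Failed to gnutls_bye: Error in the push function.",
    "WARNING:2017-05-16 19h04.52 UTC:3686: openvas_server_verify: the certificate is not trusted",
    "WARNING:2017-05-16 19h04.52 UTC:3686: openvas_server_verify: the certificate has expired",
]


def scan_log(lines):
    """Return (timestamp, kind) for every line that matches a certificate pattern."""
    hits = []
    for line in lines:
        for kind, pat in CERT_PATTERNS.items():
            if pat.search(line):
                ts = LOG_TS.search(line)
                hits.append((ts.group(0) if ts else "", kind))
    return hits


def days_until_expiry(not_after, now=None):
    """Days left on a certificate given its notAfter in OpenSSL text form,
    e.g. 'Dec  5 12:38:09 2017 GMT'; the 'notAfter=' prefix printed by
    `openssl x509 -noout -enddate` is accepted too. Negative means expired."""
    not_after = not_after.strip()
    if not_after.startswith("notAfter="):
        not_after = not_after[len("notAfter="):]
    expires = ssl.cert_time_to_seconds(not_after)  # stdlib parser for this exact format
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return (expires - now) / 86400.0


def cert_not_after(pem_path):
    """Read notAfter from a PEM certificate with the openssl CLI (assumed to be on PATH)."""
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
        capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def main():
    for path in CERT_FILES:
        try:
            left = days_until_expiry(cert_not_after(path))
        except (OSError, subprocess.CalledProcessError) as exc:
            print(f"{path}: could not read ({exc})")
            continue
        state = "EXPIRED" if left < 0 else "ok"
        print(f"{path}: {state}, {left:.1f} days remaining")
    try:
        with open(LOG_FILE) as fh:
            hits = scan_log(fh)
    except OSError as exc:
        print(f"{LOG_FILE}: could not read ({exc})")
        return
    for ts, kind in hits[-10:]:  # most recent certificate-related warnings
        print(f"{ts}: {kind}")
    if any(kind == "expired" for _, kind in hits):
        print("Certificate expired: regenerate with openvas-mkcert / openvas-mkcert-client, "
              "then run openvasmd --modify-scanner ... and openvasmd --verify-scanner <UUID>")


if __name__ == "__main__":
    main()
```

Run it as root on the manager host; a negative "days remaining" on either file, or an "expired" hit in the log, means the modify-scanner step from the answer is still needed even though openvas-check-setup reports OK.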