Bug #13766

closed

5.0 agent on ubuntu 18 not able to connect to 4.3 master

Added by Florian Heigl over 5 years ago. Updated over 5 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Agent
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
First impressions of Rudder
Effort required:
Priority:
100
Name check:
Fix check:
Regression:

Description

Hi,

looks like this:

root@ubuntu18-0--service-7:~# rudder agent update
error: Failed to establish TLS connection: (-1 SSL_ERROR_SSL) illegal zero content
error: No suitable server found
error: Failed to establish TLS connection: (-1 SSL_ERROR_SSL) illegal zero content
error: No suitable server found
R: *************************************************************************
* rudder-agent could not get an updated configuration from the policy server. *
* This can be caused by:                                                      *
* * an agent key that has been changed                                        *
* * if this node is not accepted or deleted node on the Rudder root server    *
* * if this node has changed policy server without sending a new inventory    *
* Any existing configuration policy will continue to be applied without change. *
*************************************************************************
error: Rudder agent promises could not be updated.

root@ubuntu18-0--service-7:~# cat /etc/issue
Ubuntu 18.04.1 LTS \n \l

I did a rudder agent reinit prior to the above.
Inventory upload works fine.

rsyslog config seems to be missing

root@ubuntu18-0--service-7:~# cat /etc/rsyslog.d/
20-ufw.conf 21-cloudinit.conf 50-default.conf
root@ubuntu18-0--service-7:~# grep -R rudder /etc/rsyslog.*
root@ubuntu18-0--service-7:~#

I can see the following happens in rudder server debug:

rudder verbose: === END summary of access promises ===
rudder verbose: Setting minimum acceptable TLS version: 1.0
rudder verbose: Setting cipher list for incoming TLS connections to: AES256-GCM-SHA384:AES256-SHA
rudder verbose: Listening for connections on socket descriptor 6 ...
notice: Server is starting...

rudder verbose: Obtained IP address of 'zz' on socket 7 from accept
rudder verbose: New connection (from zz, sd 7), spawning new thread...
rudder info: zz> Accepting connection
rudder verbose: zz> Setting socket timeout to 600 seconds.
rudder verbose: zz> Peeked nothing important in TCP stream, considering the protocol as TLS
error: zz> Failed to accept TLS connection: (0 SSL_ERROR_SSL) sslv3 alert bad certificate
rudder verbose: Obtained IP address of 'zz' on socket 7 from accept
rudder verbose: New connection (from zz, sd 7), spawning new thread...
rudder info: zz> Accepting connection
rudder verbose: zz> Setting socket timeout to 600 seconds.
rudder verbose: zz> Peeked nothing important in TCP stream, considering the protocol as TLS
error: zz> Failed to accept TLS connection: (0 SSL_ERROR_SSL) sslv3 alert bad certificate

Could you please let me know if you tested that combination before I start searching deeper?
Otherwise it seems absolutely futile to test further at this point.

Also, why still TLS1.0? I thought you said 2 years ago you were gonna go to 1.2 or whatever the maximum supported by CFEngine was?


Related issues: 1 (0 open, 1 closed)

Is duplicate of Rudder - Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version) (Released, Alexis Mousset)
Actions #1

Updated by Alexis Mousset over 5 years ago

  • Target version set to 5.0.2

Was the Rudder 5.0 a new install or a node upgraded from 4.3?

One of the big differences between the node and the server is the version of openssl linked to CFEngine: in 5.0 it should be 1.1 (and 1.0 in 4.3) on ubuntu 18. The error message looks like https://github.com/openssl/openssl/issues/7134 or https://monitoring-portal.org/woltlab/index.php?thread/41664-ca-crt-verification-error-with-openssl-1-1-0-illegal-zero-content-in-field-seria/. What are the openssl versions used on the node and server?

Actions #2

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 5.0.2 to 5.0.3
Actions #3

Updated by Nicolas CHARLES over 5 years ago

  • Related to Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version) added
Actions #4

Updated by François ARMAND over 5 years ago

So it's definitely the same as #13690. The problem seems to be that openssl 1.1 is more strict than openssl 1.0 on certificate format. So the one presented by an agent using openssl 1.0 (ex: centos 6, ubuntu 18.04 with rudder 4.3) is not seen as valid by a server using openssl 1.1 (ex: debian 9, ubuntu 18.04 with rudder 5.0). We are not the only ones having that problem, and we are trying to see how to solve it without breaking the migration path for rudder 4.3 -> rudder 5.0.
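
The thread linked above (the monitoring-portal one) attributes the "illegal zero content" error to the serial field of the certificate, i.e. a serialNumber INTEGER encoded with zero content octets, which OpenSSL 1.0 tolerated and OpenSSL 1.1.0 rejects. The following script is an added diagnostic, not part of this ticket or of Rudder/CFEngine: it walks the DER header of a certificate up to the serialNumber and reports whether that INTEGER has an empty body, so an administrator can identify which agent certificates a 1.1.0-based server would refuse before upgrading. The sample byte strings are constructed, truncated DER prefixes (only the headers before the serial are needed) and the function names are this example's own.

```python
import base64

# Constructed, truncated DER prefixes (not real certificates). Only the
# headers preceding serialNumber are present, which is all the walker reads:
#   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
#       [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... } ... }
GOOD_DER = bytes.fromhex("3020 301e a003 020102 020105")  # serial = INTEGER 5
BAD_DER = bytes.fromhex("3020 301e a003 020102 0200")     # serial = INTEGER with no content

# Constructed PEM wrapper around the good prefix, to exercise pem_to_der().
GOOD_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(GOOD_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length header at pos; return (tag, length, content_start)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not expected in X.509 headers")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short-form length
        return tag, first, pos
    n = first & 0x7F                      # long-form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("indefinite or oversized DER length")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def serial_number_field(der: bytes) -> bytes:
    """Return the raw content octets of tbsCertificate.serialNumber."""
    tag, _, pos = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _, pos = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, length, pos = _tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version: skip it
        pos += length
        tag, length, pos = _tlv(der, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return der[pos:pos + length]


def has_zero_length_serial(der: bytes) -> bool:
    """True when the serial INTEGER has no content octets (invalid DER;
    the encoding OpenSSL 1.1.0 reports as 'illegal zero content')."""
    return len(serial_number_field(der)) == 0


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def report(der: bytes) -> str:
    """One-line verdict suitable for a pre-upgrade inventory of agent certs."""
    if has_zero_length_serial(der):
        return "REJECTED by OpenSSL 1.1.0: serialNumber has zero-length content"
    serial = int.from_bytes(serial_number_field(der), "big", signed=True)
    return f"ok: serialNumber = {serial}"


if __name__ == "__main__":
    for name, der in (("good", GOOD_DER), ("bad", BAD_DER), ("pem", pem_to_der(GOOD_PEM))):
        print(f"{name}: {report(der)}")
```

To run this against a real agent certificate, convert it to DER first (for example with `openssl x509 -in cert.pem -outform DER -out cert.der`, or just feed the PEM text to `pem_to_der`) and pass the bytes to `report`. The walker deliberately stops at the serial field, so it also accepts certificates that the fuller parser in OpenSSL would reject for other reasons; it answers only the one question this ticket is about.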

Actions #5

Updated by Alexis Mousset over 5 years ago

Seems fixed in openssl 1.1.1 (https://github.com/openssl/openssl/commit/ca89174bc92c16f0a2a7eb86359b6c6fd1dd7a4d), so should only happen with 1.1.0.

Actions #6

Updated by François ARMAND over 5 years ago

Short term solution: build cfengine with the openssl 1.0 available on debian 9/ubuntu 18.04. For SLES 15, embed lib openssl 1.0.

Actions #7

Updated by Alexis Mousset over 5 years ago

  • Related to deleted (Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version))
Actions #8

Updated by Alexis Mousset over 5 years ago

  • Related to Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version) added
Actions #9

Updated by Alexis Mousset over 5 years ago

  • Related to deleted (Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version))
Actions #10

Updated by Alexis Mousset over 5 years ago

  • Is duplicate of Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version) added
Actions #11

Updated by Alexis Mousset over 5 years ago

  • Status changed from New to Rejected

Closing as duplicate of #13690.
