Project

General

Profile

Bug #13766

5.0 agent on ubuntu 18 not able to connect to 4.3 master

Added by Florian Heigl almost 2 years ago. Updated almost 2 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Agent
Target version:
Pull Request:
Severity:
Major - prevents use of part of Rudder | no simple workaround
User visibility:
First impressions of Rudder
Effort required:
Priority:
100

Description

Hi,

looks like this:

@root@ubuntu18-0--service-7:~# rudder agent update
error: Failed to establish TLS connection: (-1 SSL_ERROR_SSL) illegal zero content
error: No suitable server found
error: Failed to establish TLS connection: (-1 SSL_ERROR_SSL) illegal zero content
error: No suitable server found
R: *************************************************************************
  • rudder-agent could not get an updated configuration from the policy server. *
  • This can be caused by: *
  • * an agent key that has been changed *
  • * if this node is not accepted or deleted node on the Rudder root server *
  • * if this node has changed policy server without sending a new inventory *
  • Any existing configuration policy will continue to be applied without change. * *************************************************************************
    error: Rudder agent promises could not be updated.@

root@ubuntu18-0--service-7:~# cat /etc/issue
Ubuntu 18.04.1 LTS \n \l

did a rudder agent reinit prior to the above.
Inventory upload works fine.

rsyslog config seems to be missing

root@ubuntu18-0--service-7:~# cat /etc/rsyslog.d/
20-ufw.conf 21-cloudinit.conf 50-default.conf
root@ubuntu18-0--service-7:~# grep -R rudder /etc/rsyslog.*
root@ubuntu18-0--service-7:~#

I can see the following happens in rudder server debug:

@rudder verbose: === END summary of access promises ===
rudder verbose: Setting minimum acceptable TLS version: 1.0
rudder verbose: Setting cipher list for incoming TLS connections to: AES256-GCM-SHA384:AES256-SHA
rudder verbose: Listening for connections on socket descriptor 6 ...
notice: Server is starting...

rudder verbose: Obtained IP address of 'zz' on socket 7 from accept
rudder verbose: New connection (from zz, sd 7), spawning new thread...
rudder info: zz> Accepting connection
rudder verbose: zz> Setting socket timeout to 600 seconds.
rudder verbose: zz> Peeked nothing important in TCP stream, considering the protocol as TLS
error: zz> Failed to accept TLS connection: (0 SSL_ERROR_SSL) sslv3 alert bad certificate
rudder verbose: Obtained IP address of 'zz' on socket 7 from accept
rudder verbose: New connection (from zz, sd 7), spawning new thread...
rudder info: zz> Accepting connection
rudder verbose: zz> Setting socket timeout to 600 seconds.
rudder verbose: zz> Peeked nothing important in TCP stream, considering the protocol as TLS
error: zz> Failed to accept TLS connection: (0 SSL_ERROR_SSL) sslv3 alert bad certificate@

Could you please let me know if you tested that combination before I start searching deeper?
Otherwise it seems absolutely futile to test further at this point.

Also, why still TLS1.0? I thought you said 2 years ago you were gonna go to 1.2 or whatever the maximum supported by CFEngine was?


Related issues

Is duplicate of Rudder - Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version)ReleasedAlexis MOUSSETActions
#1

Updated by Alexis MOUSSET almost 2 years ago

  • Target version set to 5.0.2

Was the Rudder 5.0 a new install or a node upgraded from 4.3?

One of the big difference between the node and the server is the version of openssl linked to CFEngine, in 5.0 it should be 1.1 (and 1.0 in 4.3) on ubuntu 18. The error message looks like https://github.com/openssl/openssl/issues/7134 or https://monitoring-portal.org/woltlab/index.php?thread/41664-ca-crt-verification-error-with-openssl-1-1-0-illegal-zero-content-in-field-seria/, what are the openssl versions used one the node and server?

#2

Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 5.0.2 to 5.0.3
#3

Updated by Nicolas CHARLES almost 2 years ago

  • Related to Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version) added
#4

Updated by François ARMAND almost 2 years ago

So it's definitly the same as #13690. The problem seems to be that there's a problem with openssl 1.1 being more strict than openssl 1.0 on certificat format. So the one presented by agent using openssl 1.0 (ex: centos 6, ubuntu 18.04 with rudder 4.3) is not seen as valid by a server using openss 1.1 (ex: debian 9, ubuntu 18.04 with rudder 5.0). We are not the only one having that problem, and we are trying to see how to solve it without breaking migration path for rudder 4.3 -> rudder 5.0

#5

Updated by Alexis MOUSSET almost 2 years ago

Seems fixed in openssl 1.1.1 (https://github.com/openssl/openssl/commit/ca89174bc92c16f0a2a7eb86359b6c6fd1dd7a4d), so should only happen with 1.1.0.

#6

Updated by François ARMAND almost 2 years ago

Short term solution: build cfengine with the openssl 1.0 available on debian 9/ubuntu 18.04. For SLES 15, embed lib openssl 1.0.

#7

Updated by Alexis MOUSSET almost 2 years ago

  • Related to deleted (Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version))
#8

Updated by Alexis MOUSSET almost 2 years ago

  • Related to Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version) added
#9

Updated by Alexis MOUSSET almost 2 years ago

  • Related to deleted (Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version))
#10

Updated by Alexis MOUSSET almost 2 years ago

  • Is duplicate of Bug #13690: Impossible to update promises when using a debian9 or Ubuntu 18 server and older distributions as Nodes (incompatible openssl version) added
#11

Updated by Alexis MOUSSET almost 2 years ago

  • Status changed from New to Rejected

Closing as duplicate of #13690.

Also available in: Atom PDF