Bug #22402

closed

A 6.2 relay cannot talk to a 7.2 server through HTTPS

Added by Alexis Mousset about 1 year ago. Updated about 1 year ago.

Status: Released
Priority: N/A
Category: System techniques
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

Problem

Server 7.2, Relay 6.2, Agent 6.2 (so 7.2 policies everywhere)

Agents can send their inventory, but it is stuck on the relay, with relayd logging:

ERROR relayd::processing::inventory: output error: HTTP error: https://server/inventories/mynode-myid.ocs.gz: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1916: (self signed certificate)
INFO relayd::processing::inventory: transient error, skipping

This is easily reproduced with the latest patch versions on CentOS 8.

Cause

relayd’s configuration contains:

[general]
# Use cert pinning
peer_authentication = "cert_pinning"

But the 6.2 relayd does not understand this parameter. The configuration generated by the 7.2 policies also lacks the parameter the 6.2 relayd does expect (which is part of the 6.2 policies):

[upstream.output]
verify_certificates = false
# or true in case the certificate verification option is enabled.

This means the default value is used, which is true. The 6.2 relayd therefore considers we are in a “normal” CA-based certificate setup with verification enabled, and requires a certificate valid for the system CA, which cannot happen with a 7.2 server (as we enforce usage of the Rudder certificate).

Solution

We need to allow the 6.2 relayd to skip certificate verification, while not disabling it on 7.2 relays.

We can use CFEngine version conditions in the relayd system technique to set the right value on 6.2 relays (a 6.2 relay runs CFEngine 3.15, so the cfengine_3_15 class identifies it):

      "rudder_relayd_disable_cert_pinning" expression => "cfengine_3_15",
                                                scope => "namespace";
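As an added illustration (not Rudder's or relayd's own code), a small Python model of how each relayd version interprets the generated configuration, following the behaviour described above; the two sample configurations are constructed, and the parser only handles the "[section]" / "key = value" subset of TOML that relayd's file uses:

```python
from __future__ import annotations

# Constructed sample: the relayd.toml that 7.2 policies generate on a relay.
CONFIG_FROM_72_POLICIES = """
[general]
# Use cert pinning
peer_authentication = "cert_pinning"
"""

# Constructed sample: the same file once the 6.2-era key is added back.
CONFIG_FIXED_FOR_62 = CONFIG_FROM_72_POLICIES + """
[upstream.output]
verify_certificates = false
"""


def parse_toml_subset(text: str) -> dict[str, dict[str, object]]:
    """Minimal parser for '[section]' headers and 'key = value' lines."""
    config: dict[str, dict[str, object]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments; no '#' inside values here
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config.setdefault(section, {})
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        config.setdefault(section, {})[key] = (
            value == "true" if value in ("true", "false") else value.strip('"'))
    return config


def effective_verification(relayd_version: str, config_text: str) -> dict[str, object]:
    """How this relayd version authenticates its upstream server, given its config.

    Per the bug report: a 6.2 relayd ignores [general].peer_authentication and
    reads [upstream.output].verify_certificates, which defaults to true
    (system-CA check); a 7.x relayd uses [general].peer_authentication instead.
    """
    cfg = parse_toml_subset(config_text)
    if relayd_version.startswith("6."):
        verify = cfg.get("upstream.output", {}).get("verify_certificates", True)
        mode = "system_ca" if verify else "none"
    else:
        mode = cfg.get("general", {}).get("peer_authentication", "unknown")
    # A Rudder server presents its own certificate, so only pinning or
    # disabled verification lets the upstream connection succeed.
    return {"mode": mode, "reaches_server": mode in ("cert_pinning", "none")}
```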

Actions #1

Updated by Alexis Mousset about 1 year ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset about 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1808
Actions #3

Updated by Alexis Mousset about 1 year ago

  • Description updated (diff)
Actions #4

Updated by Alexis Mousset about 1 year ago

  • Description updated (diff)
Actions #5

Updated by Alexis Mousset about 1 year ago

  • Status changed from Pending technical review to Pending release
Actions #6

Updated by Alexis Mousset about 1 year ago

  • Fix check changed from To do to Checked
Actions #7

Updated by Vincent MEMBRÉ about 1 year ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.2.5 which was released today.
