Bug #22402 (closed): A 6.2 relay cannot talk to a 7.2 server through HTTPS
Description
Problem
Server 7.2, Relay 6.2, Agent 6.2 (so 7.2 policies everywhere)
Agents can send their inventory, but the inventory is stopped on the relay, with relayd logging:
    ERROR relayd::processing::inventory: output error: HTTP error: https://server/inventories/mynode-myid.ocs.gz: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1916: (self signed certificate)
    INFO relayd::processing::inventory: transient error, skipping
This can be easily reproduced with latest patch versions on CentOS8.
Cause
relayd's configuration contains:

    [general]
    # Use cert pinning
    peer_authentication = "cert_pinning"
But the 6.2 relayd does not understand this parameter. It also lacks the parameter it does understand, which is part of the 6.2 policies:

    [upstream.output]
    verify_certificates = false # or true in case the certificate verification option is enabled.

Which means the default value is used, which is true. That means that the 6.2 relayd considers we are in a "normal" CA-based certificate setup, with verification enabled. It hence requires a certificate valid for the system CA, which cannot happen on a 7.2 server (as we enforce usage of the Rudder certificate).
Solution
We need to allow the 6.2 relayd to skip certificate verification, while not disabling it on 7.2 relays.
We can use CFEngine version conditions to set the right value on 6.2 relays, in the relayd system technique:

    "rudder_relayd_disable_cert_pinning" expression => "cfengine_3_15", scope => "namespace";
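To make the cause and the fix concrete, here is an added Python example (not Rudder's or relayd's code) that models how a 6.2 and a 7.2 relayd interpret the same relayd.toml fragment: the 7.2 policies as shipped, and the same fragment with `verify_certificates = false` added for 6.2 relays. The version-to-behaviour mapping, the sample fragments, the minimal TOML parser and the function names are assumptions reconstructed from this report.

```python
# Added example (not Rudder's code): model how a relayd of a given version
# interprets the upstream-certificate settings in a relayd.toml fragment.
# The behaviour table is an assumption reconstructed from the bug report:
#   - a 6.2 relayd ignores [general] peer_authentication and only honours
#     [upstream.output] verify_certificates, whose default is true
#   - a 7.2 relayd uses [general] peer_authentication; "cert_pinning" pins the
#     Rudder server certificate, so no system-CA validation is required
# Treating a missing peer_authentication on 7.2 as "system CA validation"
# is also an assumption, not something the report states.

# Constructed sample: the fragment a 7.2 server ships in its 7.2 policies
CONFIG_72_POLICIES = """\
[general]
# Use cert pinning
peer_authentication = "cert_pinning"

[upstream.output]
# no verify_certificates line: that key is only part of the 6.2 policies
"""

# Constructed sample: the same fragment after the fix for 6.2 relays,
# where the system technique adds verify_certificates = false
CONFIG_62_FIXED = CONFIG_72_POLICIES + 'verify_certificates = false\n'


def parse_toml_subset(text):
    """Parse the [section] / key = value / # comment subset used above.

    Returns {section: {key: value}} with booleans and quoted strings decoded.
    Deliberately minimal so the example runs without a TOML library.
    """
    data = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value in ("true", "false"):
            value = value == "true"
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        data.setdefault(section, {})[key] = value
    return data


def effective_verification(config_text, relayd_version):
    """Return (mode, accepts_rudder_self_signed_cert) for this relayd version.

    mode is one of "cert_pinning", "system_ca" or "none".
    """
    cfg = parse_toml_subset(config_text)
    major, minor = (int(p) for p in relayd_version.split(".")[:2])
    if (major, minor) >= (7, 0):
        # 7.x understands peer_authentication; pinning accepts the
        # self-signed Rudder server certificate
        mode = cfg.get("general", {}).get("peer_authentication")
        if mode == "cert_pinning":
            return "cert_pinning", True
        return "system_ca", False   # assumption: anything else = CA validation
    # 6.2: peer_authentication is unknown and silently ignored; only
    # verify_certificates counts, and its default is true (system CA check)
    verify = cfg.get("upstream.output", {}).get("verify_certificates", True)
    if verify is True:
        return "system_ca", False
    return "none", True


def will_inventory_upload_fail(config_text, relayd_version):
    """True when this relayd would reject the 7.2 server's certificate, which
    is what produces the 'certificate verify failed' line in the report."""
    return not effective_verification(config_text, relayd_version)[1]


if __name__ == "__main__":
    for name, cfg in (("7.2 policies", CONFIG_72_POLICIES),
                      ("6.2 with fix", CONFIG_62_FIXED)):
        for version in ("6.2", "7.2"):
            print(name, version, effective_verification(cfg, version))
```

Running it shows the asymmetry the report describes: with the unmodified 7.2 policies a 7.2 relayd pins the server certificate and succeeds, while a 6.2 relayd falls back to system-CA verification and fails; adding `verify_certificates = false` only changes the 6.2 outcome, which is exactly the property the CFEngine version condition is meant to preserve.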