Bug #23635

closed

Agent Pre-established trust not working with Rudder 8.0 agent RHEL 7 on CentOS 7

Added by Michel BOUISSOU 7 months ago. Updated 7 months ago.

Status: Released
Priority: N/A
Category: Agent
Target version:
Severity: Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility: Getting started - demo | first install | Technique editor and level 1 Techniques
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

Trying to establish pre-trust between a Rudder 8.0 server on RHEL 8 and a Rudder 8.0 agent for RHEL 7 on CentOS 7 doesn't work.

Server Rudder 8.0, Alma 8:

# rudder agent info

Key/Certificate
           Key hash: MD5=1ab3d58f439c2c15f8334f2a22ae30c2
           Key hash: sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4=
  Cert. fingerprint: BE:2D:47:D9:2A:1B:45:29:3D:A9:2C:E8:68:88:F2:E1:25:65:D4:35
        Key pinning: full

Agent Rudder 8.0, Alma 8:

# rudder agent policy-server -t sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4= 192.168.61.7
writing RSA key

Agent Rudder 8.0, CentOS 7:

# rudder agent policy-server -t sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4= 192.168.61.7
unable to load certificate
139852637140880:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140569274202000:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
unable to load Public Key
error: Provided key sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4= doesn't match server key sha256//47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=

Related issues 1 (0 open, 1 closed)

Related to Rudder - Bug #24019: Embed openssl cli on 7.3 | Released | Benoît PECCATTE
Actions #1

Updated by Alexis Mousset 7 months ago

  • Description updated (diff)
Actions #2

Updated by Alexis Mousset 7 months ago

sha256//47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= is the hash of an empty string. Something is likely broken in the certificate extraction.

Actions #3

Updated by Alexis Mousset 7 months ago

The root cause is that we only embed the openssl lib but not the binary. The system openssl binary is not compatible with our model, and fails to fetch the certificate.
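
Added example (not part of the ticket and not Rudder's code): a pin check in Python that reports "extraction produced nothing" separately from "key mismatch", so a failed certificate fetch like the one in comments #2 and #3 never surfaces as the empty-string pin. It assumes the `sha256//` value is the base64 SHA-256 of the DER-encoded public key; all function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

PREFIX = "sha256//"


class ExtractionError(Exception):
    """The key fetch produced nothing usable; this is not a trust decision."""


def pin_of(data: bytes) -> str:
    """Pin string for raw bytes: base64 of the SHA-256 digest, prefixed."""
    return PREFIX + base64.b64encode(hashlib.sha256(data).digest()).decode()


# Pin of zero bytes: what a pipeline reports when the extraction step
# failed and its empty output was hashed anyway.
EMPTY_PIN = pin_of(b"")


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM block, refusing missing armor or an empty body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ExtractionError("no PEM block in extracted data")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ExtractionError(f"bad PEM body: {exc}") from exc
    if not der:
        raise ExtractionError("empty PEM body")
    return der


def check_pin(expected: str, extracted_pem: str) -> bool:
    """Compare pins only once extraction is known to have succeeded."""
    der = pem_to_der(extracted_pem)  # raises instead of hashing nothing
    return hmac.compare_digest(pin_of(der), expected)


def sample_pem() -> str:
    """Constructed sample: Ed25519 SPKI header plus 32 dummy key bytes."""
    der = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
    body = base64.b64encode(der).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```

With this split, tool output such as `unable to load certificate` raises `ExtractionError` instead of being reported as a mismatch against the pin of an empty input.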

Actions #4

Updated by Benoît PECCATTE 7 months ago

  • Status changed from New to In progress
  • Assignee set to Benoît PECCATTE
Actions #5

Updated by Benoît PECCATTE 7 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2832
Actions #6

Updated by Benoît PECCATTE 7 months ago

  • Status changed from Pending technical review to Pending release
Actions #7

Updated by Alexis Mousset 7 months ago

  • Fix check changed from To do to Checked
Actions #8

Updated by Vincent MEMBRÉ 7 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.0.1 which was released today.

Actions #9

Updated by Alexis Mousset 4 months ago

  • Related to Bug #24019: Embed openssl cli on 7.3 added