Project

General

Profile

Actions

Bug #23635

closed

Agent Pre-established trust not working with Rudder 8.0 agent RHEL 7 on CentOS 7

Added by Michel BOUISSOU about 1 year ago. Updated about 1 year ago.

Status:
Released
Priority:
N/A
Category:
Agent
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Getting started - demo | first install | Technique editor and level 1 Techniques
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

Trying to establish pre-trust between a Rudder 8.0 server on RHEL 8 and a Rudder 8.0 agent for RHEL 7 on CentOS 7 doesn't work.

Server Rudder 8.0, Alma 8:

# rudder agent info

Key/Certificate
           Key hash: MD5=1ab3d58f439c2c15f8334f2a22ae30c2
           Key hash: sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4=
  Cert. fingerprint: BE:2D:47:D9:2A:1B:45:29:3D:A9:2C:E8:68:88:F2:E1:25:65:D4:35
        Key pinning: full

Agent Rudder 8.0, Alma 8:

# rudder agent policy-server -t sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4= 192.168.61.7
writing RSA key

Agent Rudder 8.0, CentOS 7:

# rudder agent policy-server -t sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4= 192.168.61.7
unable to load certificate
139852637140880:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140569274202000:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
unable to load Public Key
error: Provided key sha256//+FBk7T9iR8YlBGw5hg99FMuow5cdLBTh5t+pdl9+CC4= doesn't match server key sha256//47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #24019: Embed openssl cli on 7.3ReleasedBenoît PECCATTEActions
Actions #1

Updated by Alexis Mousset about 1 year ago

  • Description updated (diff)
Actions #2

Updated by Alexis Mousset about 1 year ago

sha256//47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= is the hash of an empty string. Something is likely broken in the certificate extraction.

Actions #3

Updated by Alexis Mousset about 1 year ago

The root cause is that we only embed the openssl lib but not the binary. The system openssl binary is not compatible with our model, and fail to fetch the certificate.

Actions #4

Updated by Benoît PECCATTE about 1 year ago

  • Status changed from New to In progress
  • Assignee set to Benoît PECCATTE
Actions #5

Updated by Benoît PECCATTE about 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2832
Actions #6

Updated by Benoît PECCATTE about 1 year ago

  • Status changed from Pending technical review to Pending release
Actions #7

Updated by Alexis Mousset about 1 year ago

  • Fix check changed from To do to Checked
Actions #8

Updated by Vincent MEMBRÉ about 1 year ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.0.1 which was released today.

Actions #9

Updated by Alexis Mousset 11 months ago

  • Related to Bug #24019: Embed openssl cli on 7.3 added
Actions

Also available in: Atom PDF