Bug #24815

closed

Node with inventories with bad certificate still get into Rudder

Added by François ARMAND 7 months ago. Updated 6 months ago.

Status: Released
Priority: N/A
Category: Web - Nodes & inventories
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: To do
Regression: No

Description

With our RTF platform, we sometimes get nodes with an inventory whose certificate is:

-----BEGIN RSA PUBLIC KEY-----
not initialized
-----END RSA PUBLIC KEY-----'

I correctly have a /var/rudder/inventories/failed/12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21\:30\:47+00\:00.ocs.reject-2024-04-30T21\:31\:05Z.log which says that the node inventory is refused:

2024-04-30T21:31:05Z
Inventory '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:47+00:00.ocs' for Node 'unknown' failed to be saved in Rudder. Cause was: Error when trying to process inventory '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:47+00:00.ocs'
cause was: CryptoEx: Key '-----BEGIN RSA PUBLIC KEY-----
not initialized
-----END RSA PUBLIC KEY-----' cannot be parsed as a public key; root exception was: unable to decode base64 string: String index out of range: 15

But still: the node is accepted into Rudder, and the key "not initialized" is certified.

Logs for that node show:

2024-04-30 21:30:44+0000 INFO  inventory-processing - Received new inventory file '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:36+00:00.ocs' with signature available: process.
2024-04-30 21:30:44+0000 INFO  nodes - New pending node: 'node1.rudder.local' [12fabbe9-fe1d-4663-8194-d7272dc3c4c6]'
2024-04-30 21:30:44+0000 INFO  inventory-processing - Inventory '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:36+00:00.ocs' for node 'node1.rudder.local' [12fabbe9-fe1d-4663-8194-d7272dc3c4c6] (signature:certified) processed in 200 milliseconds
2024-04-30 21:31:05+0000 INFO  inventory-processing - Received new inventory file '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:47+00:00.ocs' with signature available: process.
2024-04-30 21:31:05+0000 ERROR inventory-processing - Error when trying to process inventory '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:47+00:00.ocs'; cause was: CryptoEx: Key '-----BEGIN RSA PUBLIC KEY-----
2024-04-30 21:31:05+0000 ERROR inventory-processing - Inventory '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:47+00:00.ocs' for Node 'unknown' failed to be saved in Rudder. Cause was: Error when trying to process inventory '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:47+00:00.ocs'; cause was: CryptoEx: Key '-----BEGIN RSA PUBLIC KEY-----
2024-04-30 21:31:11+0000 INFO  nodes - New accepted node: 'node1.rudder.local' [12fabbe9-fe1d-4663-8194-d7272dc3c4c6]'
2024-04-30 21:31:12+0000 INFO  nodes - Update in node '12fabbe9-fe1d-4663-8194-d7272dc3c4c6' inventories main information detected: triggering dynamic group update and a policy generation
2024-04-30 21:31:12+0000 INFO  dynamic-group - Dynamic group all-nodes-with-cfengine-agent: added node with id: [ 12fabbe9-fe1d-4663-8194-d7272dc3c4c6 ], removed: nothing
2024-04-30 21:31:12+0000 INFO  dynamic-group - Dynamic group hasPolicyServer-root: added node with id: [ 12fabbe9-fe1d-4663-8194-d7272dc3c4c6 ], removed: nothing
2024-04-30 21:31:12+0000 WARN  explain_compliance.12fabbe9-fe1d-4663-8194-d7272dc3c4c6 - Can not get compliance for node with ID '12fabbe9-fe1d-4663-8194-d7272dc3c4c6' because it has no configuration id initialised nor sent reports (node just added ?)
2024-04-30 21:31:12+0000 ERROR policy.generation - Error when trying to get the CFEngine-MD5 digest of CFEngine public key for node 'node1.rudder.local' (12fabbe9-fe1d-4663-8194-d7272dc3c4c6) <- An error occurred. Cause was: DecoderException: unable to decode base64 string: String index out of range: 15

So Rudder sees that the node should be refused, and still accepts it.

It seems to happen only in Rudder 8.1.
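
A detection check for the sequence shown in the logs above, as an added example that is not part of the original report or of Rudder's own code: it scans log lines in the quoted format and flags nodes that were accepted after one of their inventories was rejected for an unparseable public key. The sample log is constructed from the lines quoted above; the second node ID and hostname are made up, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: three lines modelled on the report's logs, plus a made-up healthy node.
SAMPLE_LOG = """\
2024-04-30 21:30:44+0000 INFO  nodes - New pending node: 'node1.rudder.local' [12fabbe9-fe1d-4663-8194-d7272dc3c4c6]'
2024-04-30 21:31:05+0000 ERROR inventory-processing - Error when trying to process inventory '12fabbe9-fe1d-4663-8194-d7272dc3c4c6_2024-04-30T21:30:47+00:00.ocs'; cause was: CryptoEx: Key '-----BEGIN RSA PUBLIC KEY-----
2024-04-30 21:31:11+0000 INFO  nodes - New accepted node: 'node1.rudder.local' [12fabbe9-fe1d-4663-8194-d7272dc3c4c6]'
2024-04-30 21:32:00+0000 INFO  nodes - New accepted node: 'node2.rudder.local' [aaaaaaaa-0000-4000-8000-000000000002]'
"""

UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4})\s+"
# Inventory rejected because its public key could not be parsed (CryptoEx).
KEY_REJECT = re.compile(
    TS + r"ERROR\s+inventory-processing - .*?inventory '(?P<id>" + UUID + r")_.*CryptoEx")
# Node moved from pending to accepted.
ACCEPTED = re.compile(
    TS + r"INFO\s+nodes - New accepted node: '(?P<host>[^']*)' \[(?P<id>" + UUID + r")\]")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S%z")

def accepted_after_key_rejection(log_text):
    """Return (node_id, hostname, rejected_at, accepted_at) for every node
    accepted after an inventory of that node failed public-key parsing."""
    rejected = {}   # node id -> time of the first key-parse rejection
    findings = []
    for line in log_text.splitlines():
        m = KEY_REJECT.match(line)
        if m:
            rejected.setdefault(m["id"], parse_ts(m["ts"]))
            continue
        m = ACCEPTED.match(line)
        if m and m["id"] in rejected:
            accepted_at = parse_ts(m["ts"])
            if accepted_at >= rejected[m["id"]]:
                findings.append((m["id"], m["host"], rejected[m["id"]], accepted_at))
    return findings

if __name__ == "__main__":
    for node_id, host, rejected_at, accepted_at in accepted_after_key_rejection(SAMPLE_LOG):
        print(f"{host} [{node_id}] accepted at {accepted_at} after key rejection at {rejected_at}")
```

Any node this reports deserves a manual look at its stored key before it is left in the accepted state.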


Related issues 1 (1 open, 0 closed)

Related to Rudder - Bug #25563: We can't disable a node with a bad certificate anymore (New)