Bug #8436 (closed)
Getting server uuid fails on agent with old openssl
Description
On some old OS (for example: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3, OpenSSL 0.9.8j-fips 07 Jan 2009), when the node tries to get the server uuid, we get an error:
curl -L -k -1 -s -f --proxy '' https://xxx.xxx.xxx.xxx/uuid : an error occured, returned 51
The error message means: "The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK."
The same command, without the -1 option (meaning: force use of TLS), works on these OSes.
[removing non-working workaround]
Updated by Alexis Mousset over 8 years ago
- Related to Bug #7109: After an upgrade to 3.1.1-1, the nodes report error on "Could not retrieve the UUID of the policy server" added
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 2.11.22 to 2.11.23
Updated by François ARMAND over 8 years ago
- Description updated (diff)
- Target version deleted (2.11.23)
So, it is most likely a problem with curl and / or the local certificate chain on the node.
See for example information on the subject: https://forum.openwrt.org/viewtopic.php?id=58603 , https://www.novell.com/support/kb/doc.php?id=7009789
You can test with:
curl -v https://google.com
=> you should also get the error 51 return.
And the following should work:
mkdir /tmp/certs
curl -o /tmp/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem
curl --cacert /tmp/certs/ca-certificates.crt -v -L -k -1 -s --proxy '' https://xxx.xxx.xxx.xxx/uuid
In that case, the solution is to update the corrupted ca chain cert on the node.
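An offline check that separates the two causes discussed in the comment above (a corrupted or truncated CA bundle on the node, versus a bundle that is well-formed but does not contain the policy server's issuer), as an added example that is not part of the original thread or of Rudder itself. It assumes `openssl` is installed on the node; the file names and the throwaway CA it generates are made up for the demonstration, and nothing is fetched over the network (the comment's workaround pulls the bundle over plain HTTP and passes -k to curl, so it is useful for diagnosis only, not as a fix).

```shell
#!/bin/sh
# Added example (not Rudder's code): check a node's CA bundle against the policy
# server certificate without opening a TLS connection. All paths are assumptions.

# bundle_sanity BUNDLE: exit 0 if BEGIN/END markers pair up and every PEM block
# in BUNDLE parses as a certificate, otherwise 1. A truncated or mis-concatenated
# bundle (the "corrupted ca chain" case) is caught here.
bundle_sanity() {
    bundle="$1"
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$bundle")
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    # Split the bundle into one file per certificate and parse each one.
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0
    for f in "$tmp"/cert*.pem; do
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || { rc=1; break; }
    done
    rm -rf "$tmp"
    return $rc
}

# verify_chain BUNDLE CERT: exit 0 if CERT chains to a CA contained in BUNDLE
# (the same check curl performs before rejecting the peer), 1 otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_test_pki DIR: constructed test data only. Creates a throwaway CA, a server
# certificate signed by it, an unrelated second CA, and a truncated copy of the
# first CA bundle to simulate a corrupted file.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=policy-server.example" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/srv.pem" >/dev/null 2>&1 || return 1
    # Drop the tail of the PEM file: BEGIN marker present, END marker missing.
    head -n 5 "$dir/ca.pem" > "$dir/ca-truncated.pem"
}

# Usage on a node (paths are examples): sh check_ca.sh /etc/ssl/ca-bundle.pem server.pem
# where server.pem is the policy server certificate saved from the server side.
if [ "$#" -eq 2 ]; then
    if bundle_sanity "$1"; then echo "bundle parses"; else echo "bundle is corrupt or truncated"; fi
    if verify_chain "$1" "$2"; then echo "chain OK"; else echo "chain verification FAILED"; fi
fi
```

Run `bundle_sanity` first: if it fails, replacing the bundle (from a trusted source, over HTTPS or from the distribution's package) is the fix; if it passes but `verify_chain` fails, the bundle is intact and the issue is which CA issued the server certificate, or the curl/openssl build itself.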
Updated by François ARMAND over 8 years ago
The problem may also be linked to the version of curl. On SUSE Linux Enterprise Server 11 (x86_64) (PATCHLEVEL = 3), with OpenSSL 0.9.8j-fips:
- curl 7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10 => can get policy server UUID
- curl 7.42.1 (x86_64-unknown-linux-gnu) libcurl/7.42.1 OpenSSL/0.9.8j zlib/1.2.7 => cannot get policy server UUID.
Downgrading curl version allows to get the policy server UUID.
Updated by Jonathan CLARKE over 8 years ago
- Assignee set to Alexis Mousset
Alexis, can you please try and reproduce this?
I have a feeling it may be caused by the old partially invalid certs we used to generate before #7800 - maybe try generating an old one?
Updated by Benoît PECCATTE over 7 years ago
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Operational - other Techniques | Technique editor | Rudder settings
Updated by Jonathan CLARKE over 7 years ago
- Assignee deleted (Alexis Mousset)
- Priority changed from 52 to 51
Updated by Benoît PECCATTE over 7 years ago
- Status changed from New to In progress
- Assignee set to Benoît PECCATTE
Updated by Benoît PECCATTE over 7 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1141
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.20 to 3.1.21
- Priority changed from 51 to 50
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.21 to 3.1.22
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.22 to 3.1.23
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.23 to 3.1.24
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.24 to 3.1.25
Updated by Alexis Mousset almost 7 years ago
- Status changed from Pending technical review to New
- Assignee deleted (Alexis Mousset)
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 3.1.25 to 387
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 387 to 4.1.10
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 4.1.10 to 4.1.11
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.1.11 to 4.1.12
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.1.12 to 4.1.13
Updated by Benoît PECCATTE over 6 years ago
- Status changed from New to Rejected
The correct solution is to upgrade openssl and curl.
This problem has been fixed in 4.3 because it embeds curl and openssl on old systems.