Project

General

Profile

Actions

Bug #8436

closed

Getting server uuid fails on agent with old openssl

Added by François ARMAND over 8 years ago. Updated over 6 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
System techniques
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Priority:
63
Name check:
Fix check:
Regression:

Description

_**_On some old OS (for example: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3, OpenSSL 0.9.8j-fips 07 Jan 2009), when the node try to get the server uuid, we get an error:

curl -L -k -1 -s -f --proxy '' https://xxx.xxx.xxx.xxx/uuid : an error occured, returned 51 

The error message means: "The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK."

The same command, without the -1 option (meaning: force use TLS), works on these OS.

[removing non working workaround]


Related issues 1 (0 open1 closed)

Related to Rudder - Bug #7109: After an upgrade to 3.1.1-1, the nodes report error on "Could not retrieve the UUID of the policy server"ReleasedAlexis Mousset2015-08-17Actions
Actions #1

Updated by François ARMAND over 8 years ago

  • Description updated (diff)
Actions #2

Updated by Alexis Mousset over 8 years ago

  • Related to Bug #7109: After an upgrade to 3.1.1-1, the nodes report error on "Could not retrieve the UUID of the policy server" added
Actions #3

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 2.11.22 to 2.11.23
Actions #4

Updated by François ARMAND over 8 years ago

  • Description updated (diff)
  • Target version deleted (2.11.23)

So, it is most likelly a problem with curl and / or the local certificate chain on the node.
See for example information on the subject: https://forum.openwrt.org/viewtopic.php?id=58603 , https://www.novell.com/support/kb/doc.php?id=7009789

You can test with:

curl -v https://google.com

=> you should also get the error 51 return.

And the following should work:

mkdir /tmp/certs
curl -o /tmp/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem
curl --cacert /tmp/certs/ca-certificates.crt -v -L -k -1 -s --proxy '' https://xxx.xxx.xxx.xxx/uuid

In that case, the solution is to update the corrupted ca chain cert on the node.

Actions #5

Updated by François ARMAND over 8 years ago

The problem may also be linked to the version of curl. On SUSE Linux Enterprise Server 11 (x86_64) (PATCHLEVEL = 3), with OpenSSL 0.9.8j-fips :

- curl 7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10 => can get policy server UUID
- curl 7.42.1 (x86_64-unknown-linux-gnu) libcurl/7.42.1 OpenSSL/0.9.8j zlib/1.2.7 => can not get policy server UUID.

Downgrading curl version allows to get the policy server UUID.

Actions #6

Updated by Jonathan CLARKE over 8 years ago

  • Assignee set to Alexis Mousset

Alexis, can you please try and reproduce this?

I have a feeling it may be caused by the old partially invalid certs we used to generate before #7800 - maybe try generating an old one?

Actions #7

Updated by Benoît PECCATTE over 7 years ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Operational - other Techniques | Technique editor | Rudder settings
Actions #9

Updated by Benoît PECCATTE over 7 years ago

  • Priority set to 52
Actions #10

Updated by Jonathan CLARKE over 7 years ago

  • Assignee deleted (Alexis Mousset)
  • Priority changed from 52 to 51
Actions #11

Updated by Benoît PECCATTE over 7 years ago

  • Target version set to 3.1.20
Actions #12

Updated by Benoît PECCATTE over 7 years ago

  • Status changed from New to In progress
  • Assignee set to Benoît PECCATTE
Actions #13

Updated by Benoît PECCATTE over 7 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1141
Actions #14

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.20 to 3.1.21
  • Priority changed from 51 to 50
Actions #15

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.21 to 3.1.22
Actions #16

Updated by Benoît PECCATTE over 7 years ago

  • Priority changed from 50 to 63
Actions #17

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.22 to 3.1.23
Actions #18

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.23 to 3.1.24
Actions #19

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 3.1.24 to 3.1.25
Actions #20

Updated by Alexis Mousset about 7 years ago

  • Status changed from Pending technical review to New
  • Assignee deleted (Alexis Mousset)
Actions #21

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 3.1.25 to 387
Actions #22

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 387 to 4.1.10
Actions #23

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 4.1.10 to 4.1.11
Actions #24

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.1.11 to 4.1.12
Actions #25

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.1.12 to 4.1.13
Actions #26

Updated by Benoît PECCATTE over 6 years ago

  • Status changed from New to Rejected

The correct solution is to upgrade openssl and curl.
This problem has been fixed in 4.3 because it embed curl and openssl on old systems.

Actions

Also available in: Atom PDF