
Bug #8436

Getting server uuid fails on agent with old openssl

Added by François ARMAND over 2 years ago. Updated 7 months ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
System techniques
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Priority:
63

Description

On some old OS (for example: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3, OpenSSL 0.9.8j-fips 07 Jan 2009), when the node tries to get the server uuid, we get an error:

curl -L -k -1 -s -f --proxy '' https://xxx.xxx.xxx.xxx/uuid : an error occured, returned 51

The error message means: "The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK."

The same command, without the -1 option (meaning: force use TLS), works on these OS.

[removing non working workaround]


Related issues

Related to Rudder - Bug #7109: After an upgrade to 3.1.1-1, the nodes report error on "Could not retrieve the UUID of the policy server" - Released 2015-08-17

History

#1 Updated by François ARMAND over 2 years ago

  • Description updated (diff)

#2 Updated by Alexis MOUSSET over 2 years ago

  • Related to Bug #7109: After an upgrade to 3.1.1-1, the nodes report error on "Could not retrieve the UUID of the policy server" added

#3 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 2.11.22 to 2.11.23

#4 Updated by François ARMAND over 2 years ago

  • Description updated (diff)
  • Target version deleted (2.11.23)

So, it is most likely a problem with curl and / or the local certificate chain on the node.
See for example information on the subject: https://forum.openwrt.org/viewtopic.php?id=58603 , https://www.novell.com/support/kb/doc.php?id=7009789

You can test with:

curl -v https://google.com

=> you should also get the error 51 return.

And the following should work:

mkdir /tmp/certs
curl -o /tmp/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem
curl --cacert /tmp/certs/ca-certificates.crt -v -L -k -1 -s --proxy '' https://xxx.xxx.xxx.xxx/uuid

In that case, the solution is to update the corrupted ca chain cert on the node.
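As an added illustration of the "corrupted CA chain" diagnosis above (example code, not part of this ticket or of Rudder), a small checker for the PEM bundle that curl reads through --cacert or its default CA path; the sample bundle below is constructed and contains no real certificates:

```python
"""Sanity-check a PEM CA bundle of the kind curl reads. Added example, not
Rudder's code: it looks for the corruption that makes curl reject every
server (unbalanced PEM markers, bad base64, a DER body that is not one
complete SEQUENCE)."""
import base64
import binascii
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: two tiny DER SEQUENCEs, the second one truncated.
SAMPLE_BUNDLE = f"""# constructed sample, not real CA certificates
{BEGIN}
MAMCAQE=
{END}
{BEGIN}
MAMCAQ==
{END}
"""


def der_sequence_length(der: bytes):
    """Total encoded length of the outer DER SEQUENCE, or None when the
    bytes do not start with a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_ca_bundle(text: str):
    """Return (number_of_good_certs, list_of_problems) for a PEM bundle."""
    good, problems = 0, []
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END CERTIFICATE markers")
    pattern = re.escape(BEGIN) + r"(.*?)" + re.escape(END)
    for idx, body in enumerate(re.findall(pattern, text, re.S), 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"cert {idx}: body is not valid base64")
            continue
        if der_sequence_length(der) != len(der):
            problems.append(f"cert {idx}: DER is not one complete SEQUENCE")
            continue
        good += 1
    if good == 0:
        problems.append("no usable certificate found")
    return good, problems


if __name__ == "__main__":
    # Pass a bundle path (e.g. /tmp/certs/ca-certificates.crt) or use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print(check_ca_bundle(data))
```

A bundle that passes this check can still fail in curl for other reasons (expired roots, a root missing for the server's chain); it only rules out the file being structurally damaged.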

#5 Updated by François ARMAND over 2 years ago

The problem may also be linked to the version of curl. On SUSE Linux Enterprise Server 11 (x86_64) (PATCHLEVEL = 3), with OpenSSL 0.9.8j-fips:

- curl 7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10 => can get policy server UUID
- curl 7.42.1 (x86_64-unknown-linux-gnu) libcurl/7.42.1 OpenSSL/0.9.8j zlib/1.2.7 => cannot get policy server UUID.

Downgrading the curl version allows getting the policy server UUID.

#6 Updated by Jonathan CLARKE over 2 years ago

  • Assignee set to Alexis MOUSSET

Alexis, can you please try and reproduce this?

I have a feeling it may be caused by the old partially invalid certs we used to generate before #7800 - maybe try generating an old one?

#7 Updated by Benoît PECCATTE over 1 year ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Operational - other Techniques | Technique editor | Rudder settings

#9 Updated by Benoît PECCATTE over 1 year ago

  • Priority set to 52

#10 Updated by Jonathan CLARKE over 1 year ago

  • Assignee deleted (Alexis MOUSSET)
  • Priority changed from 52 to 51

#11 Updated by Benoît PECCATTE over 1 year ago

  • Target version set to 3.1.20

#12 Updated by Benoît PECCATTE over 1 year ago

  • Status changed from New to In progress
  • Assignee set to Benoît PECCATTE

#13 Updated by Benoît PECCATTE over 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis MOUSSET
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1141

#14 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.20 to 3.1.21
  • Priority changed from 51 to 50

#15 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.21 to 3.1.22

#16 Updated by Benoît PECCATTE over 1 year ago

  • Priority changed from 50 to 63

#17 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.22 to 3.1.23

#18 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.23 to 3.1.24

#19 Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 3.1.24 to 3.1.25

#20 Updated by Alexis MOUSSET about 1 year ago

  • Status changed from Pending technical review to New
  • Assignee deleted (Alexis MOUSSET)

#21 Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 3.1.25 to 387

#22 Updated by Vincent MEMBRÉ 12 months ago

  • Target version changed from 387 to 4.1.10

#23 Updated by Vincent MEMBRÉ 10 months ago

  • Target version changed from 4.1.10 to 4.1.11

#24 Updated by Vincent MEMBRÉ 8 months ago

  • Target version changed from 4.1.11 to 4.1.12

#25 Updated by Vincent MEMBRÉ 7 months ago

  • Target version changed from 4.1.12 to 4.1.13

#26 Updated by Benoît PECCATTE 7 months ago

  • Status changed from New to Rejected

The correct solution is to upgrade openssl and curl.
This problem has been fixed in 4.3 because it embeds curl and openssl on old systems.
