Bug #8436
closed
Getting server uuid fails on agent with old openssl
Added by François ARMAND over 8 years ago.
Updated over 6 years ago.
Category:
System techniques
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Description
On some old OS (for example: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3, OpenSSL 0.9.8j-fips 07 Jan 2009), when the node tries to get the server uuid, we get an error:
curl -L -k -1 -s -f --proxy '' https://xxx.xxx.xxx.xxx/uuid : an error occured, returned 51
The error message means: "The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK."
The same command, without the -1 option (meaning: force use of TLS), works on these OS.
[removing non-working workaround]
- Description updated (diff)
- Related to Bug #7109: After an upgrade to 3.1.1-1, the nodes report error on "Could not retrieve the UUID of the policy server" added
- Target version changed from 2.11.22 to 2.11.23
- Description updated (diff)
- Target version deleted (2.11.23)
So, it is most likely a problem with curl and/or the local certificate chain on the node.
See for example information on the subject: https://forum.openwrt.org/viewtopic.php?id=58603 , https://www.novell.com/support/kb/doc.php?id=7009789
You can test with:
curl -v https://google.com
=> you should also get return code 51.
And the following should work:
mkdir /tmp/certs
curl -o /tmp/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem
curl --cacert /tmp/certs/ca-certificates.crt -v -L -k -1 -s --proxy '' https://xxx.xxx.xxx.xxx/uuid
In that case, the solution is to update the corrupted CA chain certificate on the node.
The problem may also be linked to the version of curl. On SUSE Linux Enterprise Server 11 (x86_64) (PATCHLEVEL = 3), with OpenSSL 0.9.8j-fips:
- curl 7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10 => can get policy server UUID
- curl 7.42.1 (x86_64-unknown-linux-gnu) libcurl/7.42.1 OpenSSL/0.9.8j zlib/1.2.7 => cannot get policy server UUID.
Downgrading the curl version allows getting the policy server UUID.
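As an added triage helper (example code, not from the Rudder project or this ticket; the function names are mine and the two sample banners are the `curl --version` lines quoted above), this POSIX sh script extracts the OpenSSL version from the curl banner and turns the exit status of the uuid fetch into the next step for the node:

```shell
#!/bin/sh
# Triage helper for the "could not retrieve policy server UUID" symptom.
# Added example (not Rudder agent code); function names are assumptions.

# Constructed sample `curl --version` banners, copied from the ticket.
CURL_WORKS='curl 7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10'
CURL_FAILS='curl 7.42.1 (x86_64-unknown-linux-gnu) libcurl/7.42.1 OpenSSL/0.9.8j zlib/1.2.7'

# Print the numeric OpenSSL version (e.g. 0.9.8) found in a curl banner.
openssl_version() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's#^OpenSSL/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Succeed when the banner reports OpenSSL 1.0.0 or newer.
openssl_is_modern() {
    v=$(openssl_version "$1")
    [ -n "$v" ] || return 1
    [ "${v%%.*}" -ge 1 ]
}

# Describe the curl exit status discussed in the ticket.
explain_curl_exit() {
    case "$1" in
        0)  echo "ok" ;;
        51) echo "remote certificate or fingerprint was deemed not OK" ;;
        *)  echo "curl returned $1" ;;
    esac
}

# Combine banner and exit status into the next step for the node admin.
triage() {
    banner=$1; rc=$2
    [ "$rc" -eq 0 ] && { echo "ok"; return 0; }
    if openssl_is_modern "$banner"; then
        echo "check the CA chain on the node: $(explain_curl_exit "$rc")"
    else
        echo "upgrade openssl and curl (found OpenSSL $(openssl_version "$banner"))"
    fi
}

# Live use on a node (placeholder server address, same command as the ticket):
# triage "$(curl --version | head -n 1)" \
#        "$(curl -L -k -1 -s -f --proxy '' https://xxx.xxx.xxx.xxx/uuid >/dev/null; echo $?)"
```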
- Assignee set to Alexis Mousset
Alexis, can you please try and reproduce this?
I have a feeling it may be caused by the old partially invalid certs we used to generate before #7800 - maybe try generating an old one?
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Operational - other Techniques | Technique editor | Rudder settings
- Assignee deleted (Alexis Mousset)
- Priority changed from 52 to 51
- Target version set to 3.1.20
- Status changed from New to In progress
- Assignee set to Benoît PECCATTE
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1141
- Target version changed from 3.1.20 to 3.1.21
- Priority changed from 51 to 50
- Target version changed from 3.1.21 to 3.1.22
- Priority changed from 50 to 63
- Target version changed from 3.1.22 to 3.1.23
- Target version changed from 3.1.23 to 3.1.24
- Target version changed from 3.1.24 to 3.1.25
- Status changed from Pending technical review to New
- Assignee deleted (Alexis Mousset)
- Target version changed from 3.1.25 to 387
- Target version changed from 387 to 4.1.10
- Target version changed from 4.1.10 to 4.1.11
- Target version changed from 4.1.11 to 4.1.12
- Target version changed from 4.1.12 to 4.1.13
- Status changed from New to Rejected
The correct solution is to upgrade openssl and curl.
This problem has been fixed in 4.3 because it embeds curl and openssl on old systems.