
Bug #22402

Updated by Alexis Mousset almost 2 years ago

h2. Problem 

 Server 7.2, Relay 6.2, Agent 6.2 (so 7.2 policies everywhere) 

 Agents can send their inventory, but it is blocked on the relay, where relayd logs: 

 <pre> 
 ERROR relayd::processing::inventory: output error: HTTP error: https://server/inventories/mynode-myid.ocs.gz: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1916: (self signed certificate) 
 INFO relayd::processing::inventory: transient error, skipping 
 </pre> 

 This can be easily reproduced with latest patch versions on CentOS8. 

 h2. Cause 

 @relayd@’s configuration contains: 

 <pre> 
 [general] 
 # Use cert pinning 
 peer_authentication = "cert_pinning" 
 </pre> 

 But the 6.2 @relayd@ does not understand this parameter. 

 It also lacks this line (which is present in the 6.2 policies): 

 <pre> 
 verify_certificates = false 
 </pre> 

 so the default value, @true@, is used. 

 That means the 6.2 relayd believes it is in a "normal" CA-based certificate setup with verification enabled, and therefore requires a certificate that chains to a trusted CA. That cannot happen with a 7.2 server, as we enforce usage of the Rudder certificate (self-signed, as the error above shows). 

 h2. Solution 

 We need to allow the 6.2 relayd to skip certificate verification, while not disabling it on 7.2 relays. 

 We can use CFEngine version conditions in the relayd system technique to set the right value on 6.2 relays (a 6.2 relay runs CFEngine 3.15, so the @cfengine_3_15@ class identifies it): 

 <pre> 
   classes:
       "rudder_relayd_disable_cert_pinning" expression => "cfengine_3_15",
                                             scope      => "namespace";
   vars:
     cfengine_3_15::
       "certif_option" string => "dangerous_none";
     !cfengine_3_15::
       "certif_option" string => "cert_pinning";
 </pre> 
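 The cause and the solution above can be checked offline with the following added example (Python, written for this page; it is not code from the bug report or from the Rudder project). It models how the two relayd generations read the @[general]@ table of their configuration and renders the table the way the version-conditional fix would, to show that a 7.2-generated file turns CA verification back on for a 6.2 relayd while the fixed policy does not. Two assumptions are not stated in the report and are labelled in the code: both relayd versions ignore configuration keys they do not know, and the template writes @peer_authentication@ from @certif_option@ and adds @verify_certificates = false@ when @rudder_relayd_disable_cert_pinning@ is defined. The TOML parser is a deliberate simplification, and @cfengine_3_18@ is only a placeholder class for a non-6.2 relay. 

```python
# Added example; not code from the bug report or from the Rudder project.
# Models how the two relayd generations read the [general] table of relayd's
# configuration, to show why a 7.2-generated file turns CA verification back on
# for a 6.2 relayd, and how the version-conditional fix avoids that.
# Assumptions (not stated in the report): unknown keys are ignored by both
# versions, and the template writes peer_authentication from certif_option and
# adds verify_certificates = false when rudder_relayd_disable_cert_pinning is set.
import re

_KEY_VALUE = re.compile(r"^(\w+)\s*=\s*(.+)$")

# Constructed input: the [general] table quoted in the report, as produced by the
# 7.2 policies before the fix.
BROKEN_CONFIG = """\
[general]
# Use cert pinning
peer_authentication = "cert_pinning"
"""


def parse_general(config_text):
    """Key/value pairs of the [general] table.

    Deliberately minimal TOML: '#' comments, "string" and true/false values only.
    Anything else raises, so a malformed generated file is noticed instead of
    silently falling back to defaults.
    """
    values = {}
    in_general = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_general = line == "[general]"
            continue
        if not in_general:
            continue
        match = _KEY_VALUE.match(line)
        if not match:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = match.group(1), match.group(2).strip()
        if value in ("true", "false"):
            values[key] = value == "true"
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            values[key] = value[1:-1]
        else:
            raise ValueError(f"unsupported value for {key}: {value!r}")
    return values


def relayd_6_2_verifies_upstream(config_text):
    """6.2 relayd as the report describes it: it only knows verify_certificates,
    whose default is true, and does not understand peer_authentication
    (assumed to be ignored rather than rejected)."""
    return parse_general(config_text).get("verify_certificates", True)


def relayd_7_2_peer_authentication(config_text):
    """7.2 relayd reads peer_authentication; "cert_pinning" means the upstream
    must present the expected Rudder certificate."""
    return parse_general(config_text).get("peer_authentication")


def render_general(cfengine_classes):
    """Hypothetical rendering of the [general] table with the version condition
    from the fix applied: a relay whose agent defines cfengine_3_15 (a Rudder
    6.2 relay) gets certif_option = dangerous_none plus an explicit
    verify_certificates = false; any other relay keeps cert pinning."""
    disable_pinning = "cfengine_3_15" in cfengine_classes
    certif_option = "dangerous_none" if disable_pinning else "cert_pinning"
    lines = [
        "[general]",
        "# Use cert pinning",
        f'peer_authentication = "{certif_option}"',
    ]
    if disable_pinning:
        lines.append("# 6.2 relayd ignores peer_authentication: disable CA verification")
        lines.append("verify_certificates = false")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, config in (
        ("7.2 policy before the fix, read by a 6.2 relayd", BROKEN_CONFIG),
        ("fixed policy on a 6.2 relay, read by a 6.2 relayd", render_general({"cfengine_3_15"})),
    ):
        print(f"{label}: CA verification on = {relayd_6_2_verifies_upstream(config)}")
    # cfengine_3_18 is a placeholder for any relay that is not on CFEngine 3.15.
    print("fixed policy on a 7.2 relay: peer_authentication =",
          relayd_7_2_peer_authentication(render_general({"cfengine_3_18"})))
```

 Run as a script it prints that the pre-fix file leaves CA verification on for a 6.2 relayd (the failure in the log above, since the 7.2 server presents a self-signed certificate), that the fixed rendering for a @cfengine_3_15@ relay turns it off, and that any other relay still gets @cert_pinning@. The parser rejects values it does not recognise on purpose: a config that quietly falls back to defaults is exactly how this bug slipped through. 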
