Feedback from 2.11.0-rc1 testing

(David Raison) #1

I’ve been testing 2.11.0-rc and one thing I noticed while trying to upgrade the master, but not all agents, is that some (not all for some reason) complain about SSL ciphers:

[2019-07-26 05:15:35 -0400] warning/TlsStream: OpenSSL error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
[2019-07-26 05:15:35 -0400] critical/ApiListener: Client TLS handshake failed (from []:34854): Error: Socket was closed during TLS handshake.
        (0) Handling new API client connection
        (0) Handling new API client connection

Restarting the agent didn’t make this go away, but upgrading it to also use 2.11.0-rc1 did help.
During the upgrade, openssl wasn’t upgraded and remains as before:

Version     : 1.0.2k
Release     : 16.el7_6.1

OS: CentOS 7

Another thing I noticed is that after manually signing a CSR on the master, RPC connections begin to fail with the following error message:

[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Received certificate request for CN 'centos4' not signed by our CA.
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Sending certificate response for CN 'centos4' to endpoint 'centos4'.
[2019-07-26 11:48:29 +0200] notice/JsonRpcConnection: Error while reading JSON-RPC message for identity 'centos4': Error: End of file

        (0) icinga2: icinga::JsonRpc::ReadMessage(std::shared_ptr<icinga::AsioTlsStream> const&, boost::asio::basic_yield_context<boost::asio::executor_binder<void (*)(), boost::asio::executor> >, long) (+0x95) [0x95a1b5]
        (1) icinga2: icinga::JsonRpcConnection::HandleIncomingMessages(boost::asio::basic_yield_context<boost::asio::executor_binder<void (*)(), boost::asio::executor> >) (+0x176) [0x9d31a6]
        (2) /usr/lib64/icinga2/sbin/icinga2() [0x9d3923]
        (3) make_fcontext (+0x2f) [0x7fbb0139118f]

[2019-07-26 11:48:29 +0200] warning/JsonRpcConnection: API client disconnected for identity 'centos4'

The agent on centos4 has to be restarted to make the connection work. With 2.10, I can't remember having had to restart the agent after signing a CSR.

This is 100% reproducible. Generate a new self-signed cert on the agent, restart the PKI procedure, and you'll end up with the same "End of file" error after signing the new CSR.
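The two failures quoted in this post, as an added example that is not part of Icinga 2 and not code from the original post: a small Python triage script that classifies icinga2.log lines of the kind shown above, so a practitioner can tell "no shared cipher" handshake failures (and which peers they come from) apart from JSON-RPC drops that follow a certificate response. The label names, the diagnose() mapping and the final sample line are my own assumptions; the other sample lines are copied from the post.

```python
"""Triage Icinga 2 log lines for TLS handshake and JSON-RPC connection failures.

Added example for the thread above. It is not part of Icinga 2 and does not
reproduce the bug; it only classifies log output of the kind quoted in the post.
"""
import re
from collections import Counter, defaultdict

# Icinga 2 log line shape: "[timestamp] severity/component: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<sev>\w+)/(?P<comp>\w+): (?P<msg>.*)$")

# Message patterns to classify. The labels are chosen here (assumption), not Icinga terms.
MSG_PATTERNS = {
    "no_shared_cipher": re.compile(r"OpenSSL error: .*no shared cipher"),
    "tls_handshake_failed": re.compile(r"Client TLS handshake failed \(from (?P<peer>\[[^\]]*\]:\d+)\)"),
    "csr_not_signed": re.compile(r"Received certificate request for CN '(?P<name>[^']+)' not signed by our CA"),
    "rpc_eof": re.compile(r"Error while reading JSON-RPC message for identity '(?P<name>[^']+)': Error: End of file"),
    "client_disconnected": re.compile(r"API client disconnected for identity '(?P<name>[^']+)'"),
}

# Sample input: lines 1-7 are copied from the post; the last line is constructed.
SAMPLE_LOG = """\
[2019-07-26 05:15:35 -0400] warning/TlsStream: OpenSSL error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
[2019-07-26 05:15:35 -0400] critical/ApiListener: Client TLS handshake failed (from []:34854): Error: Socket was closed during TLS handshake.
        (0) Handling new API client connection
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Received certificate request for CN 'centos4' not signed by our CA.
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Sending certificate response for CN 'centos4' to endpoint 'centos4'.
[2019-07-26 11:48:29 +0200] notice/JsonRpcConnection: Error while reading JSON-RPC message for identity 'centos4': Error: End of file
[2019-07-26 11:48:29 +0200] warning/JsonRpcConnection: API client disconnected for identity 'centos4'
[2019-07-26 11:48:30 +0200] information/ApiListener: New client connection for identity 'centos4' (constructed line)
""".splitlines()


def parse_line(line):
    """Return (timestamp, severity, component, message), or None for backtrace/context lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("sev"), m.group("comp"), m.group("msg")


def classify(message):
    """Return (label, peer-or-identity) for a known failure message, else (None, None)."""
    for label, pat in MSG_PATTERNS.items():
        m = pat.search(message)
        if m:
            groups = m.groupdict()
            return label, groups.get("peer") or groups.get("name")
    return None, None


def triage(lines):
    """Count failure classes and collect the peers/identities each one involves."""
    counts = Counter()
    subjects = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # e.g. "(0) Handling new API client connection" context lines
        label, name = classify(parsed[3])
        if label is None:
            continue
        counts[label] += 1
        if name:
            subjects[label].add(name)
    return counts, {k: sorted(v) for k, v in subjects.items()}


def diagnose(counts):
    """Map the counted classes to the two symptoms described in the post (assumed mapping)."""
    findings = []
    if counts["no_shared_cipher"] and counts["tls_handshake_failed"]:
        # The peer offered no cipher the listener accepts; in the post this went away
        # once both sides ran the same release.
        findings.append("cipher_mismatch")
    if counts["csr_not_signed"] and counts["rpc_eof"]:
        # A certificate response was sent and the JSON-RPC stream then hit EOF.
        findings.append("rpc_drop_after_signing")
    return findings


if __name__ == "__main__":
    counts, subjects = triage(SAMPLE_LOG)
    for label, n in counts.items():
        print(f"{label}: {n} {subjects.get(label, [])}")
    print("findings:", diagnose(counts))
```

To run it over a real log, replace SAMPLE_LOG with `open("/var/log/icinga2/icinga2.log")`; the parser skips the indented backtrace lines on its own. The subjects map is what makes the output actionable: for handshake failures it lists the peer address from "(from ...)" so the agents that still need attention can be picked out, and for JSON-RPC drops it lists the identity whose CSR was just answered.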