I’ve been testing 2.11.0-rc and one thing I noticed while trying to upgrade the master, but not all agents, is that some (not all for some reason) complain about SSL ciphers:
[2019-07-26 05:15:35 -0400] warning/TlsStream: OpenSSL error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
[2019-07-26 05:15:35 -0400] critical/ApiListener: Client TLS handshake failed (from [10.24.1.181]:34854): Error: Socket was closed during TLS handshake.
(0) Handling new API client connection
Context:
(0) Handling new API client connection
Restarting the agent didn’t make this go away, but upgrading it to also use 2.11.0-rc1 did help.
During the upgrade, openssl wasn’t upgraded and remains as before:
Version : 1.0.2k Release : 16.el7_6.1
OS: Centos 7
Another thing I noticed is that after manually signing a CSR on the master, RPC connections begin to fail with the following error message:
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Received certificate request for CN 'centos4' not signed by our CA.
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Sending certificate response for CN 'centos4' to endpoint 'centos4'.
[2019-07-26 11:48:29 +0200] notice/JsonRpcConnection: Error while reading JSON-RPC message for identity 'centos4': Error: End of file
(0) icinga2: icinga::JsonRpc::ReadMessage(std::shared_ptr<icinga::AsioTlsStream> const&, boost::asio::basic_yield_context<boost::asio::executor_binder<void (*)(), boost::asio::executor> >, long) (+0x95) [0x95a1b5]
(1) icinga2: icinga::JsonRpcConnection::HandleIncomingMessages(boost::asio::basic_yield_context<boost::asio::executor_binder<void (*)(), boost::asio::executor> >) (+0x176) [0x9d31a6]
(2) /usr/lib64/icinga2/sbin/icinga2() [0x9d3923]
(3) libboost_context.so.1.69.0: make_fcontext (+0x2f) [0x7fbb0139118f]
[2019-07-26 11:48:29 +0200] warning/JsonRpcConnection: API client disconnected for identity 'centos4'
The agent on centos4 has to be restarted to make the connection work. With 2.10, I can’t remember having had to restart the agent post signing a CSR.
This is 100% reproducible. Generate a new self-signed cert on the agent and restart the PKI procedure and you’ll end up with the same End of file error after signing the new CSR.
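As an added example (not part of the original report and not Icinga 2 project code), here is a small Python scanner that picks the two symptoms quoted above out of an Icinga 2 log: TLS handshakes rejected with OpenSSL "no shared cipher" (which is what a mixed 2.10/2.11 cluster shows when master and agent no longer agree on a cipher suite), and a JSON-RPC "End of file" disconnect that immediately follows a certificate response for the same identity. It assumes the default Icinga 2 log line layout `[timestamp] severity/Component: message`; the sample log is constructed from the lines in the report plus one benign line for contrast, and the pairing of the OpenSSL warning with the following ApiListener line is by adjacency, because the warning itself carries no peer address.

```python
"""Scan Icinga 2 log lines for two upgrade-related symptoms.

Added example, not from the original report or the Icinga project.
Assumes the default log layout: "[timestamp] severity/Component: message".
"""
import re

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<sev>\w+)/(?P<comp>\w+): (?P<msg>.*)$")
HANDSHAKE_FROM_RE = re.compile(r"handshake failed \(from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)\)")
CERT_RESPONSE_RE = re.compile(r"Sending certificate response for CN '(?P<cn>[^']+)'")
RPC_EOF_RE = re.compile(
    r"Error while reading JSON-RPC message for identity '(?P<id>[^']+)': Error: End of file"
)

# Constructed sample: the entries quoted in the report, one per line, a
# continuation line that must be skipped, and one benign line that matches
# neither pattern.
SAMPLE_LOG = """\
[2019-07-26 05:15:35 -0400] warning/TlsStream: OpenSSL error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
[2019-07-26 05:15:35 -0400] critical/ApiListener: Client TLS handshake failed (from [10.24.1.181]:34854): Error: Socket was closed during TLS handshake.
(0) Handling new API client connection
[2019-07-26 05:15:40 -0400] information/ApiListener: Reconnecting to endpoint 'centos5' via host '10.24.1.182' and port '5665' (constructed benign line)
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Received certificate request for CN 'centos4' not signed by our CA.
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Sending certificate response for CN 'centos4' to endpoint 'centos4'.
[2019-07-26 11:48:29 +0200] notice/JsonRpcConnection: Error while reading JSON-RPC message for identity 'centos4': Error: End of file
[2019-07-26 11:48:29 +0200] warning/JsonRpcConnection: API client disconnected for identity 'centos4'
"""


def parse_line(line):
    """Split one log line into its fields; return None for continuation/stack lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_no_shared_cipher_clients(log_text):
    """Return [(timestamp, client_ip, port)] for handshakes rejected with 'no shared cipher'.

    The TlsStream warning has no peer address, so it is paired with the next
    ApiListener 'handshake failed (from [ip]:port)' entry.
    """
    results = []
    pending_ts = None  # timestamp of a 'no shared cipher' warning not yet paired
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["comp"] == "TlsStream" and "no shared cipher" in entry["msg"]:
            pending_ts = entry["ts"]
            continue
        if pending_ts and entry["comp"] == "ApiListener":
            m = HANDSHAKE_FROM_RE.search(entry["msg"])
            if m:
                results.append((pending_ts, m.group("ip"), int(m.group("port"))))
                pending_ts = None
    return results


def find_csr_eof_disconnects(log_text):
    """Return identities that hit 'End of file' after a certificate response was sent."""
    awaiting = set()  # CNs for which a certificate response has just gone out
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["comp"] != "JsonRpcConnection":
            continue
        m = CERT_RESPONSE_RE.search(entry["msg"])
        if m:
            awaiting.add(m.group("cn"))
            continue
        m = RPC_EOF_RE.search(entry["msg"])
        if m and m.group("id") in awaiting:
            hits.append(m.group("id"))
            awaiting.discard(m.group("id"))
    return hits


if __name__ == "__main__":
    for ts, ip, port in find_no_shared_cipher_clients(SAMPLE_LOG):
        print(f"{ts}: no shared cipher with {ip}:{port} (agent likely on an older release)")
    for ident in find_csr_eof_disconnects(SAMPLE_LOG):
        print(f"identity {ident}: disconnected with End of file right after CSR signing")
```

Pointing the two functions at `/var/log/icinga2/icinga2.log` instead of `SAMPLE_LOG` gives a quick list of which agents still need the upgrade (by source IP) and which identities dropped straight after a certificate response, without having to read the interleaved stack traces by hand.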