Feedback from 2.11.0-rc1 testing

(David Raison) #1

I’ve been testing 2.11.0-rc and one thing I noticed while trying to upgrade the master, but not all agents, is that some (not all for some reason) complain about SSL ciphers:

[2019-07-26 05:15:35 -0400] warning/TlsStream: OpenSSL error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
[2019-07-26 05:15:35 -0400] critical/ApiListener: Client TLS handshake failed (from [10.24.1.181]:34854): Error: Socket was closed during TLS handshake.

        (0) Handling new API client connection

Context:
        (0) Handling new API client connection

Restarting the agent didn’t make this go away, but upgrading it to also use 2.11.0-rc1 did help.
During the upgrade, openssl wasn’t upgraded and remains as before:

Version     : 1.0.2k
Release     : 16.el7_6.1

OS: Centos 7
Another thing I noticed is that after manually signing a CSR on the master, RPC connections begin to fail with the following error message:

[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Received certificate request for CN 'centos4' not signed by our CA.
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Sending certificate response for CN 'centos4' to endpoint 'centos4'.
[2019-07-26 11:48:29 +0200] notice/JsonRpcConnection: Error while reading JSON-RPC message for identity 'centos4': Error: End of file
        (0) icinga2: icinga::JsonRpc::ReadMessage(std::shared_ptr<icinga::AsioTlsStream> const&, boost::asio::basic_yield_context<boost::asio::executor_binder<void (*)(), boost::asio::executor> >, long) (+0x95) [0x95a1b5]
        (1) icinga2: icinga::JsonRpcConnection::HandleIncomingMessages(boost::asio::basic_yield_context<boost::asio::executor_binder<void (*)(), boost::asio::executor> >) (+0x176) [0x9d31a6]
        (2) /usr/lib64/icinga2/sbin/icinga2() [0x9d3923]
        (3) libboost_context.so.1.69.0: make_fcontext (+0x2f) [0x7fbb0139118f]
[2019-07-26 11:48:29 +0200] warning/JsonRpcConnection: API client disconnected for identity 'centos4'

The agent on centos4 has to be restarted to make the connection work. With 2.10, I can’t remember having had to restart the agent post signing a CSR.

This is 100% reproducible. Generate a new self-signed cert on the agent and restart the PKI procedure and you’ll end up with the same End of file error after signing the new CSR.
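Added example (not the poster's code or part of Icinga 2): a small triage script that walks Icinga 2 log lines in the format quoted above and pulls out the two signatures described in the post, TLS handshake failures preceded by the OpenSSL "no shared cipher" warning (keyed by the agent's IP), and JSON-RPC "End of file" errors that follow a certificate response for the same CN within a few seconds. The sample log lines are constructed for this example; the 5-second correlation window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the Icinga 2 log format quoted in the post;
# the timestamps, CNs and peer IP are made up for this example.
SAMPLE_LOG = """\
[2019-07-26 05:15:35 -0400] warning/TlsStream: OpenSSL error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
[2019-07-26 05:15:35 -0400] critical/ApiListener: Client TLS handshake failed (from [10.24.1.181]:34854): Error: Socket was closed during TLS handshake.
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Received certificate request for CN 'centos4' not signed by our CA.
[2019-07-26 11:48:29 +0200] information/JsonRpcConnection: Sending certificate response for CN 'centos4' to endpoint 'centos4'.
[2019-07-26 11:48:29 +0200] notice/JsonRpcConnection: Error while reading JSON-RPC message for identity 'centos4': Error: End of file
[2019-07-26 11:48:29 +0200] warning/JsonRpcConnection: API client disconnected for identity 'centos4'
[2019-07-26 11:50:02 +0200] notice/JsonRpcConnection: Error while reading JSON-RPC message for identity 'centos5': Error: End of file
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<sev>\w+)/(?P<facility>\w+): (?P<msg>.*)$")
HANDSHAKE_RE = re.compile(r"Client TLS handshake failed \(from \[(?P<ip>[^\]]+)\]:\d+\)")
CERT_RESP_RE = re.compile(r"Sending certificate response for CN '(?P<cn>[^']+)'")
EOF_RE = re.compile(r"reading JSON-RPC message for identity '(?P<cn>[^']+)': Error: End of file")

def triage(log_text, window=timedelta(seconds=5)):
    """Return (handshake failures keyed by (peer IP, reason),
    identities whose JSON-RPC EOF came within `window` of a certificate response)."""
    pending_cipher_error = False   # set by the TlsStream warning that precedes a handshake failure
    handshake_failures = defaultdict(int)
    last_cert_response = {}        # CN -> time the master sent the signed certificate
    eof_after_signing = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        msg = m["msg"]
        if "no shared cipher" in msg:
            pending_cipher_error = True
            continue
        if h := HANDSHAKE_RE.search(msg):
            reason = "no shared cipher" if pending_cipher_error else "other"
            handshake_failures[(h["ip"], reason)] += 1
            pending_cipher_error = False
            continue
        if c := CERT_RESP_RE.search(msg):
            last_cert_response[c["cn"]] = ts
            continue
        if e := EOF_RE.search(msg):
            sent = last_cert_response.get(e["cn"])
            if sent is not None and ts - sent <= window:
                eof_after_signing.append(e["cn"])
    return dict(handshake_failures), eof_after_signing
```

Agents listed under "no shared cipher" are the ones still on the old release whose cipher set no longer overlaps with the master's; CNs in the second list are the ones that dropped their connection right after signing and need the restart described above.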