Problems setting up agent SSL on RHEL 5.1 host

  • Hi,
    I have a host running RHEL 5.1 32-bit that crashes on SSL setup attempt.
    Some details first:

    LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
    Distributor ID: RedHatEnterpriseServer
    Description: Red Hat Enterprise Linux Server release 5.1 (Tikanga)
    Release: 5.1
    Codename: Tikanga

    icinga2-bin-2.4.10-1.el5.centos
    icinga2-common-2.4.10-1.el5.centos
    icinga-rpm-release-5-1.el5.centos
    icinga2-2.4.10-1.el5.centos
    openssl-devel-0.9.8b-8.3.el5_0.2
    openssl-0.9.8b-8.3.el5_0.2

    When the agent is first installed, it can run without problems, yet after I run "icinga2 node wizard", it fails to start.
    I checked the crash log report and it says:

    I did some googling and found bugs related to Ubuntu some versions ago, but nothing on RHEL 5 family and I use the latest packages from the Icinga repo.

    Any suggestions?

    Thanks in advance,

  • How do you install icinga2? Via package manager or anything else? Can you try the EPEL repo? Follow like this:

    rpm --import
    wget -O /etc/yum.repos.d/ICINGA-release.repo
    yum clean all
    yum update
    yum install icinga2
  • Hello,

    I think you need gdb for more information. After installing gdb, can you send back the debug output? I did not see a problem when I tried CentOS 5. Did you turn off SELinux?

  • Hello,
    I am running RHEL 5.6.
    Initially, I had problems communicating with nodes.
    Your problem may lie in a buggy openssl implementation that is fixed in RHEL 5.11.

    So, I used the following from the 5.11 media:

    openssl.i686 0.9.8e-27.el5_10.4 installed
    openssl.x86_64 0.9.8e-27.el5_10.4 installed
    openssl-devel.i386 0.9.8e-27.el5_10.4 installed
    openssl-devel.x86_64 0.9.8e-27.el5_10.4 installed

    Restore your box to a VM, update it to the above rpms and see if that fixes it for you.

    That problem took me 2 weeks...

  • This is RHEL 5.1, as I mentioned before.
    Updating OpenSSL would be quite painful right now....

    Did you have exactly the same problem?

  • The problem that I had was that endpoints were not able to connect to that rh 5.6 master because of a TLS handshake problem.
    As there was an additional openssl v1.10 installed in parallel, I was able to do an openssl s_client -connect somehost:5665
    with success using openssl110 and failure using openssl098.

    I then tried a VM with the last RHEL5 available, 5.11.
    There that was fixed.
    So I built another VM with RHEL5.6, did a yum localupdate openssl from the 5.11 DVD which, as far as I remember, updated the 3 openssl packages and perhaps 2 others (maybe nss-something?).
    These packages have been copied to the production machine and installed the same way.

  • We generally can only test and provide packages for up-to-date distributions, e.g. RHEL 5.11, 6.<whateverisreleased>, 7.2. Especially older RHEL5 systems tend to have multiple software bugs and security issues which should alarm any sysadmin planning upgrades.

  • @dnsmichi:
    Totally agreed.
    RHEL5.6 is stone age and really has lots of security-related bugs (openssl, bash, nss, etc.)
    However, we all know that "real world sideband restrictions" like existing contracts, old applications etc. might force a sysadmin to still run these beasts - even if we are left alone with that.

    You just need to know what you are doing.

  • Sure. The point I am trying to make: we as the Icinga project do not have the resources to build and test different rpm binary packages for different point releases. We can only support the latest and greatest.