<div>Hi,<br></div><div>Could you also please check "openssl s_client -connect ${rudder_policy_server}:5309 &lt;/dev/null" on both the policy server and the node you are trying to connect from, to see whether you can connect to the host in general and which SSL-Session is negotiated?<br></div><div><br></div><div>I for example have something similar:<br></div><div><br></div><div>SSL-Session:<br></div><div> Protocol : TLSv1.2<br></div><div>...</div><div><br></div><div>Cheers,</div><div><br></div><div class="protonmail_signature_block"><div class="protonmail_signature_block-user"><div>-- <br></div><div>Janos Mattyasovszky<br></div></div><div class="protonmail_signature_block-proton protonmail_signature_block-empty"><br></div></div><div><br></div><div>‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐<br></div><div> On July 18, 2018 10:02 AM, Nicolas Charles &lt;nicolas.charles@normation.com&gt; wrote:<br></div><div> <br></div><blockquote class="protonmail_quote" type="cite"><div>On 13/07/2018 at 11:30, GALLET Tristan wrote:<br></div><div> <br></div><blockquote type="cite"><div class="WordSection1"><p class="MsoNormal">Hello everybody,<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">I’ve just migrated from Rudder 4.2 to
4.3.2 (not 4.3.3; Debian does not yet have this version in the
repository).<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">Server and client are on Debian 8.11, all
updates from today.<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">After upgrade, clients cannot update their
policies :<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">From a client :<br></p><p class="MsoNormal"><b>rudder agent update</b><br></p><p class="MsoNormal"><b>R:
*********************************************************************************</b><br></p><p class="MsoNormal"><b>* rudder-agent could not get an updated
configuration from the policy server. *</b><br></p><p class="MsoNormal"><b>* This can be caused
by: *</b><br></p><p class="MsoNormal"><b>* * an agent key that has been
changed *</b><br></p><p class="MsoNormal"><b>* * if this node is not accepted or
deleted node on the Rudder root server *</b><br></p><p class="MsoNormal"><b>* * if this node has changed policy
server without sending a new inventory *</b><br></p><p class="MsoNormal"><b>* Any existing configuration policy will
continue to be applied without change. *</b><br></p><p class="MsoNormal"><b>*********************************************************************************</b><br></p><p class="MsoNormal"><b>ok: Rudder agent promises were updated.</b><br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">From the server:<br></p><p class="MsoNormal">rudder server debug 10.X.X.X<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">Logs from server:<br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Setting
IDENTITY: USERNAME=root</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Received
public key compares equal to the one we have stored</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
MD5=70b5b4d90fa8c1176cd2c1a00deb9884: Client is TRUSTED,
public key MATCHES stored one.</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated</b><br></p><p class="MsoNormal"><b>rudder info: 10.X.X.X> access
denied to STAT:
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> REFUSAL to
user='root' of request: SYNCH 1531473776 STAT
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT /usr/share/ncf/tree/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT /usr/share/ncf/tree/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: MD5 /usr/share/ncf/tree/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: MD5 /usr/share/ncf/tree/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT
/var/rudder/configuration-repository/ncf/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT
/var/rudder/configuration-repository/ncf/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: MD5
/var/rudder/configuration-repository/ncf/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: MD5
/var/rudder/configuration-repository/ncf/ncf_hash_file</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: STAT /var/rudder/tools/rudder_tools_updated</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: STAT /var/rudder/tools/rudder_tools_updated</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X>
Received: MD5 /var/rudder/tools/rudder_tools_updated</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Translated
to: MD5 /var/rudder/tools/rudder_tools_updated</b><br></p><p class="MsoNormal"><b>rudder verbose: 10.X.X.X> Remote
peer terminated TLS session (SSL_read)</b><br></p><p class="MsoNormal"><b>rudder info: 10.X.X.X> Closing
connection, terminating thread</b><br></p><p class="MsoNormal"><b> </b><br></p><p class="MsoNormal">DNS is ok, server and client resolve each
other.<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">Is there something to do after migration?<br></p><p class="MsoNormal"> <br></p><p class="MsoNormal">Regards<br></p><p class="MsoNormal"><span lang="FR" style="mso-fareast-language:FR">Kind regards,</span><br></p><p class="MsoNormal"><span lang="FR" style="mso-fareast-language:FR"> </span><br></p><p class="MsoNormal"><span lang="FR" style="mso-fareast-language:FR">Tristan</span><br></p></div></blockquote><div><br></div><div>Hi Tristan,<br></div><div> <br></div><div> Thank you very much for the detailed explanation and debug logs, it
is very useful. I'm sorry for the delay in the answer, the mail was
caught in a moderation zone :/<br></div><div> <br></div><div> Normally, there shouldn't be anything to do after an upgrade, so you
are hitting a bug.<br></div><div> We've encountered a very rare bug where inventories or keys could be
lost during an upgrade, due to a cache issue - it may be related to
that. Can you do the following:<br></div><div> <br></div><div> <br></div><ul><li>On the failing node, can you run<br></li></ul><div>rudder agent inventory<br></div><div> <br></div><div> <br></div><ul><li>then, on the Rudder server, run:<br></li></ul><div>rudder agent inventory && rudder agent run<br></div><div> to be sure that the Rudder server inventory is there and up to date.<br></div><div> <br></div><div> <br></div><ul><li>trigger a full policy generation, by clicking on "Status" in
the menu bar of Rudder, then "Regenerate all policies"<br></li></ul><div><br></div><ul><li>then, on the node, once the policy generation is finished, run<br></li></ul><div>rudder agent run -u<br></div><div> <br></div><div> If it doesn't work, we'll have to investigate further: did you have
any error during the upgrade? Do you have any "ERROR" in your
/var/log/rudder/webapp folder, post-upgrade ? <br></div><div> Does the file
/var/rudder/share/02dfe0b6-fee5-491a-96bb-95ecf27b07bb/rules/cfengine-community/rudder_promises_generated
exist on the server ?<br></div><div> <br></div><div> Thank you,<br></div><div> Nicolas<br></div><div> <br></div><div> <br></div></blockquote><div><br></div>
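<div>One way to read the kind of server debug log quoted in this thread, as an added example that is not part of the original messages: the script separates the key check from the access check per client, so a node whose key MATCHES but whose STAT is denied is reported as an access problem rather than a key problem. The sample log, the addresses, the <code>NODE-UUID</code> placeholder, the fingerprints and the <code>triage</code> function name are assumptions made for illustration.</div>

```shell
#!/bin/sh
# Added example (not from the thread): triage `rudder server debug` output.
# sample_log is constructed, modelled on the log lines quoted above; the
# addresses, NODE-UUID placeholder and key fingerprints are made up.
sample_log() {
cat <<'EOF'
rudder verbose: 192.0.2.10> Setting IDENTITY: USERNAME=root
rudder verbose: 192.0.2.10> Received public key compares equal to the one we have stored
rudder verbose: 192.0.2.10> MD5=00000000000000000000000000000000: Client is TRUSTED, public key MATCHES stored one.
rudder verbose: 192.0.2.10> Received: STAT /var/rudder/share/NODE-UUID/rules/cfengine-community/rudder_promises_generated
rudder    info: 192.0.2.10> access denied to STAT: /var/rudder/share/NODE-UUID/rules/cfengine-community/rudder_promises_generated
rudder verbose: 192.0.2.10> REFUSAL to user='root' of request: SYNCH 1531473776 STAT /var/rudder/share/NODE-UUID/rules/cfengine-community/rudder_promises_generated
rudder verbose: 192.0.2.11> MD5=11111111111111111111111111111111: Client is TRUSTED, public key MATCHES stored one.
rudder verbose: 192.0.2.11> Received: STAT /usr/share/ncf/tree/ncf_hash_file
rudder    info: 192.0.2.11> Closing connection, terminating thread
EOF
}

# Reads log lines on stdin and prints one verdict per client, in order of
# first appearance:
#   <client> key-ok-access-denied <first denied path>
#   <client> key-unverified-access-denied <first denied path>
#   <client> ok
triage() {
  awk '
    $1 == "rudder" && $3 ~ />$/ {
      c = substr($3, 1, length($3) - 1)          # client address without ">"
      if (!(c in seen)) { seen[c] = 1; order[++n] = c }
      if (index($0, "public key MATCHES stored one")) trusted[c] = 1
      if (index($0, "access denied to")) {
        denied[c]++
        if (!(c in path)) path[c] = $NF          # remember the first refused file
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        c = order[i]
        if (denied[c] && trusted[c]) print c, "key-ok-access-denied", path[c]
        else if (denied[c])          print c, "key-unverified-access-denied", path[c]
        else                         print c, "ok"
      }
    }'
}

sample_log | triage
```

<div>On a real server, pipe the saved debug output into <code>triage</code> instead of <code>sample_log</code>.</div>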