Getting server uuid fails on agent with old openssl
On some old OS (for example: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3, OpenSSL 0.9.8j-fips 07 Jan 2009), when the node tries to get the server uuid, we get an error:
curl -L -k -1 -s -f --proxy '' https://xxx.xxx.xxx.xxx/uuid : an error occured, returned 51
The error message means: "The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK."
The same command, without the -1 option (meaning: force use TLS), works on these OS.
[removing non working workaround]
#4 Updated by François ARMAND almost 2 years ago
- Description updated (diff)
- Target version deleted (
So, it is most likely a problem with curl and/or the local certificate chain on the node.
See for example information on the subject: https://forum.openwrt.org/viewtopic.php?id=58603 , https://www.novell.com/support/kb/doc.php?id=7009789
You can test with:
curl -v https://google.com
=> you should also get the error 51 return.
And the following should work:
mkdir /tmp/certs
curl -o /tmp/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem
curl --cacert /tmp/certs/ca-certificates.crt -v -L -k -1 -s --proxy '' https://xxx.xxx.xxx.xxx/uuid
In that case, the solution is to update the corrupted ca chain cert on the node.
#5 Updated by François ARMAND almost 2 years ago
The problem may also be linked to the version of curl. On SUSE Linux Enterprise Server 11 (x86_64) (PATCHLEVEL = 3), with OpenSSL 0.9.8j-fips :
- curl 7.19.0 (x86_64-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10 => can get policy server UUID
- curl 7.42.1 (x86_64-unknown-linux-gnu) libcurl/7.42.1 OpenSSL/0.9.8j zlib/1.2.7 => can not get policy server UUID.
Downgrading the curl version allows getting the policy server UUID.
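
The checks from notes #4 and #5 combined into one run, as an added example that is not part of the original ticket or of the project's code: it calls curl with and without -1, against the system CA store and against an alternate bundle, and names the likely cause. The function names, row labels and cause names are assumptions of this example, and -k is left out on purpose because it disables certificate verification, which is what the CA-chain check needs to exercise.

```shell
#!/bin/sh
# Added example (not from the ticket): separate "TLS flag" failures from "CA chain" failures.

# Meaning of the curl exit codes relevant here (from the curl manual).
explain_exit() {
    case "$1" in
        0)  echo "ok" ;;
        35) echo "SSL/TLS handshake failed" ;;
        51) echo "peer certificate or fingerprint not OK" ;;
        60) echo "peer certificate not verified against known CAs" ;;
        77) echo "problem reading the CA certificate file" ;;
        *)  echo "other error" ;;
    esac
}

# probe URL [extra curl args...]: print "<exit code> <meaning>".
probe() {
    url=$1; shift
    rc=0
    curl -s -f -L --proxy '' -o /dev/null "$@" "$url" || rc=$?
    echo "$rc $(explain_exit "$rc")"
}

# run_matrix URL CA_BUNDLE: one row per combination of TLS flag and CA source.
run_matrix() {
    url=$1; bundle=$2
    echo "default-tls system-ca: $(probe "$url")"
    echo "force-tlsv1 system-ca: $(probe "$url" -1)"
    echo "default-tls bundle-ca: $(probe "$url" --cacert "$bundle")"
    echo "force-tlsv1 bundle-ca: $(probe "$url" -1 --cacert "$bundle")"
}

# row_ok MATRIX LABEL: true when the row with that label reports exit code 0.
row_ok() { printf '%s\n' "$1" | grep -q "^$2: 0 "; }

# suspect MATRIX: "tls-flag" (note #5), "ca-chain" (note #4) or "inconclusive".
suspect() {
    m=$1
    if row_ok "$m" "default-tls system-ca" && ! row_ok "$m" "force-tlsv1 system-ca" \
        && ! row_ok "$m" "force-tlsv1 bundle-ca"; then
        echo "tls-flag"    # fails only with -1, whatever the CA source
    elif ! row_ok "$m" "default-tls system-ca" && row_ok "$m" "default-tls bundle-ca"; then
        echo "ca-chain"    # a fresh bundle fixes it: local CA store is the problem
    else
        echo "inconclusive"
    fi
}

# Usage: sh script.sh <url> <ca-bundle-path>
if [ "$#" -ge 2 ]; then m=$(run_matrix "$1" "$2"); echo "$m"; echo "likely cause: $(suspect "$m")"; fi
```

A "tls-flag" result points at the curl/OpenSSL build as in note #5, a "ca-chain" result at the node's CA store as in note #4.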
#13 Updated by Benoît PECCATTE 11 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis MOUSSET
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1141