Ticket #674 (closed defect: fixed)

Opened 12 years ago

Last modified 7 years ago

bcfg2 client query hangs

Reported by: Lisa Giacchetti <lisa@…> Owned by: desai
Priority: major Milestone:
Component: bcfg2-client Version:
Keywords: Cc:

Description

Hi,

I have run into the following issue with bcfg2 -vqn and the SSL cert config on bcfg2-1.0pre3.

This is a CentOS release 5 server, using the same machine as the client. I run bcfg2 -vqn and it hangs with no output. strace shows that it reads the ca and the hostkey.pem and then starts to process the hostcert.pem, at which point it hangs on a read. Eventually it times out and starts the process of evaluating the ca, hostkey etc. again and hangs again. The timeout error is "connection reset by peer":

read(3, 0x9db63b0, 7)                   = -1 ECONNRESET (Connection reset by peer)
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR)             = 0
select(0, NULL, NULL, NULL, {0, 500000}) = 0 (Timeout)
futex(0x9cb53d8, FUTEX_WAKE, 1)         = 0
futex(0x9cb53d8, FUTEX_WAKE, 1)         = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
getpeername(4, 0xbfa45248, [16])        = -1 ENOTCONN (Transport endpoint is not connected)

My /etc/bcfg2.conf communications section looks like this:

[communication]
protocol = xmlrpc/ssl
key = /etc/grid-security/hostkey.pem
certificate = /etc/grid-security/hostcert.pem
ca = /etc/grid-security/certificates/1c3f2ca8.0

Change History

comment:1 Changed 12 years ago by Lisa Giacchetti <lisa@…>

Hi development team,

My colleague was able to get the certificates working by doing a couple of things which I detail below. It seems that the password entry in the config file is still needed, despite the fact that it looks like the encrypted SSL certificate authentication is being used. Is there still some piece of password-based authentication that needs to be removed?

  1. Config:

     [communication]
     password = XXXXXXXXXX      # uncommented
     ca = /etc/grid-security/AA

     where CA contains:

     cat hostcert.pem > AA
     cat certificates/1c3f2ca8.0 >> AA
     cat certificates/d1b603c3.0 >> AA

  2. Server side:

     for the wrap_socket added in def get_request(self) / SSLServer.py:

     cert_reqs=ssl.CERT_REQUIRED,
     ssl_version=ssl.PROTOCOL_TLSv1,

  3. Client side - replaced:

     #self.sock = ssl.SSLSocket(rawsock, cert_reqs=self.ca_mode,
     #                          ca_certs=self.ca, suppress_ragged_eofs=True,
     #                          keyfile=self.key, certfile=self.cert)
     self.sock = ssl.wrap_socket(rawsock, server_side=False,
                                 certfile=self.cert,
                                 keyfile=self.key,
                                 cert_reqs=ssl.CERT_REQUIRED,
                                 ssl_version=ssl.PROTOCOL_TLSv1,
                                 ca_certs=self.ca)
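The workaround above points `ca =` at a hand-assembled bundle (hostcert.pem plus two CA files concatenated into AA). The following is an added example, not bcfg2 code and not the reporter's: a small lint of such a PEM bundle that counts the certificates it holds and flags the mistakes that make a handshake fail silently or leak a key (a private key concatenated into the bundle, a block whose base64 does not decode, a body that is not DER). The sample PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import re

# Added example, not bcfg2 code: lint a PEM bundle like the concatenated "AA"
# file so an assembly mistake is caught before the client hangs on its handshake.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def lint_ca_bundle(pem_text):
    """Return (certificate_count, problems) for the text of a PEM bundle.

    Flags a private key in the bundle (CA bundles are readable by design),
    base64 that does not decode, and bodies that are not a DER SEQUENCE
    (every X.509 certificate starts with tag 0x30).
    """
    certs = 0
    problems = []
    for idx, (label, body) in enumerate(PEM_BLOCK.findall(pem_text), 1):
        if "PRIVATE KEY" in label:
            problems.append("block %d: %s must not be in a CA bundle" % (idx, label))
            continue
        if label != "CERTIFICATE":
            problems.append("block %d: unexpected type %s" % (idx, label))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("block %d: bad base64" % idx)
            continue
        if not der or der[0] != 0x30:
            problems.append("block %d: not a DER SEQUENCE" % idx)
            continue
        certs += 1
    if certs == 0:
        problems.append("no certificates in bundle")
    return certs, problems


# Constructed sample blocks (not real certificates): the bodies are a minimal
# DER SEQUENCE (30 03 02 01 01) and a bare DER INTEGER (02 01 01).
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
NOT_DER = "-----BEGIN CERTIFICATE-----\nAgEB\n-----END CERTIFICATE-----\n"
LEAKED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n"
              "-----END RSA PRIVATE KEY-----\n")
BAD_B64 = "-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(lint_ca_bundle(GOOD_CERT * 3))  # three certs, as in the cat sequence
    print(lint_ca_bundle(GOOD_CERT + LEAKED_KEY + NOT_DER + BAD_B64))
```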

comment:2 Changed 12 years ago by solj

  • Status changed from new to closed
  • Resolution set to fixed

Looks like this was added in [ca974668ba340af041471df42bb246116d1b2a0c] (SVN r5297). Thanks for reporting what worked for you.

comment:3 Changed 7 years ago by Richardheef

  • Version 1.0 deleted
  • Milestone Bcfg2 1.0.0 Release deleted
