    fanf42
    @fanf42:matrix.org
    👍️
    fanf42
    @fanf42:matrix.org
    @DidierMetral: fyi: Normation/rudder-plugins#438
    DidierMetral
    @DidierMetral
    :thumbsup:
    lkoenen
    @lkoenen
    [attachment: gt_value.png]
    [attachment: fixed_value.png]
    fanf42
    @fanf42:matrix.org
    @lkoenen: thanks, @ncharles identified the problem. We will look how it can be corrected tomorrow. Thanks for reporting
    DidierMetral
    @DidierMetral
    @fanf42:matrix.org Hello, it seems that the workaround for LDAPS and RSA 1024 is not working :/
    I tried to connect and I had the error message ... Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate ... . 7 minutes later I tried again and was able to log in (same login and password).
    I have 4 domain controllers so I think the test was OK with a DC with a good cert (with RSA 2048)
    DidierMetral
    @DidierMetral
    The error message lists the DCs with RSA 1024. I never see the 2 other DCs in the log.
    François Armand
    @fanf
    hello @DidierMetral , sorry I didn't see your message earlier. Can you try to put the RSA keySize < 1024 back in, but change it to RSA keySize < 512?
    (I'm wondering if there isn't a default key size hardcoded somewhere, and whether it would be overridden by that)
    Jérémy CHAMPEL
    @jchampel:tec6.im
    Hello all, do you know when the 7.0 release will be available in the latest Debian repo?
    Benjamin Dupalut
    @binibitobi_gitlab
    Hi all,
    I just upgraded my dev server to 7.0 and I'm having trouble with rule categories.
    [attachment: image.png]
    I can still see the categories but I can't delete/rename them.
    Benjamin Dupalut
    @binibitobi_gitlab
    [attachment: image.png]
    François Armand
    @fanf
    @binibitobi_gitlab hello, the "rules with missing/deleted category" is a virtual one to handle cases where a rule gets orphaned for some (bug) reason. You should just have to move the rules in that sub tree elsewhere, into an existing category, and they will disappear once there's no rule left in them.
    The error message is perhaps another thing. Can you look in /var/log/rudder/webapp/2022_01_17_stderrout.log to see if there's more information about what went wrong?
    Alexis Mousset
    @amousset:matrix.org
    Jérémy CHAMPEL: If you are talking about the /apt/latest repo URL, we usually wait for X.0.1 or X.0.2 to switch it to the next major release.
    Vincent Membré
    @VinceMacBuche
    We should prevent opening deleted categories. We show their id so that you can still look in the history to see which category they were referring to. This problem was already there before, but was completely hidden by the UI.
    Benjamin Dupalut
    @binibitobi_gitlab

    Hi @fanf,

    Thank you for your reply. I managed to move the "orphaned" rules to another category.

    For the error message, I tailed /var/rudder/webapp/2022_01_27.stderrout.log and tried to delete a category again, but nothing was logged.

    lkoenen
    @lkoenen
    hey, quick question. how many rudder-relayd processes running simultaneously on a rudder server are normal? > 100?
    Benjamin Dupalut
    @binibitobi_gitlab
    FYI, I just had to log out/log in to see that the categories are gone.
    Benjamin Dupalut
    @binibitobi_gitlab
    I added my categories back but I still can't move my rules to them.
    [attachment: image.png]
    François Armand
    @fanf
    @binibitobi_gitlab : @ElaadF or @RaphaelGauthier will try to understand/help tomorrow
    Benjamin Dupalut
    @binibitobi_gitlab
    @fanf Thank you
    Edzilla2000
    @Edzilla2000
    Hello
    I just upgraded our test server to 7.0 and I have an issue on rudder agent run
    curl: (90) SSL: public key does not match pinned public key!
    Gaëtan CHAGNEAU - 26003
    @gchagneau:tec6.im
    Hi everyone, we've got an issue with our cert too after the upgrade. We want to follow the doc, but there is no file at /opt/rudder/etc/rudder.key
    Fdall
    @Fdall
    Hi, do you have a file under /var/rudder/lib/ssl/policy_server_hash on your faulty node?
    Jérémy CHAMPEL
    @jchampel:tec6.im
    When we run the agent (on the server node), first lines only:
    root@rudder:~# rudder agent run -u
    Rudder agent 7.0.0
    Node uuid: root
    ok: Rudder agent policies were updated.
    Start execution with config [20220128-113543-e4483828]
    
    M| State         Technique                 Component                 Key                Message
    E| compliant     Common                    ncf Initialization                           Configuration library initialization was correct
    E| compliant     Common                    Update                                       Configuration library already up to date on this root server. No action required.
    E| compliant     Common                    Security parameters                          The internal environment security is acceptable
    E| compliant     Common                    CRON Daemon                                  CRON is correctly running
    E| compliant     Common                    Log system for reports                       Reports forwarding to policy server was correct
    E| compliant     Inventory                 Inventory                                    Next inventory scheduled between 00:00 and 06:00
    E| error         rudder-service-apache     Configure apache certifi| Apache certificate Copying /var/rudder/lib/ssl/nodescerts.pem from /opt/rudder/etc/ssl/agent.cert could not be repaired
    E| error         rudder-service-apache     Configure apache certifi| Permissions        Ensure permissions mode 640, owner root and group rudder on /var/rudder/lib/ssl/nodescerts.pem could not be repaired
    E| compliant     rudder-service-apache     Apache configuration      Allowed networks | Ensure permissions mode 600, owner root and group 0 on /opt/rudder/etc/rudder-networks-24.conf was correct
    E| compliant     rudder-service-apache     Apache configuration      Allowed networks | Insert content into /opt/rudder/etc/rudder-networks-24.conf was correct
    E| compliant     rudder-service-apache     Apache configuration      Remote run config| Insert content into /opt/rudder/etc/rudder-networks-policy-server-24.conf was correct
    E| compliant     rudder-service-apache     Apache configuration      Remote run permis| Ensure permissions mode 600, owner root and group 0 on /opt/rudder/etc/rudder-networks-policy-server-24.conf was correct
    E| compliant     rudder-service-apache     Apache configuration      Webdav permissions Ensure permissions mode 640, owner root and group www-data on /opt/rudder/etc/htpasswd-webdav was correct
    E| compliant     rudder-service-apache     Apache configuration      Webdav configurat| Setting Apache webdav password was correct
    E| compliant     rudder-service-apache     Apache configuration      Logrotate          Build file /etc/logrotate.d/rudder-apache from mustache template /var/rudder/cfengine-community/inputs/rudder-service-apache/1.0/apache/apache-logrotate.mustache was correct
    E| compliant     rudder-service-apache     Apache service            Started            Ensure that service apache2 is running was correct
    DidierMetral
    @DidierMetral
    @fanf Sorry I was off yesterday. I tried to change the jdk.certpath.disabledAlgorithms with RSA keySize < 512 but got the same error.
    Gaëtan CHAGNEAU - 26003
    @gchagneau:tec6.im
    We also have this now
    curl: (90) SSL: public key does not match pinned public key!
    warning: Could not send /var/rudder/reports/ready//2022-01-28T15:06:26+00:00@root.log.gz (error 90), it will be retried later
    Alexis Mousset
    @amousset

    The easiest way to get things back in place is to replace the /etc/apache2/sites-enabled/rudder.conf file with a new one based on https://raw.githubusercontent.com/Normation/rudder/master/relay/sources/apache/rudder-vhost.conf (the new 7.0 default). You need to:

    • comment the default vhost for port 443
    • uncomment the commented part, and configure your certificate and server name in the last vhost

    @gchagneau:tec6.im This should work for you too

    Gaëtan CHAGNEAU - 26003
    @gchagneau:tec6.im
    yes
    Alexis Mousset
    @amousset
    and when using this hostname in a browser, do you still see the self-signed cert?
    Gaëtan CHAGNEAU - 26003
    @gchagneau:tec6.im
    I'm double-checking Apache's zones
    Gaëtan CHAGNEAU - 26003
    @gchagneau:tec6.im
    Okay, I don't know why, but there was an issue with our cert,
    which is strange because we didn't touch it.
    We still have this issue though:
    E| error         Common                    Log system for reports                       Reports forwarding to policy server could not be repaired
    
    ...
    
    curl: (90) SSL: public key does not match pinned public key!
    warning: Could not send /var/rudder/reports/ready//2022-01-28T17:32:33+00:00@root.log.gz (error 90), it will be retried later
    on the rudder server
    Gaëtan CHAGNEAU - 26003
    @gchagneau:tec6.im
    and on a node
    
    E| error         Common                    Log system for reports                       Reports forwarding to policy server could not be repaired
    
    ...
    
    warning: Could not send /var/rudder/reports/ready//2022-01-28T17:43:17+00:00@1760bc52-855a-495f-8726-522dcb3ac09c.log.gz (error 22), it will be retried later
    Alexis Mousset
    @amousset

    could you compare the result of (on the server)

    openssl x509 -in /opt/rudder/etc/ssl/agent.cert -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

    with the content of /var/rudder/lib/ssl/policy_server_hash?

    Jérémy CHAMPEL
    @jchampel:tec6.im
    looks the same
    Alexis Mousset
    @amousset:matrix.org
    ok so the problem lies in the apache config
    could you send me your /etc/apache2/sites-enabled/rudder.conf file (here or at amo@rudder.io)?