Bug#1041323: CFEngine agent connection errors

Guido Berhoerster Thu, 20 Jul 2023 02:33:25 -0700

This is fixed by allowing "127.0.0.1" and "::1" to connect to cf-serverd in
cf3/promises.cf. There also seems to be a typo regarding the local network:


    …
    body server control
    # Debian Edu specific
    {
          allowconnects         => { "10.0.0.0.0/8" };
          allowallconnects      => { "10.0.0.0.0/8" };
          trustkeysfrom         => { "10.0.0.0.0/8" };
    …

After changing this to

    …
    body server control
    # Debian Edu specific
    {
          allowconnects         => { "127.0.0.1", "::1", "10.0.0.0/8" };
          allowallconnects      => { "127.0.0.1", "::1", "10.0.0.0/8" };
          trustkeysfrom         => { "10.0.0.0/8" };
    …

the agent connects but then aborts due to a different error about an
untrusted server key:


    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  TRUST 
FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  No suitable 
server found for '/var/lib/cfengine3/inputs'
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Promise 
belongs to bundle 'failsafe_cfe_internal_update' in file 
'/var/lib/cfengine3/inputs/failsafe.cf' near line 121
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Errors 
encountered when actuating files promise '/var/lib/cfengine3/inputs'
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:    error: ::1>             
SSL_write: underlying network error (Broken pipe)
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       SSL_write: underlying network error (Broken pipe)
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             
Connection was hung up!
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       Connection was hung up!
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  TRUST 
FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  No suitable 
server found for '/var/lib/cfengine3/modules'
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Promise 
belongs to bundle 'failsafe_cfe_internal_update' in file 
'/var/lib/cfengine3/inputs/failsafe.cf' near line 130
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Errors 
encountered when actuating files promise '/var/lib/cfengine3/modules'
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:    error: ::1>             
SSL_write: underlying network error (Broken pipe)
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       SSL_write: underlying network error (Broken pipe)
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             
Connection was hung up!
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       Connection was hung up!
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  TRUST 
FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:    error: ::1>             
Connection was hung up while receiving line:
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       Connection was hung up while receiving line:
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             
Client closed connection early! He probably does not trust our key...
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       Client closed connection early! He probably does not trust our key...
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  No suitable 
server found for '/var/lib/cfengine3/inputs'
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Promise 
belongs to bundle 'failsafe_cfe_internal_update' in file 
'/var/lib/cfengine3/inputs/failsafe.cf' near line 144
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Comment is 
'If we failed to fetch policy we try again using
                                                                      the 
legacy default in case we are fetching policy
                                                                      from a 
hub that is not serving mastefiles via a
                                                                      shortcut.'
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Errors 
encountered when actuating files promise '/var/lib/cfengine3/inputs'
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Method 
'failsafe_cfe_internal_update' failed in some repairs
    Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  TRUST 
FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
    Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  No suitable 
server found for '/var/lib/cfengine3/inputs/cf_promises_validated'
    Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  Promise 
belongs to bundle 'cfe_internal_update_policy_cpv' in file 
'/var/lib/cfengine3/inputs/cfe_internal/update/update_policy.cf' near line 229
    Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  Comment is 
'Check whether a validation stamp is available for a new policy update to 
reduce the distributed load'
    Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  Errors 
encountered when actuating files promise 
'/var/lib/cfengine3/inputs/cf_promises_validated'
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:    error: ::1>             
SSL_write: underlying network error (Broken pipe)
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       SSL_write: underlying network error (Broken pipe)
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             
Connection was hung up!
    Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>      
       Connection was hung up!
    Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  Method 
'cfe_internal_update_policy_cpv' failed in some repairs
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Q: 
".../cf-agent" -f /":    error: TRUST FAILED, server presented untrusted key: 
MD5=42d62c2c4be843a78dafffb40dd40277
                                                  Q: ".../cf-agent" -f /":    
error: No suitable server found for 
'/var/lib/cfengine3/inputs/cf_promises_validated'
                                                  Q: ".../cf-agent" -f /":    
error: Promise belongs to bundle 'cfe_internal_update_policy_cpv' in file 
'/var/lib/cfengine3/inputs/cfe_internal/update/update_policy.cf' near line 229
                                                  Q: ".../cf-agent" -f /":    
error: Comment is 'Check whether a validation stamp is available for a new 
policy update to reduce the distributed load'
                                                  Q: ".../cf-agent" -f /":    
error: Errors encountered when actuating files promise 
'/var/lib/cfengine3/inputs/cf_promises_validated'
                                                  Q: ".../cf-agent" -f /":    
error: Method 'cfe_internal_update_policy_cpv' failed in some repairs
    Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  R: Built-in 
failsafe policy triggered

-- 
Guido Berhoerster

Bug#1041323: CFEngine agent connection errors

Reply via email to