Do you think that a build with dynamic linking on CentOS 5.3, then OS updates to CentOS 5.5 and the 3.1.2 build dynamic on CentOS 5.5, could introduce some other conditions?

Below is what I see (minus the verbose stuff):

client copy of servers key:

[r...@client1 ppkeys]# md5sum root-10.10.10.10.pub
c3760abd974072e744537ab32a7a79ee root-10.10.10.10.pub
[r...@client1 ppkeys]# md5sum root-policysrv1.example.com.pub
c3760abd974072e744537ab32a7a79ee root-policysrv1.example.com

server keys:

[r...@policysrv1 ppkeys]# md5sum localhost.pub
c3760abd974072e744537ab32a7a79ee localhost.pub

Client running:

BAD: Unspecified server refusal (see verbose server output)
!! Authentication dialogue with policysrv1.example.com failed
Unable to establish connection with policysrv1.example.com
-> No suitable server responded to hail
Promise (version not specified) belongs to bundle 'update' in file '/var/cfengine/inputs/update.cf' near line 45
Comment: Update the base inputs configs for client

Server logs:

Jan 10 16:05:05 policysrv1 cf-serverd[8463]: Private decrypt failed = padding check failed
Jan 10 16:05:05 policysrv1 cf-serverd[8463]: REFUSAL of request from connecting host: (SAUTH y 256 37 c)
Jan 10 16:05:05 policysrv1 cf-serverd[8463]: Private decrypt failed = padding check failed
Jan 10 16:05:05 policysrv1 cf-serverd[8463]: REFUSAL of request from connecting host: (SAUTH y 256 37 c)
Jan 10 16:05:05 policysrv1 cf-serverd[8463]: Private decrypt failed = padding check failed
Jan 10 16:05:05 policysrv1 cf-serverd[8463]: REFUSAL of request from connecting host: (SAUTH y 256 37 c)

So far this has been consistent on my updates. Removing the keys and recreating and cleaning out the server copies has been working. Reminder: the other part to this is that my servers are on 3.0.5p1.

After the binary updates I do see this structure:

[r...@client1 ppkeys]# ll
total 32
-rw------- 1 root root 1743 Jan 5 10:20 localhost.priv
-rw------- 1 root root 426 Jan 5 10:20 localhost.pub
-rw------- 1 root root 426 Jan 10 15:46 root-10.10.10.10.pub
-rw------- 1 root root 426 Aug 25 09:42 root-10.10.10.11.pub
-rw------- 1 root root 426 Aug 25 09:42 root-policysrv1.example.com.pub
-rw------- 1 root root 426 Aug 25 09:42 root-policysrv2.example.com.pub
-rw------- 1 root root 426 Jan 10 15:46 root-MD5=b8d11c133a1bd29d369cd26632761247.pub
-rw------- 1 root root 426 Aug 25 09:42 root-.pub
[r...@client1 ppkeys]#

What is the root-.pub?

cf-key -s

[r...@client1 ppkeys]# cf-key -s
IP Name Key
10.10.10.10 policysrv1.innovate.ibm.com MD5=b8d11c133a1bd29d369cd
Total Entries: 1
[r...@client1 ppkeys]#

As I am writing this I noticed if I move the root-.pub out of the way it's happy again and talks nice with the server.

Any thoughts? I can add a cleanup in the RPM or via local policy to remove the root-.pub but I guess it might be good to see how this key is created... Are there any verbose options on the ppkey update process?

- Gusto

On Mon, Jan 10, 2011 at 3:04 PM, Erlend Leganger <erlend.legan...@gmail.com> wrote:
> I went from 3.0.2 to 3.1.2 without any key issues - I haven't run cf-key on
> any of the existing clients, so this upgrade was painless (with respect to
> keys that is; static vs dynamic linking was quite another matter...).
> - Erlend
>
>
> On 10 January 2011 18:28, Gusto <gustofw...@gmail.com> wrote:
>>
>> Hi Folks,
>>
>> I have a ppkeys question: Has anyone had issues with 3.0.4/3.0.5p1
>> generated keys and the new 3.1.2 keys updates? Does the 3.1.0+ new
>> hash change the key so the server's public copy of the client no
>> longer matches? Ideally I am going to move everything just was looking
>> for others' experiences...
>>
>> I have an established environment with 200+ machines which has grown
>> from 3.0.1 and is mostly at 3.0.5p1 at this point. I am testing the
>> update to the 3.1.2 on the clients (servers still at 3.0.5p1) but I
>> see some key issues preventing me from just making a large update.
>>
>> My current solution is to just remove the old keys from client and
>> server then run cf-key to get things working again. When we commit to
>> the update first to update are the main policy servers then the
>> clients. Ideally I would like to just update the binaries leaving keys
>> in place if possible. Before taking the 3.1.2 plunge I wanted to ask
>> if anyone has done similar site updates?
>>
>> Best Regards,
>> Gusto
>> _______________________________________________
>> Help-cfengine mailing list
>> Help-cfengine@cfengine.org
>> https://cfengine.org/mailman/listinfo/help-cfengine