The root-.pub file seems like a bug; please report it if you are able to reproduce the creation of it (bug.cfengine.com). Also include which host's key it really is (compare its contents with the other keys).
Thanks.

--Eystein

On 01/10/2011 10:20 PM, Gusto wrote:
> Do you think that a build with dynamic linking on Centos 5.3 then os
> updates to Centos 5.5 and the 3.1.2 build dynamic on Centos 5.5 could
> introduce some other conditions?
>
> Below is what I see (minus the verbose stuff):
> client copy of server's key:
> [r...@client1 ppkeys]# md5sum root-10.10.10.10.pub
> c3760abd974072e744537ab32a7a79ee root-10.10.10.10.pub
> [r...@client1 ppkeys]# md5sum root-policysrv1.example.com.pub
> c3760abd974072e744537ab32a7a79ee root-policysrv1.example.com
>
> server keys:
> [r...@policysrv1 ppkeys]# md5sum localhost.pub
> c3760abd974072e744537ab32a7a79ee localhost.pub
>
>
> Client running:
> BAD: Unspecified server refusal (see verbose server output)
> !! Authentication dialogue with policysrv1.example.com failed
> Unable to establish connection with policysrv1.example.com
> -> No suitable server responded to hail
> Promise (version not specified) belongs to bundle 'update' in file '/var/cfengine/inputs/update.cf' near line 45
> Comment: Update the base inputs configs for client
>
> Server logs:
> Jan 10 16:05:05 policysrv1 cf-serverd[8463]: Private decrypt failed = padding check failed
> Jan 10 16:05:05 policysrv1 cf-serverd[8463]: REFUSAL of request from connecting host: (SAUTH y 256 37 c)
> Jan 10 16:05:05 policysrv1 cf-serverd[8463]: Private decrypt failed = padding check failed
> Jan 10 16:05:05 policysrv1 cf-serverd[8463]: REFUSAL of request from connecting host: (SAUTH y 256 37 c)
> Jan 10 16:05:05 policysrv1 cf-serverd[8463]: Private decrypt failed = padding check failed
> Jan 10 16:05:05 policysrv1 cf-serverd[8463]: REFUSAL of request from connecting host: (SAUTH y 256 37 c)
>
> So far this has been consistent on my updates. Removing the keys and
> recreating and cleaning out the server copies has been working.
> Reminder the other part to this is that my servers are on 3.0.5p1.
>
> After the binary updates I do see this structure:
> [r...@client1 ppkeys]# ll
> total 32
> -rw------- 1 root root 1743 Jan 5 10:20 localhost.priv
> -rw------- 1 root root 426 Jan 5 10:20 localhost.pub
> -rw------- 1 root root 426 Jan 10 15:46 root-10.10.10.10.pub
> -rw------- 1 root root 426 Aug 25 09:42 root-10.10.10.11.pub
> -rw------- 1 root root 426 Aug 25 09:42 root-policysrv1.example.com.pub
> -rw------- 1 root root 426 Aug 25 09:42 root-policysrv2.example.com.pub
> -rw------- 1 root root 426 Jan 10 15:46 root-MD5=b8d11c133a1bd29d369cd26632761247.pub
> -rw------- 1 root root 426 Aug 25 09:42 root-.pub
> [r...@client1 ppkeys]#
>
> What is the root-.pub?
>
> cf-key -s
> [r...@client1 ppkeys]# cf-key -s
> IP Name Key
> 10.10.10.10 policysrv1.innovate.ibm.com MD5=b8d11c133a1bd29d369cd
> Total Entries: 1
> [r...@client1 ppkeys]#
>
> As I am writing this I noticed if I move the root-.pub out of the way
> it's happy again and talks nice with the server
>
> Any thoughts? I can add a cleanup in the RPM or via local policy to
> remove the root-.pub but I guess it might be good to see how this key
> is created... Are there any verbose options on the ppkey update
> process?
>
> - Gusto
>
> On Mon, Jan 10, 2011 at 3:04 PM, Erlend Leganger
> <erlend.legan...@gmail.com> wrote:
>> I went from 3.0.2 to 3.1.2 without any key issues - I haven't run cf-key on
>> any of the existing clients, so this upgrade was painless (with respect to
>> keys that is; static vs dynamic linking was quite another matter...).
>> - Erlend
>>
>>
>> On 10 January 2011 18:28, Gusto <gustofw...@gmail.com> wrote:
>>>
>>> Hi Folks,
>>>
>>> I have a ppkeys question: Has anyone had issues with 3.0.4/3.0.5p1
>>> generated keys and the new 3.1.2 keys updates? Does the 3.1.0+ new
>>> hash change the key so the server's public copy of the client no
>>> longer matches? Ideally I am going to move everything just was looking
>>> for others' experiences...
>>>
>>> I have an established environment with 200+ machines which has grown
>>> from 3.0.1 and is mostly at 3.0.5p1 at this point. I am testing the
>>> update to the 3.1.2 on the clients (servers still at 3.0.5p1) but I
>>> see some key issues preventing me from just making a large update.
>>>
>>> My current solution is to just remove the old keys from client and
>>> server then run cf-key to get things working again. When we commit to
>>> the update first to update are the main policy servers then the
>>> clients. Ideally I would like to just update the binaries leaving keys
>>> in place if possible. Before taking the 3.1.2 plunge I wanted to ask
>>> if anyone has done similar site updates?
>>>
>>> Best Regards,
>>> Gusto
>>> _______________________________________________
>>> Help-cfengine mailing list
>>> Help-cfengine@cfengine.org
>>> https://cfengine.org/mailman/listinfo/help-cfengine
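
The comparison asked for in the reply at the top of this thread (working out which host's key root-.pub really is), as an added example that is not part of the original messages and not CFEngine's own tooling. The function names are hypothetical, the key directory is passed as an argument, and the demo files are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Added example (not CFEngine code): find which stored public keys a stray
# file such as root-.pub duplicates, by comparing file contents.

# stray_keys DIR: print *.pub files whose identity part is empty (root-.pub).
stray_keys() {
    for f in "$1"/*-.pub; do
        [ -f "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# same_key_as DIR FILE: print the other *.pub files with identical contents.
same_key_as() {
    [ -f "$1/$2" ] || { echo "no such key file: $1/$2" >&2; return 1; }
    for f in "$1"/*.pub; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$2" ] && continue
        cmp -s "$1/$2" "$f" && printf '%s\n' "${f##*/}"
    done
    return 0
}

# report DIR: for every stray key, list the key files it matches.
report() {
    stray_keys "$1" | while IFS= read -r s; do
        matches=$(same_key_as "$1" "$s" | paste -sd ' ' -)
        printf '%s matches: %s\n' "$s" "${matches:-none}"
    done
}

# Demo on constructed files (placeholder contents, not real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf 'KEY-A\n' > "$d/localhost.pub"
    printf 'KEY-B\n' > "$d/root-10.10.10.10.pub"
    printf 'KEY-B\n' > "$d/root-policysrv1.example.com.pub"
    printf 'KEY-C\n' > "$d/root-10.10.10.11.pub"
    printf 'KEY-C\n' > "$d/root-.pub"
    report "$d"
    rm -rf "$d"
}

demo
```

Run `report` against a copy of the ppkeys directory; a stray key that matches no other file is reported as `none`, which is worth including in the bug report as well.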