Hi Daniel,

Thanks a bunch! I thought something was missing or needed an update in genimage and those scripts, but I got tired last night and left it to do further checking in the morning. It's great that you found the issue and have a fix for it.

I am wondering why the openssl extensions are needed in the first place to generate the certificate. I mean here (from your GitHub):

    openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -extensions usr_cert -subj "/CN=$CNA" -batch

I will test it out and let you know soon how it goes.

Thanks again!
--imam

On Fri, Jan 3, 2025 at 3:47 AM Daniel Hilst via xCAT-user <xcat-user@lists.sourceforge.net> wrote:

> Hi Imam, I had the same problem
>
> I was assembling some patches to send to the upstream but I didn't finish
> it, here: https://gist.github.com/dhilst/90bc7e6bf0c4dab10cb0e923297eba0f
>
> There are two patches for the certificate scripts which should solve
> the problem, the patch for genimage, I'm not sure if it is required or not
> yet
>
> I hope this helps
>
> Regards,
> Daniel
>
> ------------------------------
> *From:* Imam Toufique <techie...@gmail.com>
> *Sent:* Friday, January 3, 2025 4:13 AM
> *To:* xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> *Subject:* Re: [xcat-user] xCAT latest version install failure in Rocky 9.5
>
> Hello,
>
> After looking further, it looks to me that the installer fails to do the
> smoke test since the SSL client certificates are not installed.
>
> This script, /opt/xcat/share/xcat/scripts/setup-local-client.sh, is
> probably the script that generates the client certs in the /root/.xcat
> directory.
>
> When it runs, it seems to be failing here:
>
> openssl req -config /etc/xcat/ca/openssl.cnf -new -key client-key.pem -out
> client-req.pem -extensions usr_cert -subj /CN=root
> Error adding request extensions from section usr_cert
> 001EDAAFD77F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no
> issuer certificate:crypto/x509/v3_akid.c:156:
> 001EDAAFD77F0000:error:11000080:X509 V3
> routines:X509V3_EXT_nconf_int:error in
> extension:crypto/x509/v3_conf.c:48:section=usr_cert,
> name=authorityKeyIdentifier, value=keyid,issuer
>
> So, the client-req.pem file creation fails and then the rest of the file
> creations fail.
>
> I am not sure what could be the problem in the openssl.cnf file in the
> [usr_cert] section. Something in that section openssl does not like,
> that's my suspicion. I compared it to an installation done in Rocky 8.10 OS,
> and openssl.cnf is the same file as the new installation. The only
> difference I see is that the openssl version changed in Rocky 9 Linux. That might be
> the cause of it?
>
> Has anyone installed the latest xcat in RHEL 9 or Rocky 9?
>
> Thanks again.
>
> On Thu, Jan 2, 2025 at 10:09 PM Imam Toufique <techie...@gmail.com> wrote:
>
> Hello,
> Happy new year to everyone!
>
> I am attempting to do a new install with the go-xcat script in Rocky 9.5.
> And it is not happy towards the end of installation.
>
> Here is the error I see:
>
> yaboot-xcat 1.3.17-rc1 1.3.17-rc1
>
> .========
> '-> test_case_000_version ... returned with 0
>
> .-> test_case_001_xcatd
> '========
> .========
> '-> test_case_001_xcatd ... returned with 0
>
> .-> test_case_002_lsdef
> '========
> go-xcat: Attempt of run `lsdef' failed
> .========
> '-> test_case_002_lsdef ... returned with 25
>
> Boo-boo
> =======
>
> Something went wrong. :(
>
> It looks like xcatd starts though
> [root@poc-mgmt ~]# systemctl status xcatd
> ● xcatd.service - xCAT management service
> Loaded: loaded (/usr/lib/systemd/system/xcatd.service; enabled;
> preset: disabled)
> Active: active (running) since Thu 2025-01-02 22:01:12 PST; 42s ago
> Main PID: 142694 (xcatd: SSL list)
> Tasks: 7 (limit: 1646266)
> Memory: 70.2M
> CPU: 2.352s
> CGroup: /system.slice/xcatd.service
> ├─142693 /usr/sbin/in.tftpd -v -l -s /tftpboot -m
> /etc/tftpmapfile4xcat.conf
> ├─142694 "xcatd: SSL listener"
> ├─142695 "xcatd: DB Access"
> ├─142696 "xcatd: UDP listener"
> ├─142697 "xcatd: install monitor"
> ├─142698 "xcatd: Discovery worker"
> └─142699 "xcatd: Command log writer"
>
> Jan 02 22:01:10 poc-mgmt systemd[1]: Starting xCAT management service...
> Jan 02 22:01:11 poc-mgmt xcat[142664]: xcatd is going to start...
> Jan 02 22:01:12 poc-mgmt xcat[142697]: xcatd: install monitor process
> 142697 start
> Jan 02 22:01:12 poc-mgmt xcat[142696]: xcatd: UDP listener process 142696
> start
> Jan 02 22:01:12 poc-mgmt xcat[142699]: xcatd: Command log writer process
> 142699 start
> Jan 02 22:01:12 poc-mgmt xcat[142698]: xcatd: Discovery worker process
> 142698 start
>
> But when I want to do any lookups then the SSL certificates are causing
> issues:
>
> [root@poc-mgmt ~]# tabdump site
> Unable to open socket connection to xcatd daemon on localhost:3001.
> Verify that the xcatd daemon is running and that your SSL setup is correct.
> Connection failure: at /opt/xcat/lib/perl/xCAT/Client.pm line 282.
>
> That tells me the installation script must have had more things to do and
> it did not complete those steps.
>
> Any help would be appreciated!
>
> Thanks
> --imam
>
> --
> Regards,
> *Imam Toufique*
> *213-700-5485*
> _______________________________________________
> xCAT-user mailing list
> xCAT-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xcat-user

--
Regards,
*Imam Toufique*
*213-700-5485*
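
Added example, not part of the thread and not Daniel's patch or xCAT's own scripts: `authorityKeyIdentifier = keyid,issuer` refers to an issuer certificate, which exists when the CA signs but not while the request is being built. The sketch uses a throwaway CA and a constructed minimal openssl.cnf (the file names, the `ca_ext` section and the `demo_client_cert` function are assumptions) to build the request without extensions and apply `usr_cert` at signing time.

```shell
# Added example: throwaway CA in a temp dir; every file name is constructed.
# Returns 0 when the signed client cert verifies and carries an AKID.
demo_client_cert() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Constructed config; only the usr_cert AKID value comes from the thread.
        cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
        openssl genrsa -out ca-key.pem 2048 2>/dev/null || exit 1
        openssl req -config openssl.cnf -x509 -new -key ca-key.pem -days 1 \
            -subj "/CN=demo-ca" -extensions ca_ext -out ca-cert.pem || exit 1
        openssl genrsa -out client-key.pem 2048 2>/dev/null || exit 1
        # Form quoted in the thread: extensions requested while building the
        # CSR, before any issuer exists. The outcome depends on the OpenSSL build.
        if openssl req -config openssl.cnf -new -key client-key.pem -batch \
            -out probe-req.pem -extensions usr_cert -subj "/CN=root" 2>/dev/null
        then echo "CSR with -extensions usr_cert: accepted by this build"
        else echo "CSR with -extensions usr_cert: rejected by this build"
        fi
        # Request without extensions; usr_cert is applied by the signer.
        openssl req -config openssl.cnf -new -key client-key.pem \
            -out client-req.pem -subj "/CN=root" -batch || exit 1
        openssl x509 -req -in client-req.pem -CA ca-cert.pem \
            -CAkey ca-key.pem -CAcreateserial -days 1 -extfile openssl.cnf \
            -extensions usr_cert -out client-cert.pem 2>/dev/null || exit 1
        openssl verify -CAfile ca-cert.pem client-cert.pem >/dev/null || exit 1
        openssl x509 -in client-cert.pem -noout -text | grep -q "Authority Key Identifier"
    )
    rc=$?; rm -rf "$d"; return $rc
}
demo_client_cert && echo "client certificate issued and verified"
```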