Bug#1041323: CFEngine agent connection errors
On Thu, 20 Jul 2023 11:25:09 +0200 Guido Berhoerster <guido@berhoerster.name> wrote:
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 121
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/modules'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 130
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/modules'
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> Connection was hung up while receiving line:
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up while receiving line:
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Client closed connection early! He probably does not trust our key...
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Client closed connection early! He probably does not trust our key...
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 144
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Comment is 'If we failed to fetch policy we try again using
> the legacy default in case we are fetching policy
> from a hub that is not serving mastefiles via a
> shortcut.'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Method 'failsafe_cfe_internal_update' failed in some repairs
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs/cf_promises_validated'
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) Promise belongs to bundle 'cfe_internal_update_policy_cpv' in file '/var/lib/cfengine3/inputs/cfe_internal/update/update_policy.cf' near line 229
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) Comment is 'Check whether a validation stamp is available for a new policy update to reduce the distributed load'
The untrusted server key issue can be fixed by following the procedure on
manually establishing trust described in
https://cfengine.com/blog/2015/securely-deploying-cfengine-on-untrusted-networks/#on-each-client-we-deploy
However, checking back on bullseye, this error does not show up because cf-execd
and other daemons are not running; the init script looks at
/etc/default/cfengine3, where by default everything is disabled.
So I suppose the solution is to simply not enable the systemd services by
default.
--
Guido Berhoerster
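
An added example, not part of the original message and not CFEngine code: a Python script that groups the `TRUST FAILED` events in syslog output like the log quoted above by the key digest the server presented, so that digest can be compared with the hub's own key before trust is established manually. The sample lines are taken from the quoted log; the function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the log quoted in the message above.
SAMPLE_LOG = """\
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Client closed connection early! He probably does not trust our key...
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/modules'
Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs/cf_promises_validated'
"""

# Syslog prefix: timestamp, host, program[pid], then the message.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>cf-[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TRUST = re.compile(r"TRUST FAILED, server presented untrusted key: (?P<digest>\w+=[0-9a-f]+)")
NOSRV = re.compile(r"No suitable server found for '(?P<path>[^']+)'")
HANGUP = re.compile(r"(?P<peer>\S+)> Client closed connection early")

def summarize(log_text):
    """Return ({digest: {failures, pids, paths}}, peers seen hanging up by cf-serverd)."""
    by_digest = defaultdict(lambda: {"failures": 0, "pids": set(), "paths": []})
    pending = {}   # pid -> digest of the latest TRUST FAILED from that agent
    peers = set()  # peers that closed the connection during key exchange
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation of a multi-line comment, or another program
        pid, msg = m["pid"], m["msg"]
        if m["prog"] == "cf-agent":
            if (t := TRUST.search(msg)):
                entry = by_digest[t["digest"]]
                entry["failures"] += 1
                entry["pids"].add(pid)
                pending[pid] = t["digest"]
            elif (n := NOSRV.search(msg)) and pid in pending:
                # The copy that failed because of the preceding trust failure.
                by_digest[pending.pop(pid)]["paths"].append(n["path"])
        elif m["prog"] == "cf-serverd" and (h := HANGUP.search(msg)):
            peers.add(h["peer"])
    return dict(by_digest), peers

if __name__ == "__main__":
    digests, peers = summarize(SAMPLE_LOG)
    for digest, info in digests.items():
        print(digest, info["failures"], sorted(info["pids"]), info["paths"])
    print("server-side early hang-ups from:", sorted(peers))
```

A single digest across all failures, as in this log, points at one untrusted server key rather than several different peers.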