
Bug#1041323: CFEngine agent connection errors



On Thu, 20 Jul 2023 11:25:09 +0200 Guido Berhoerster <guido@berhoerster.name> wrote:
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  No suitable server found for '/var/lib/cfengine3/inputs'
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 121
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]:    error: ::1>             SSL_write: underlying network error (Broken pipe)
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>             SSL_write: underlying network error (Broken pipe)
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             Connection was hung up!
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>             Connection was hung up!
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  No suitable server found for '/var/lib/cfengine3/modules'
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 130
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Errors encountered when actuating files promise '/var/lib/cfengine3/modules'
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]:    error: ::1>             SSL_write: underlying network error (Broken pipe)
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>             SSL_write: underlying network error (Broken pipe)
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             Connection was hung up!
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>             Connection was hung up!
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]:    error: ::1>             Connection was hung up while receiving line:
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>             Connection was hung up while receiving line:
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             Client closed connection early! He probably does not trust our key...
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>             Client closed connection early! He probably does not trust our key...
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  No suitable server found for '/var/lib/cfengine3/inputs'
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 144
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Comment is 'If we failed to fetch policy we try again using
>                                                                       the legacy default in case we are fetching policy
>                                                                       from a hub that is not serving mastefiles via a
>                                                                       shortcut.'
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  Method 'failsafe_cfe_internal_update' failed in some repairs
>     Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
>     Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  No suitable server found for '/var/lib/cfengine3/inputs/cf_promises_validated'
>     Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  Promise belongs to bundle 'cfe_internal_update_policy_cpv' in file '/var/lib/cfengine3/inputs/cfe_internal/update/update_policy.cf' near line 229
>     Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  Comment is 'Check whether a validation stamp is available for a new policy update to reduce the distributed load'


The untrusted server key issue can be fixed by following the procedure on 
manually establishing trust described in
https://cfengine.com/blog/2015/securely-deploying-cfengine-on-untrusted-networks/#on-each-client-we-deploy

However, checking back on bullseye, this error does not show up because cf-execd
and other daemons are not running; the init script looks at
/etc/default/cfengine3, where by default everything is disabled.

So I suppose the solution is to simply not enable the systemd services by 
default.

-- 
Guido Berhoerster
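
Added example, not part of the original message or of CFEngine: a small Python summarizer for syslog lines like those quoted above. It groups the agent's TRUST FAILED events by the rejected key digest and lists what could not be fetched as a result. The function name and report layout are assumptions; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Lines taken from the log quoted above (a subset, mail quoting prefix kept).
SAMPLE = """\
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
>     Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent)  No suitable server found for '/var/lib/cfengine3/inputs'
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]:   notice: ::1>             Client closed connection early! He probably does not trust our key...
>     Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server)  ::1>             Client closed connection early! He probably does not trust our key...
>     Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
>     Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent)  No suitable server found for '/var/lib/cfengine3/inputs/cf_promises_validated'
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>cf-[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TRUST = re.compile(r"TRUST FAILED, server presented untrusted key: (\w+=[0-9a-f]+)")
NOSRV = re.compile(r"No suitable server found for '([^']+)'")
EARLY = "Client closed connection early"


def summarize(log_text):
    """Group agent trust failures by rejected key digest; count server-side early closes."""
    last_key = {}  # agent PID -> key digest it most recently rejected
    keys = defaultdict(lambda: {"agent_pids": set(), "unfetched": set()})
    early_closes = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> "))  # accept mail-quoted lines too
        if not m:
            continue  # blank lines and continuation lines of multi-line messages
        prog, pid, msg = m["prog"], int(m["pid"]), m["msg"]
        if prog == "cf-agent":
            if t := TRUST.search(msg):
                last_key[pid] = t[1]
                keys[t[1]]["agent_pids"].add(pid)
            elif (n := NOSRV.search(msg)) and pid in last_key:
                # Attribute the failed fetch to the key this agent run rejected.
                keys[last_key[pid]]["unfetched"].add(n[1])
        elif prog == "cf-serverd" and EARLY in msg:
            # In the quoted log each cf-serverd message appears twice ("notice:"
            # and "CFEngine(server)" prefixed); count only one of the pair.
            early_closes += msg.startswith("CFEngine(server)")
    return {
        "keys": {k: {f: sorted(v) for f, v in d.items()} for k, d in keys.items()},
        "server_early_closes": early_closes,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
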

