[ClusterLabs] Node replies with 401 ssl connect error

Klaus Wenninger kwenning at redhat.com
Wed Jan 15 07:22:01 EST 2020 

On 1/15/20 12:31 PM, Raffaele Pantaleoni wrote:
>
> Hello,
>
> I'm trying to setup a cluster made up by three servers.
>
> Two of them runs on Debian 10 and they are already part of the cluster
> and marked online.
>
> I can't join the third machine running on Debian 9.
>
> I can see the following error when trying to authenticate the third
> machine:
>
> pcs host auth vracktenjin
>
> Username: hacluster
> Password:
> Running: /usr/bin/ruby -I/usr/share/pcsd/ /usr/share/pcsd/pcsd-cli.rb auth
> Environment:
>   HOME=/root
>   LANG=en_US.UTF-8
>   LC_ALL=C
>   LOGNAME=root
>   MAIL=/var/mail/root
>   PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>   PCSD_DEBUG=true
>   PCSD_NETWORK_TIMEOUT=60
>   PWD=/root
>   SHELL=/bin/bash
>   SHLVL=1
>   SSH_CLIENT=xx.xx.xx.xx 1612 22
>   SSH_CONNECTION=xx.xx.xx.xx 1612 46.105.107.214 22
>   SSH_TTY=/dev/pts/0
>   TERM=xterm
>   USER=root
>   XDG_RUNTIME_DIR=/run/user/0
>   XDG_SESSION_CLASS=user
>   XDG_SESSION_ID=19
>   XDG_SESSION_TYPE=tty
>   _=/usr/sbin/pcs
> --Debug Input Start--
> {"nodes": {"vracktenjin": {"dest_list": [{"addr": "vracktenjin",
> "port": 2224}], "username": "hacluster", "password": "INE -> S_IDLE |
> input=I_TE_SUCCESS cause=C_FSA_INTERNAL origin=notify_crmd"}}}
> --Debug Input End--
>
>
> Finished running: /usr/bin/ruby -I/usr/share/pcsd/
> /usr/share/pcsd/pcsd-cli.rb auth
> Return value: 0
> --Debug Stdout Start--
> {
>   "status": "ok",
>   "data": {
>     "auth_responses": {
>       "vracktenjin": {
>         "status": "noresponse"
>       }
>     },
>     "sync_successful": true,
>     "sync_nodes_err": [
>
>     ],
>     "sync_responses": {
>     }
>   },
>   "log": [
>     "I, [2020-01-15T11:22:20.649294 #17621]  INFO -- : PCSD Debugging
> enabled\n",
>     "D, [2020-01-15T11:22:20.649320 #17621] DEBUG -- : Detected
> systemd is in use\n",
>     "I, [2020-01-15T11:22:20.699475 #17621]  INFO -- : Connecting to:
> https://vracktenjin:2224/remote/auth\n",
>     "I, [2020-01-15T11:22:20.704920 #17621]  INFO -- : No response
> from: vracktenjin request: auth, error: ssl_connect_error\n"
>   ]
> }
>
> --Debug Stdout End--
> --Debug Stderr Start--
>
> --Debug Stderr End--
>
> Error: Unable to communicate with vracktenjin
>
> And the follwing error on the target machine pcsd.log file:
>
> ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0
> state=error: sslv3 alert handshake failure
>         /usr/lib/ruby/2.3.0/openssl/ssl.rb:404:in `accept'
>
> Debian 10 versions:
>
>     corosync 3.0.1
>
>     pacemaker 2.0.1
>
> Debian 9 versions:
>
>     corosync 2.4.2
>
>     pacemaker 1.1.6
>
> Any hints?
>
What you are seeing looks like issues of different versions
of pcsd connecting.
But even if that would work this version mix wouldn't
make you happy.
Left alone corosync 2 & 3 afaik aren't wire-compatible
even if you are using udpu on 3 (knet recommended).
In general key-requirements have been raised with
pacemaker 2 and, and, ....
Only place where you might be able to mix these
versions is if you are e.g. using Debian 10 for the
cluster-nodes and Debian 9 on a remote node.

Regards,
Klaus
>
> (I previously setup a six machines test plant with no errors like this
> one. All those machines are running on Debian 9)
>
> Thank you!
>
> Raffaele Pantaleoni
>
> /
> /
>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20200115/0efcf491/attachment-0001.html>

More information about the Users mailing list