[ClusterLabs] Node replies with 401 ssl connect error
Jan Friesse
jfriesse at redhat.com
Wed Jan 15 10:31:15 EST 2020
Klaus Wenninger wrote:
> On 1/15/20 12:31 PM, Raffaele Pantaleoni wrote:
>>
>> Hello,
>>
>> I'm trying to set up a cluster made up of three servers.
>>
>> Two of them run on Debian 10 and they are already part of the cluster
>> and marked online.
>>
>> I can't join the third machine running on Debian 9.
>>
>> I can see the following error when trying to authenticate the third
>> machine:
>>
>> pcs host auth vracktenjin
>>
>> Username: hacluster
>> Password:
>> Running: /usr/bin/ruby -I/usr/share/pcsd/ /usr/share/pcsd/pcsd-cli.rb auth
>> Environment:
>> HOME=/root
>> LANG=en_US.UTF-8
>> LC_ALL=C
>> LOGNAME=root
>> MAIL=/var/mail/root
>> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>> PCSD_DEBUG=true
>> PCSD_NETWORK_TIMEOUT=60
>> PWD=/root
>> SHELL=/bin/bash
>> SHLVL=1
>> SSH_CLIENT=xx.xx.xx.xx 1612 22
>> SSH_CONNECTION=xx.xx.xx.xx 1612 46.105.107.214 22
>> SSH_TTY=/dev/pts/0
>> TERM=xterm
>> USER=root
>> XDG_RUNTIME_DIR=/run/user/0
>> XDG_SESSION_CLASS=user
>> XDG_SESSION_ID=19
>> XDG_SESSION_TYPE=tty
>> _=/usr/sbin/pcs
>> --Debug Input Start--
>> {"nodes": {"vracktenjin": {"dest_list": [{"addr": "vracktenjin",
>> "port": 2224}], "username": "hacluster", "password": "INE -> S_IDLE |
>> input=I_TE_SUCCESS cause=C_FSA_INTERNAL origin=notify_crmd"}}}
>> --Debug Input End--
>>
>>
>> Finished running: /usr/bin/ruby -I/usr/share/pcsd/
>> /usr/share/pcsd/pcsd-cli.rb auth
>> Return value: 0
>> --Debug Stdout Start--
>> {
>> "status": "ok",
>> "data": {
>> "auth_responses": {
>> "vracktenjin": {
>> "status": "noresponse"
>> }
>> },
>> "sync_successful": true,
>> "sync_nodes_err": [
>>
>> ],
>> "sync_responses": {
>> }
>> },
>> "log": [
>> "I, [2020-01-15T11:22:20.649294 #17621] INFO -- : PCSD Debugging
>> enabled\n",
>> "D, [2020-01-15T11:22:20.649320 #17621] DEBUG -- : Detected
>> systemd is in use\n",
>> "I, [2020-01-15T11:22:20.699475 #17621] INFO -- : Connecting to:
>> https://vracktenjin:2224/remote/auth\n",
>> "I, [2020-01-15T11:22:20.704920 #17621] INFO -- : No response
>> from: vracktenjin request: auth, error: ssl_connect_error\n"
>> ]
>> }
>>
>> --Debug Stdout End--
>> --Debug Stderr Start--
>>
>> --Debug Stderr End--
>>
>> Error: Unable to communicate with vracktenjin
>>
>> And the following error on the target machine pcsd.log file:
>>
>> ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0
>> state=error: sslv3 alert handshake failure
>> /usr/lib/ruby/2.3.0/openssl/ssl.rb:404:in `accept'
>>
>> Debian 10 versions:
>>
>> corosync 3.0.1
>>
>> pacemaker 2.0.1
>>
>> Debian 9 versions:
>>
>> corosync 2.4.2
>>
>> pacemaker 1.1.6
>>
>> Any hints?
>>
> What you are seeing looks like issues of different versions
> of pcsd connecting.
> But even if that would work this version mix wouldn't
> make you happy.
> Left alone corosync 2 & 3 afaik aren't wire-compatible
> even if you are using udpu on 3 (knet recommended).
> In general key-requirements have been raised with
> pacemaker 2 and, and, ....
> Only place where you might be able to mix these
> versions is if you are e.g. using Debian 10 for the
> cluster-nodes and Debian 9 on a remote node.
And/or qnetd node. But even there may be problems with enabled/supported
crypto ciphers/key lengths/...
Regards,
Honza
>
> Regards,
> Klaus
>>
>> (I previously set up a six machines test plant with no errors like this
>> one. All those machines are running on Debian 9)
>>
>> Thank you!
>>
>> Raffaele Pantaleoni
>>
>> _______________________________________________
>> Manage your subscription:
>> https://lists.clusterlabs.org/mailman/listinfo/users
>>
>> ClusterLabs home: https://www.clusterlabs.org/
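One way to check the TLS mismatch suspected in this thread, as an added example that is not part of the original messages or of pcs: it attempts one handshake per TLS version against a pcsd listener and reports which versions are accepted. The names `probe` and `survey` are hypothetical, the host name and port 2224 are taken from the debug output above, and Python 3.7 or later is assumed on the node running it.

```python
import socket
import ssl
import sys

# One handshake per protocol version, so each outcome is unambiguous.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, name, timeout=5.0):
    """Try a handshake pinned to one TLS version; return (name, result, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: only negotiation is examined here, so the certificate
    # is not verified. Do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError) as exc:
        return (name, "client_unsupported", str(exc))
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return (name, "unreachable", str(exc))  # TCP never connected
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return (name, "ok", tls.cipher()[0])
    except ssl.SSLError as exc:
        # The peer or the local OpenSSL rejected the negotiation.
        return (name, "handshake_failed", exc.reason or str(exc))
    except OSError as exc:
        return (name, "handshake_failed", str(exc))  # reset or timeout mid-handshake
    finally:
        raw.close()

def survey(host, port=2224, timeout=5.0):
    """Probe every version and list the ones the listener accepted."""
    results = [probe(host, port, name, timeout) for name in VERSIONS]
    return results, [name for name, result, _ in results if result == "ok"]

if __name__ == "__main__":
    # Usage: python3 probe.py vracktenjin   (host name from the thread)
    results, accepted = survey(sys.argv[1])
    for row in results:
        print("%-8s %-18s %s" % row)
    print("accepted:", ", ".join(accepted) or "none")
```

A row of `handshake_failed` for every version the connecting node can offer points at protocol or cipher settings rather than at credentials or reachability.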