From: Michael R. <mic...@gm...> - 2008-02-23 19:01:37
On Wednesday 20 February 2008 18:36, Bjørn Ruberg wrote:
> Michael Renner wrote:
> > [...]
> >
> > Like shown in
> > http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php I
> > made two keys:

Moin,

I am a little bit further.

> [...]
> >
> > -----
> > Country Name (2 letter code) [AU]:DE
> > State or Province Name (full name) [Some-State]:Germany
> > Locality Name (eg, city) []:Munich
> > Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> > Organizational Unit Name (eg, section) []:
> > Common Name (eg, YOUR name) []:Michael Renner
>
> When using certificates for authenticating servers or clients the
> "common name" must match the FQDN of the server. It shouldn't be
> necessary when running in what I called "non-paranoid" mode, but I guess
> it won't hurt either.

I made a new key with these settings. In munin-node.log there is this
message (charon.mtr.mynet is the FQDN):

TLS Notice: Cipher `AES256-SHA'.
TLS Notice: client cert: Subject Name: /C=DE/ST=Germay/L=Munich/O=Internet Widgits Pty Ltd/CN=charon.mtr.mynet/ema...@gm...\nIssuer Name: /C=DE/ST=Germay/L=Munich/O=Internet Widgits Pty Ltd/CN=charon.mtr.mynet/ema...@gm...

> > Feb 20 16:00:16 [5577] - [TLS] TLS enabled.
> > Feb 20 16:00:16 [5577] - [TLS] Cipher `(NONE)'.
> > Feb 20 16:00:16 [5577] - [TLS] client cert: Subject Name:
> > undefined\nIssuer Name: undefined
>
> The above error, "Subject Name: undefined\nIssuer Name: undefined"
> originates from Net::SSLeay. From the Net::SSLeay manual page, the
> message indicates that the client certificate, used by munin-update, is
> missing/not accessible/broken. You should check the file permissions on
> these files as well.

File perms are 444:

-r--r--r-- 1 munin root  891 2008-02-20 20:03 /etc/munin/ssl-cert-snakeoil.key
-r--r--r-- 1 munin root 1322 2008-02-20 20:03 /etc/munin/ssl-cert-snakeoil.pem

[...]

> > And in the munin-node.conf:
> > 2008/02/20-16:00:03 CONNECT TCP Peer: "127.0.0.1:2750" Local:
> > "127.0.0.1:4949" 2008/02/20-16:00:04 [5578] TLS Notice: No key file
> > "/etc/munin/munin-node.pem". Continuing without private key.
> > 2008/02/20-16:00:04 [5578] TLS Notice: No certificate file
> > "/etc/munin/munin-node.pem". Continuing without certificate.
> >
> > This is confusing, because I did not mention
> > '/etc/munin/munin-node.pem' in any config file.
>
> You don't need to. When you enable TLS, munin-node looks for a
> certificate (even though it's not really required to enforce TLS), and
> "/etc/munin/munin-node.pem" is the default file path when not defined
> using the directive "tls_certificate".
>
> This behaviour is documented in "perldoc munin.conf" (still from the svn
> trunk). The identical directives are used in munin-node.conf but that
> part of the documentation hasn't made its way to "perldoc
> munin-node.conf" yet. Work in progress.
>
> > As far as I saw in
> > http://munin.projects.linpro.no/wiki/MuninTLSSetup is the key_file only
> > required in the 'complete certificate chain' mode.
>
> And that is correct. It is not required, but munin-node likes to check
> anyway.
>
> > Anyhow: I adjusted munin-node.conf to
> > tls enabled
> > tls_private_key /etc/munin/ssl-cert-snakeoil.key
> > tls_certificate /etc/munin/ssl-cert-snakeoil.pem
> >
> > Now it is working.
>
> It was also working earlier, according to yourself:
> > I enabled tls in munin-node.conf (and restart). This is working, I
> > checked it with telnet to port 4949: I require TLS. Closing.
>
> > But how? The documentation does not mention these two settings and
> > as far as I see through encryption it is not required.
>
> Yes, and that is still true. They are not *required*. The communication
> is just as encrypted without them. Use a network sniffer to verify. You
> just think you need the key files because of the messages that appeared
> in the log, but those messages were warnings and not critical errors.

Hm, so I removed the key names from munin-node.conf, I just left
'tls enabled'. But now the fetch process fails:

munin-update.log:

Feb 23 19:50:33 [2979] - [TLS] TLS enabled.
Feb 23 19:50:33 [2979] - [TLS] Cipher `(NONE)'.
Feb 23 19:50:33 [2979] - [TLS] client cert: Subject Name: undefined\nIssuer Name: undefined
Feb 23 19:50:33 [2979] - [WARNING] in write_socket_single: 2979: 1 - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
Feb 23 19:50:41 [2978] - Reaping child: charon -> charon.
Feb 23 19:50:41 [2978] - Attempting to use old configuration for charon -> charon.
Feb 23 19:50:42 [2978] - Munin-update finished (21.50 sec)

munin-node.log:

2008/02/23-19:50:13 CONNECT TCP Peer: "192.168.5.53:55214" Local: "192.168.5.211:4949"
2008/02/23-19:50:15 [2974] ERROR: Client did not request TLS. Closing.
2008/02/23-19:50:22 CONNECT TCP Peer: "127.0.0.1:1839" Local: "127.0.0.1:4949"
2008/02/23-19:50:24 [2980] TLS Notice: No key file "/etc/munin/munin-node.pem". Continuing without private key.
2008/02/23-19:50:24 [2980] TLS Notice: No certificate file "/etc/munin/munin-node.pem". Continuing without certificate.
2008/02/23-19:50:33 [2980] Connection timed out. timeout at /usr/sbin/munin-node line 556, <STDIN> line 1.

The node closes the connection because the master did not request TLS.
The master has only this warning ....

What can I try next?

Thanks
-- 
|Michael Renner      E-mail: mic...@gm... |
|D-81541 Munich      Germany ICQ: #112280325    |
|Germany             Don't drink as root! ESC:wq |
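The checks the two posters work through by hand above (key and certificate readable by the user munin-node runs as, the certificate's common name equal to the node's FQDN, and the tls_private_key / tls_certificate directives pointing at those files) can be scripted. The script below is an added example, not code from the Munin project or from either poster. It assumes the openssl command-line tool is on PATH, writes into a scratch directory rather than /etc/munin, and defaults to the hostname charon.mtr.mynet seen in the log lines above; the Subject fields other than CN are placeholders.

```shell
#!/bin/sh
# Added example (not Munin project code): generate a self-signed key/cert
# for munin-node and run the sanity checks the thread arrives at by hand.
# Assumptions: openssl CLI on PATH; WORK is a scratch dir, not /etc/munin;
# FQDN defaults to the hostname from the thread's log lines.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-charon.mtr.mynet}"
KEY="$WORK/munin-node.key"
CERT="$WORK/munin-node.pem"

# Self-signed certificate whose CN is the node's FQDN.  -nodes leaves the
# key unencrypted: a daemon cannot answer a passphrase prompt at start-up.
gen_node_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=DE/ST=Germany/L=Munich/O=Example/CN=$FQDN" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
    chmod 0400 "$KEY"    # private key: owner-read only (the munin user in production)
    chmod 0444 "$CERT"   # the certificate itself is public
}

# Print the CN from a certificate's subject (empty if there is none).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# munin_tls_check KEY CERT FQDN
# Returns 0 when both files are readable, the key belongs to the cert and
# the cert's CN equals FQDN; otherwise prints each reason and returns 1.
munin_tls_check() {
    key="$1"; cert="$2"; host="$3"; rc=0
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "unreadable: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # The public key derived from the private key must equal the one in the cert.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "key and certificate do not match"; rc=1
    fi
    cn=$(cert_cn "$cert")
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match FQDN '$host'"; rc=1; }
    return "$rc"
}

# The munin-node.conf fragment from the thread, pointing at the checked files.
node_conf_fragment() {
    printf 'tls enabled\ntls_private_key %s\ntls_certificate %s\n' "$KEY" "$CERT"
}

gen_node_cert
if munin_tls_check "$KEY" "$CERT" "$FQDN"; then
    node_conf_fragment
fi
```

Run it as the account munin-node runs under so the readability checks reflect what the daemon sees; the scratch directory is left in place for inspection. It only covers the file-level causes of the "Subject Name: undefined" notice (unreadable, mismatched or wrongly named files); it does not exercise the master's STARTTLS exchange itself.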