#3286 SSL setup is not working for new xCAT installation

[Guang Cheng Li]

code checkin 14875 and 14876 seems to break xCAT installation, the SSL setup is wrong and the xcatclient could not communicate with xcatd. Here is the error:

Total 1.3 MB/s | 28 MB 00:21
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : 4:perl-xCAT-2.8-snap201301150402.noarch 1/10
Installing : 4:xCAT-client-2.8-snap201301150402.noarch 2/10
Installing : 4:xCAT-server-2.8-snap201301150402.noarch 3/10
Installing : 1:xCAT-genesis-base-x86_64-2.8-snap201301100835.noarch 4/10
Installing : 1:xCAT-genesis-scripts-x86_64-2.8-snap201301140009.noarch 5/10
Non-fatal POSTIN scriptlet failure in rpm package 1:xCAT-genesis-scripts-x86_64-2.8-snap201301140009.noarch
mknb x86_64...
Connection failure: IO::Socket::INET: connect: Connection refused at /opt/xcat/lib/perl/xCAT/Client.pm line 200.
Unable to open socket connection to xcatd daemon on localhost:3001.
Verify that the xcatd daemon is running and that your SSL setup is correct.
warning: %post(xCAT-genesis-scripts-x86_64-1:2.8-snap201301140009.noarch) scriptlet failed, exit status 111
Installing : syslinux-xcat-3.86-2.noarch 6/10
Installing : ipmitool-xcat-1.8.11-3.x86_64 7/10
Installing : conserver-xcat-8.1.16-9.x86_64 8/10
Installing : elilo-xcat-3.14-4.noarch 9/10
Installing : xCAT-2.8-snap201301150402.x86_64 10/10
Generating new node hostkeys...
Generating SSH1 RSA Key...
Generating SSH2 RSA Key...
Generating SSH2 DSA Key...
Added updates to the /root/.ssh/config file.
Generated /root/.ssh/id_rsa.pub.
Copied /root/.ssh/id_rsa.pub to /install/postscripts/_ssh/authorized_keys.

Setting up basic certificates. Respond with a 'y' when prompted.

NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
Generating a 2048 bit RSA private key
....................................................+++
...........+++
writing new private key to 'private/ca-key.pem'

---

/
Created xCAT certificate.
Generating RSA private key, 2048 bit long modulus
........................+++
.........+++
e is 65537 (0x10001)
Error Loading extension section server
140314649769800:error:2206506F:X509 V3 routines:v2i_ASN1_BIT_STRING:unknown bit string argument:v3_bitst.c:132:section:,name:digiatalSignature,value:
140314649769800:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=keyUsage, value=digiatalSignature,KeyAgreement
cp: cannot stat server-req.pem': No such file or directory / Using configuration from openssl.cnf Error Loading extension section server 139991600031560:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/etc/xcat/ca/index.attr','rb') 139991600031560:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129: 139991600031560:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197: 139991600031560:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn 139991600031560:error:2206506F:X509 V3 routines:v2i_ASN1_BIT_STRING:unknown bit string argument:v3_bitst.c:132:section:,name:digiatalSignature,value: 139991600031560:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=keyUsage, value=digiatalSignature,KeyAgreement rm: cannot removex3250m4n01.csr': No such file or directory
/
Generating RSA private key, 2048 bit long modulus
................................................................................+++
..............................+++
e is 65537 (0x10001)
Error Loading extension section usr_crt
cp: cannot stat client-req.pem': No such file or directory / Using configuration from openssl.cnf Error Loading extension section usr_cert 139785060038472:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/etc/xcat/ca/index.attr','rb') 139785060038472:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129: 139785060038472:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197: 139785060038472:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn 139785060038472:error:2206506F:X509 V3 routines:v2i_ASN1_BIT_STRING:unknown bit string argument:v3_bitst.c:132:section:,name:digiatalSignature,value: 139785060038472:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=keyUsage, value=digiatalSignature,KeyAgreement rm: cannot removeroot.csr': No such file or directory
/
Created xCAT certificate.
Command failed: grep Subject /etc/xcat/cert/server-cert.pem 2>&1. Error message: .

Error from grep Subject /etc/xcat/cert/server-cert.pem.
MN policy not created.
Restarting xCATd [ OK ]
named has been enabled on boot.
The mknb x86_64 command completed successfully.
httpd has been restarted.
SELINUX is not disabled, disabling it now...
xCAT is now running, it is recommended to tabedit networks
and set a dynamic ip address range on any networks where nodes
are to be discovered. Then, run makedhcp -n to create a new dhcpd
configuration file, and /etc/init.d/dhcpd restart. Either examine sample
configuration templates, or write your own, or specify a value per
node with nodeadd or tabedit.

[root@idplex04 iso]# nodels
Can't use an undefined value as a symbol reference at /opt/xcat/lib/perl/xCAT/Client.pm line 228.
[root@idplex04 iso]#

[Lissa Valletta]

• Description has changed:

Diff:

--- old
+++ new
@@ -32,7 +32,7 @@

 Setting up basic certificates.  Respond with a 'y' when prompted.

-# NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
+NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
 Generating a 2048 bit RSA private key
 ....................................................+++
 ...........+++

[Lissa Valletta]

[root@hpcrhmn trunk]# svn update
U xCAT-server/share/xcat/ca/openssl.cnf.tmpl
U xCAT-server/share/xcat/scripts/setup-local-client.sh
Updated to revision 14919.