I suggest you upgrade servers first and then make sure there are no mixed versions confusing each other. Try running updates without encryption until you have a uniform version.

On 02/14/2011 09:24 PM, Mike Svoboda wrote:
> I’ve upgraded all my clients to run version 3.1.4. My MPS have been
> chilling on 3.0.5p1. This setup works, although, I have to bounce
> cf-serverd daily because of memory leaks.
>
> When I upgrade my MPS to 3.1.4, I start running into OpenSSL errors.
> Here’s a client trying to pull down new configs.
>
> # /var/cfengine/bin/cf-agent -I -K -f failsafe.cf
> decryption FAILED at final of 59: error:0606506D:digital envelope
> routines:EVP_DecryptFinal:wrong final block length
> !! Transmission refused or failed statting
> /var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris/n??8?&ĚE?<_?I
> ????:A??N?آx?
> ?վ??G?Ԏ????IsǿG?i?Rut)
> Got:
> Transmission failed/refused talking to
> ech3-cfe-dmz-zone-v753.prod.linkedin.com:/var/cfengine/masterfiles/generic_cf-agent_policies/verify_hardware_health.cf
> in stat
> !!! System reports error for send: "Broken pipe"
>
>
> Googling against this error, it seems to be a generic OpenSSL error message:
> http://forums.opensuse.org/archives/sls-archives/archives-suse-linux/archives-network-security/archives-security/363298-openssl.html
>
>
> From the server, I see a bunch of REFUSAL messages. Probably because
> I’ve mandated that encryption be in place, and the client isn’t able to
> continue to communicate on an encrypted link.
>
> community> cf-serverd access list is empty, no files are visible
> community> Access control in sync
> community> From (host=ech3-zrepo01.prod,user=root,ip=172.17.53.57)
> community> REFUSAL of request from connecting host: (SYNCH 1297713683
> STAT /var/cfengine/masterfiles/cf-agent_modules/locate-server)
>
>
> I compiled Cfengine 3.1.4 using the configure option
> --with-openssl=/usr/sfw, which builds against the pre-packaged version of
> OpenSSL that ships with Solaris 10. Has anyone run into this, or have
> any suggestions?
>
> I’ve tried removing the contents of /var/cfengine/ppkeys on both the
> client / server, and regenerate keys using cf-key (thinking that there
> might be some old crufty SSL key data) but I’m continuing to hit the
> error above. If you’ve hit this issue, let me know what you needed to
> do to resolve.
>
> Here’s what I’m linked against on the MPS.
>
> $ ldd /var/cfengine/bin/cf-serverd
>         libpromises.so.1 => /var/cfengine/lib/libpromises.so.1
>         libpthread.so.1 => /usr/lib/libpthread.so.1
>         librt.so.1 => /usr/lib/librt.so.1
>         libpcre.so.0 => /usr/local/lib/libpcre.so.0
>         libnsl.so.1 => /usr/lib/libnsl.so.1
>         libsocket.so.1 => /usr/lib/libsocket.so.1
>         libm.so.2 => /usr/lib/libm.so.2
>         libdb-4.4.so => /usr/local/BerkeleyDB/4.4/lib/libdb-4.4.so
>         libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
>         libelf.so.1 => /usr/lib/libelf.so.1
>         libsec.so.1 => /usr/lib/libsec.so.1
>         libc.so.1 => /usr/lib/libc.so.1
>         libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
>         libaio.so.1 => /usr/lib/libaio.so.1
>         libmd.so.1 => /usr/lib/libmd.so.1
>         libmp.so.2 => /usr/lib/libmp.so.2
>         libscf.so.1 => /usr/lib/libscf.so.1
>         libthread.so.1 => /usr/lib/libthread.so.1
>         libavl.so.1 => /usr/lib/libavl.so.1
>         libdoor.so.1 => /usr/lib/libdoor.so.1
>         libuutil.so.1 => /usr/lib/libuutil.so.1
>         libgen.so.1 => /usr/lib/libgen.so.1
>         libcrypto_extra.so.0.9.7 =>
> /usr/sfw/lib/libcrypto_extra.so.0.9.7
>
>
> Thanks
> Mike
>
>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
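
When checking for mixed builds as the reply suggests, the `ldd` output quoted above can also be compared between hosts. The script below is an added example, not part of the original thread or of CFEngine: it extracts the libcrypto soname a binary resolves to and compares two hosts. Only the MPS lines come from the post; the client and unresolved-library samples are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare the libcrypto that two CFEngine binaries resolve to.

# MPS lines are taken from the ldd output quoted in the thread.
MPS_LDD='    libpromises.so.1 => /var/cfengine/lib/libpromises.so.1
    libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
    libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7'

# Constructed samples (not from the thread): a client built against a
# different OpenSSL, and a host where the loader cannot find libcrypto.
CLIENT_LDD='    libpromises.so.1 => /var/cfengine/lib/libpromises.so.1
    libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8'
BROKEN_LDD='    libcrypto.so.0.9.7 => (file not found)'

# crypto_link: read ldd output on stdin and print "soname path" for the
# first libcrypto entry, or "soname MISSING" if it did not resolve.
# libcrypto_extra is deliberately not matched.
crypto_link() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" {
        if ($3 ~ /^\//) { print $1, $3 } else { print $1, "MISSING" }
        exit
    }'
}

# same_crypto A B: 0 = same soname, 1 = different, 2 = missing/unresolved.
same_crypto() {
    a=$(printf '%s\n' "$1" | crypto_link)
    b=$(printf '%s\n' "$2" | crypto_link)
    [ -n "$a" ] && [ -n "$b" ] || return 2
    case "$a $b" in *MISSING*) return 2 ;; esac
    [ "${a%% *}" = "${b%% *}" ]
}

# On a live host, feed real output instead:
#   ldd /var/cfengine/bin/cf-serverd | crypto_link
printf 'MPS:    %s\n' "$(printf '%s\n' "$MPS_LDD" | crypto_link)"
printf 'client: %s\n' "$(printf '%s\n' "$CLIENT_LDD" | crypto_link)"
rc=0; same_crypto "$MPS_LDD" "$CLIENT_LDD" || rc=$?
case $rc in
    0) echo "same libcrypto soname" ;;
    1) echo "libcrypto soname differs between the two builds" ;;
    *) echo "libcrypto missing or unresolved on one side" ;;
esac
```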