This repository has been archived by the owner on Jul 14, 2021. It is now read-only.
opscode-pushy-server 1.* and Chef-server >= 12.10 do not work oob #154
Labels
Triage: Try Reproducing
Indicates that this issue needs to be reproduced.
Type: Bug
Doesn't work as expected.
Comments
andy-dufour
changed the title
|
I apologize for any pain updating the cipher suite has caused. chef/chef-server/pull/1007 was merged yesterday and addressed some compatibility with AWS Classic ELBs by adding AES256-GCM-SHA384 back into the cipher suite. It is possible this change will also address this issue by preventing the problem from arising, however this will need to be verified with either a version of chef-server from the |
|
Also, it is possible limiting TLS to v1.2 in server may have been too restrictive for pushy with pushy's current configuration. /cc @chef/server-team |
PrajaktaPurohit
added
Type: Bug
|
@andy-dufour Thank you for reporting the issue. We will try reproducing this with push-jobs-server2, since issues with push-jobs-server1 will not be fixed. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
After install, you'll receive the following error anytime a pushy API is hit:
2016-11-09 18:21:19.923 [error] <0.279.0> Webmachine error at path "/organizations/delivery/pushy/node_states" : {throw,{error,{conn_failed,{error,closed}}},[{pushy_http_common,fetch_authenticated,2,[{file,"src/pushy_http_common.erl"},{line,44}]},{pushy_org,fetch_org_id,1,[{file,"src/pushy_org.erl"},{line,38}]},{pushy_object,fetch_org_id,1,[{file,"src/pushy_object.erl"},{line,45}]},{pushy_wm_base,verify_request_signature,2,[{file,"src/pushy_wm_base.erl"},{line,157}]},{pushy_wm_base,is_authorized,2,[{file,"src/pushy_wm_base.erl"},{line,135}]},{webmachine_resource,resource_call,3,[{file,"src/webmachine_..."},...]},...]}This was caused by TLS and cipher suite changes on the Chef server, and pushy servers http client libraries can no longer make requests to the Chef server with the new defaults added via this commit:
chef/chef-server@ec8a5e2
To validate this was the problem, on a chef-server 12.10 machine I ensured push server failed (
knife node statusreturned a http status code 500, and pushy server logs showed the above)I set the following in my chef-server.rb:
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"and reconfigured chef server.
knife node statusnow returns the correct results.The text was updated successfully, but these errors were encountered: