OPSI 4.3 | OPSIPXECONFD SSL-ERROR

Posted: 07 Nov 2024, 08:49
by k.scholz
Hi,

I have the problem that the opsipxeconfd service does not start because of an SSL_ERROR, see the log below.
No intermediate CA is used; the opsi CA's own certificates are used instead.
Integration is via SSSD and Active Directory, and the opsi system users (pcpatch/opsiconfd) and groups (opsiadmins, opsifileadmins) come from AD.

Best regards
Kay

First, a short overview:

- OPSI packages:

    Installieren opsi-linux-bootimage-20240715-4.1.noarch @uibmz_opsi_4.3_stable
    Installieren opsi-server-full-4.3.5.0-1.5.noarch      @uibmz_opsi_4.3_stable
    Installieren opsi-tftp-hpa-server-5.2.8-81.19.x86_64  @uibmz_opsi_4.3_stable
    Installieren opsi-utils-4.3.10.6-1.1.x86_64           @uibmz_opsi_4.3_stable
    Installieren opsi-webgui-4.3.39-1.1.noarch            @uibmz_opsi_4.3_stable
    Installieren opsiconfd-4.3.24.8-1.1.x86_64            @uibmz_opsi_4.3_stable
    Installieren opsipxeconfd-4.3.5.0-1.6.x86_64          @uibmz_opsi_4.3_stable
    Installieren redis-server-6.0.16-2.44.x86_64          @uibmz_opsi_4.3_stable
    Installieren redis-timeseries-1.6.19.6-1.11.x86_64    @uibmz_opsi_4.3_stable
    Installieren redis-tools-6.0.16-2.44.x86_64           @uibmz_opsi_4.3_stable
- health-check

opsiconfd health-check
● Operating System End Of Life: ERROR
   ➔ Linux distribution ol is not supported.

Checking disk usage
Checking disk usage
Checking disk usage
● Disk usage: OK
   ➔ Sufficient free space on all file systems.

● System repositories: ERROR
   ➔ System and opsi repositories are incompatible. System 'ol 9' using repository: uibmz_opsi_4.3_stable opsi 4.3 stable (Redhat Basis 9)

● System packages: OK
   ➔ All packages are up to date.

● OPSI Failed Addons: OK
   ➔ No errors found while loading addons.

● Depotserver: OK
   ➔ No problems found with the depot servers.

● OPSI Backup: ERROR
   ➔ The last successful backup was created more than 24 hours ago.

● Run As User: OK
   ➔ No issues found with user 'opsiconfd'.

● Opsiconfd Config: OK
   ➔ No issues found in the configuration.

● OPSI Configuration: OK
   ➔ No issues found in the opsi configuration.

● Deprecated API Calls: OK
   ➔ No deprecated method calls found.

● LDAP Connection: OK
   ➔ LDAP authentication is not configured.

● MySQL: OK
   ➔ No MySQL issues found.

● Unique Hardware Addresses: OK
   ➔ All hardware addresses are unique.

● OPSI Licenses: OK
   ➔ 0 active clients

● Products On Depots: ERROR
   ➔ Failed to get package info from repository 'https://opsipackages.43.opsi.org/stable/packages.msgpack.zstd': HTTPSConnectionPool(host='opsipackages.43.opsi.org', port=443): Max
   retries exceeded with url: /stable/packages.msgpack.zstd (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7fef5ec7fb90>, 'Connection to
   opsipackages.43.opsi.org timed out. (connect timeout=10)'))

● Products On Clients: OK
   ➔ All products are up to date on all clients.

● Redis: OK
   ➔ The connection to the Redis server does work.

● SSL: OK
   ➔ No SSL issues found.

● OPSI Users: OK
   ➔ No problems found with opsi users.

ERROR: Check completed with 4 errors and 0 warnings.


- OS-Release

NAME="Oracle Linux Server"
VERSION="9.4"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Oracle Linux Server 9.4"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:9:4:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 9"
ORACLE_BUGZILLA_PRODUCT_VERSION=9.4
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=9.4
- AD users/groups

id pcpatch
uid=5007(pcpatch) gid=29012(opsifileadmins) Gruppen=29012(opsifileadmins),21804(PSO-GG-Service-Accounts)

id opsiconfd
uid=5008(opsiconfd) gid=29012(opsifileadmins) Gruppen=29012(opsifileadmins),977(shadow),21804(PSO-GG-Service-Accounts),29011(opsiadmins)

getent group opsireadonlys
opsireadonlys:*:29013:
- /etc/opsi/opsi.conf

[host]
id = "hostname.domain.xx"
key = "0f6c93650564c78f1a180cb2799c2ee8"
server-role = "configserver"

[service]
url = "https://localhost:4447"

[groups]
fileadmingroup = "opsifileadmins"
admingroup = "opsiadmins"
readonly = "opsireadonlys"

[depot_user]
username = "pcpatch"
home = "/var/lib/opsi"

[packages]
use_pigz = true

[ldap_auth]
ldap_url = ""
bind_user = ""
group_filter = ""
use_member_of_rdn = false
- Modification of opsipxeconfd.service

systemctl cat opsipxeconfd.service
# /usr/lib/systemd/system/opsipxeconfd.service
[Unit]
Description=opsi PXE configuration service
After=opsiconfd.service
After=winbind.service

[Service]
Type=forking
ExecStart=/usr/bin/opsipxeconfd start
Restart=always
RestartSec=5
KillMode=process
TimeoutStopSec=15
PIDFile=/run/opsipxeconfd/opsipxeconfd.pid
ExecStartPre=-/bin/mkdir -p /run/opsipxeconfd
ExecStartPre=-/bin/chgrp opsiadmin /run/opsipxeconfd
ExecStartPre=-/bin/chmod 770 /run/opsipxeconfd

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/opsipxeconfd.service.d/override.conf
[Service]
ExecStartPre=-/bin/chgrp opsiadmins /run/opsipxeconfd
- OPSI SSL certs (truncated)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:dc:43:b9:47:b6:d9:c3:7a:51:a0:33:fd:ab:e9:35:38:45:57:06
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = RP, L = MAINZ, O = uib, OU = opsi@domain.xx, CN = opsi CA, emailAddress = opsi@domain.xx
        Validity
            Not Before: Nov  7 05:28:31 2024 GMT
            Not After : Nov  7 05:28:31 2026 GMT
        Subject: C = DE, ST = RP, L = MAINZ, O = uib, OU = opsi@domain.xx, CN = opsi CA, emailAddress = opsi@domain.xx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:9c:1b:10:3e:dc:9a:24:75:78:c3:4a:eb:c5:b9:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1E:9A:B6:15:BE:E6:28:9B:68:68:55:D3:11:E1:02:6E:ED:43:37:1A
            X509v3 Authority Key Identifier:
                1E:9A:B6:15:BE:E6:28:9B:68:68:55:D3:11:E1:02:6E:ED:43:37:1A
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        92:68:b0:86:b4:6e:93:a3:00:e7:b6:0d:99:fd:fe:73:a0:e7:
        
openssl x509 -text -noout -in /etc/opsi/ssl/opsiconfd-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            09:d7:c5:68:6f:46:ed:1c:d7:2e:9a:d7:53:c8:9d:71:32:81:9e:6c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = RP, L = MAINZ, O = uib, OU = opsi@domain.xx, CN = opsi CA, emailAddress = opsi@domain.xx
        Validity
            Not Before: Nov  7 05:28:34 2024 GMT
            Not After : Feb  5 05:28:34 2025 GMT
        Subject: OU = opsi@.domain.xx, CN = hostname.domain.xx, emailAddress = opsi@domain.xx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:af:fc:e2:6c:63:c8:65:f5:7a:ee:9a:f0:da:44:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D7:B4:4C:91:B0:2C:6C:E1:8A:5E:11:89:28:13:74:26:2D:F6:01:20
            X509v3 Authority Key Identifier:
                1E:9A:B6:15:BE:E6:28:9B:68:68:55:D3:11:E1:02:6E:ED:43:37:1A
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:hostname.domain.xx, DNS:localhost6.localdomain6, DNS:hostname, DNS:localhost6, DNS:localhost4.localdomain4, DNS:localhost4, DNS:localhost.localdomain, IP Address:XX.XX.XX.XX, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        7f:27:60:e9:99:e7:75:24:e8:af:bb:7d:80:10:95:fb:9d:3f:
 
- opsipxeconfd log file (log level 9)

[7] [2024-11-07 07:43:12.443] [Opsipxeconfd start] Found running 'opsipxeconfd' process: psutil.Process(pid=17795, name='opsipxeconfd', status='running', started='07:43:10')   (__init__.py:61)
[7] [2024-11-07 07:43:12.444] [Opsipxeconfd start] Found running 'opsipxeconfd' process: psutil.Process(pid=17804, name='opsipxeconfd', status='running', started='07:43:11')   (__init__.py:61)
[7] [2024-11-07 07:43:12.445] [Opsipxeconfd start] Found running 'opsipxeconfd' process: psutil.Process(pid=17806, name='opsipxeconfd', status='running', started='07:43:11')   (__init__.py:61)
[6] [2024-11-07 07:43:12.448] [Opsipxeconfd start] Creating pid file '/var/run/opsipxeconfd/opsipxeconfd.pid'   (util.py:47)
[5] [2024-11-07 07:43:12.448] [Opsipxeconfd start] Running opsipxeconfd setup   (setup.py:286)
[5] [2024-11-07 07:43:12.448] [Opsipxeconfd start] Setting up limits   (setup.py:258)
[6] [2024-11-07 07:43:12.451] [Opsipxeconfd start] Setup users and groups   (setup.py:81)
[6] [2024-11-07 07:43:12.455] [Opsipxeconfd start] Setup files and permissions   (setup.py:245)
[7] [2024-11-07 07:43:12.455] [Opsipxeconfd start] Setting rights on /var/log/opsi/opsipxeconfd   (rights.py:209)
[6] [2024-11-07 07:43:12.456] [Opsipxeconfd start] Setting rights recursively on '/var/log/opsi/opsipxeconfd'   (rights.py:238)
[7] [2024-11-07 07:43:12.918] [Opsipxeconfd start] opsiconfd config: {'ssl_server_key': '/etc/opsi/ssl/opsiconfd-key.pem', 'ssl_server_cert': '/etc/opsi/ssl/opsiconfd-cert.pem', 'ssl_server_key_passphrase': 'ye3heiwaiLu9pama'}   (setup.py:79)
[6] [2024-11-07 07:43:12.919] [Opsipxeconfd start] Using client certificate file '/etc/opsi/ssl/opsiconfd-cert.pem' and key file '/etc/opsi/ssl/opsiconfd-key.pem'   (opsiservice.py:325)
[7] [2024-11-07 07:43:12.919] [Opsipxeconfd start] Trying to load private key   (opsiservice.py:332)
[7] [2024-11-07 07:43:14.024] [Opsipxeconfd start] Updating environment from /etc/environment   (__init__.py:131)
[7] [2024-11-07 07:43:14.024] [Opsipxeconfd start] Current proxy related environment variables: http_proxy=None, https_proxy=None, no_proxy=None   (__init__.py:182)
[6] [2024-11-07 07:43:14.024] [Opsipxeconfd start] Using proxy settings: http_proxy=None, https_proxy=None, no_proxy='localhost,127.0.0.1,::1,ip6-localhost'   (__init__.py:219)
[5] [2024-11-07 07:43:14.025] [Opsipxeconfd start] Connecting to opsi service at 'https://localhost:4447' (attempt 1)   (setup.py:105)
[7] [2024-11-07 07:43:14.025] [Opsipxeconfd start] service_is_opsiclientd: False   (opsiservice.py:731)
[7] [2024-11-07 07:43:14.025] [Opsipxeconfd start] ca_cert_file: '/etc/opsi/ssl/opsi-ca-cert.pem', exists: True, verify_flags: [<ServiceVerificationFlags.STRICT_CHECK: 'strict_check'>], session.verify: '/etc/opsi/ssl/opsi-ca-cert.pem', verify: '/etc/opsi/ssl/opsi-ca-cert.pem'   (opsiservice.py:737)
[7] [2024-11-07 07:43:14.028] [Opsipxeconfd start] Starting new HTTPS connection (1): localhost:4447   (connectionpool.py:1055)
[7] [2024-11-07 07:43:14.033] [Opsipxeconfd start] Removing pid file '/var/run/opsipxeconfd/opsipxeconfd.pid'...   (util.py:56)
[6] [2024-11-07 07:43:14.033] [Opsipxeconfd start] Removed pid file '/var/run/opsipxeconfd/opsipxeconfd.pid'   (util.py:58)
[3] [2024-11-07 07:43:14.033] [               ] Opsi service verification error: HTTPSConnectionPool(host='localhost', port=4447): Max retries exceeded with url: /rpc (Caused by SSLError(SSLError(109, '[CONF: MODULE_INITIALIZATION_ERROR] module initialization error (_ssl.c:3098)')))   (__main__.py:34)
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 467, in _make_request
  File "urllib3/connectionpool.py", line 1099, in _validate_conn
  File "urllib3/connection.py", line 653, in connect
  File "urllib3/connection.py", line 759, in _ssl_wrap_socket_and_match_hostname
  File "urllib3/util/ssl_.py", line 285, in create_urllib3_context
  File "ssl.py", line 500, in __new__
ssl.SSLError: [CONF: MODULE_INITIALIZATION_ERROR] module initialization error (_ssl.c:3098)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 793, in urlopen
  File "urllib3/connectionpool.py", line 491, in _make_request
urllib3.exceptions.SSLError: [CONF: MODULE_INITIALIZATION_ERROR] module initialization error (_ssl.c:3098)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "requests/adapters.py", line 486, in send
  File "urllib3/connectionpool.py", line 847, in urlopen
  File "urllib3/util/retry.py", line 515, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=4447): Max retries exceeded with url: /rpc (Caused by SSLError(SSLError(109, '[CONF: MODULE_INITIALIZATION_ERROR] module initialization error (_ssl.c:3098)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "opsicommon/client/opsiservice.py", line 949, in _request
  File "requests/sessions.py", line 589, in request
  File "requests/sessions.py", line 703, in send
  File "requests/adapters.py", line 517, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=4447): Max retries exceeded with url: /rpc (Caused by SSLError(SSLError(109, '[CONF: MODULE_INITIALIZATION_ERROR] module initialization error (_ssl.c:3098)')))

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "opsipxeconfd/__main__.py", line 30, in main
  File "opsipxeconfd/opsipxeconfdinit.py", line 373, in __init__
  File "opsipxeconfd/setup.py", line 290, in setup
  File "opsipxeconfd/setup.py", line 156, in patchMenuFile
  File "opsipxeconfd/setup.py", line 122, in getConfigsFromService
  File "opsipxeconfd/setup.py", line 106, in get_service_connection
  File "opsicommon/client/opsiservice.py", line 780, in connect
  File "opsicommon/client/opsiservice.py", line 977, in _request
opsicommon.exceptions.OpsiServiceVerificationError: Opsi service verification error: HTTPSConnectionPool(host='localhost', port=4447): Max retries exceeded with url: /rpc (Caused by SSLError(SSLError(109, '[CONF: MODULE_INITIALIZATION_ERROR] module initialization error (_ssl.c:3098)')))

Re: OPSI 4.3 | OPSIPXECONFD SSL-ERROR

Posted: 07 Nov 2024, 09:09
by j.schneider
Hi,

My guess is an incompatible configuration in /etc/ssl/openssl.cnf.
You could try making the following change to /etc/systemd/system/multi-user.target.wants/opsipxeconfd.service:

...
[Service]
Environment=OPENSSL_CONF=/dev/null
...
Regards
Jan Schneider
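An added diagnostic check (not from this thread or the opsi project) for the diagnosis above: it starts a fresh Python interpreter with the inherited OPENSSL_CONF and once more with OPENSSL_CONF=/dev/null, and compares whether SSLContext creation, the step that failed in the traceback, succeeds. The interpreter to probe (default: the one running the script), the probe one-liner and the verdict labels are assumptions made here.

```python
import os
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed probe: creating an SSLContext is the step that failed in the
# opsipxeconfd traceback (ssl.py __new__ -> CONF: MODULE_INITIALIZATION_ERROR).
PROBE_CODE = "import ssl; ssl.create_default_context(); print('ok')"


@dataclass
class ProbeResult:
    openssl_conf: Optional[str]  # value of OPENSSL_CONF used; None = variable unset
    ok: bool
    error: str                   # last stderr line of the child, empty on success


def probe_ssl_init(openssl_conf: Optional[str], python: str = sys.executable) -> ProbeResult:
    """Run the probe in a fresh interpreter: OpenSSL reads its config once per process."""
    env = dict(os.environ)
    if openssl_conf is None:
        env.pop("OPENSSL_CONF", None)
    else:
        env["OPENSSL_CONF"] = openssl_conf
    proc = subprocess.run([python, "-c", PROBE_CODE], env=env,
                          capture_output=True, text=True, timeout=30)
    ok = proc.returncode == 0 and proc.stdout.strip() == "ok"
    err_lines = proc.stderr.strip().splitlines()
    return ProbeResult(openssl_conf, ok, err_lines[-1] if err_lines else "")


def classify(default_ok: bool, no_config_ok: bool) -> str:
    """Decision logic (constructed labels): does the system openssl.cnf explain the failure?"""
    if default_ok:
        return "ssl-ok"                    # SSL initialises; the failure lies elsewhere
    if no_config_ok:
        return "openssl-cnf-incompatible"  # only the config breaks it: OPENSSL_CONF=/dev/null applies
    return "ssl-broken"                    # fails even without a config: not a config problem


def diagnose(python: str = sys.executable) -> str:
    """Compare SSL init under the inherited OpenSSL config and with no config at all."""
    return classify(probe_ssl_init(None, python).ok, probe_ssl_init("/dev/null", python).ok)


if __name__ == "__main__":
    # Optional arguments: candidate config files (e.g. trimmed copies of
    # /etc/ssl/openssl.cnf) to bisect which directive this OpenSSL cannot initialise.
    for conf in [None, "/dev/null", *sys.argv[1:]]:
        r = probe_ssl_init(conf)
        print(f"OPENSSL_CONF={conf!r}: {'OK' if r.ok else 'FAIL ' + r.error}")
    print("verdict:", diagnose())
```

Pass a trimmed copy of /etc/ssl/openssl.cnf as an argument to bisect the directive the interpreter's OpenSSL cannot initialise. OPENSSL_CONF=/dev/null also makes the process ignore any distribution-wide TLS policy the system config carries, which is a reason to scope the override to this one service as the answer does.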

Re: OPSI 4.3 | OPSIPXECONFD SSL-ERROR

Posted: 07 Nov 2024, 10:02
by k.scholz
Hi,

Thanks a lot, that was the solution.

Best regards
Kay Scholz

Re: OPSI 4.3 | OPSIPXECONFD SSL-ERROR

Posted: 07 Nov 2024, 10:32
by j.schneider
Thanks for the feedback, we are preparing a fix for this.