
csync SSL fails with csync2[1452]: SSL: handshake failed: Certificate is required. (GNUTLS_E_CERTIFICATE_REQUIRED) #38

Open
zapotah opened this issue Nov 10, 2021 · 4 comments

Comments


zapotah commented Nov 10, 2021

At least on Ubuntu 20.04 with gnutls 3.6.13-2ubuntu1.6, SSL connections fail with a GNUTLS_E_CERTIFICATE_REQUIRED error in syslog even when everything is otherwise correctly configured. Adding nossl allows the sync to work. I straced the process and saw that it does indeed read the certificates and otherwise works as it should; however, something must have been updated in gnutls so that it throws a message that csync2 cannot handle.

Easily reproducible with, e.g., the following config:

group replicated
{
    host host1;
    host host2;
    key /etc/csync2.d/csync2_clusterkey.key;
    include /opt/replicated;

    action
    {
        pattern /opt/replicated;
        exec "/usr/bin/systemctl restart nginx";
        do-local;
    }

    backup-directory /opt/replicated-backup;
    backup-generations 3;

    auto none;
}


sincomil commented Dec 17, 2021

Got the same result on Debian 11 (bullseye).
systemd's journal shows this: csync2[435186]: SSL: handshake failed: Certificate is required. (GNUTLS_E_CERTIFICATE_REQUIRED)

Verbose output looks like this:

Config-File:   /etc/csync2.cfg
My hostname is ns1.
Database-File: sqlite3:///var/lib/csync2/ns1.db3
Opening shared library libsqlite3.so.0
Reading symbols from shared library libsqlite3.so.0
SQL: SELECT count(*) from file
Trying to fetch a row from the database.
Trying to fetch a row from the database.
SQL Query finished.
Running in-sync check for ns1 <-> ns2.
Connecting to host ns2 (SSL) ...
Connect to 10.14.253.195:30865 (ns2).
Local> SSL\n
Peer> OK (activating_ssl).\n
response from peer(<no file>): ns2 [7] <- OK (activating_ssl).
ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1560
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3935
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3985
ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
ASSERT: ../../../lib/x509/x509.c[get_alt_name]:1848
ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
HSK[0x555c41aabdb0]: Adv. version: 3.3
Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
EXT[0x555c41aabdb0]: Preparing extension (OCSP Status Request/5) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension OCSP Status Request/5 (5 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Client Certificate Type/19) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Server Certificate Type/20) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Supported Groups/10) for 'client hello'
EXT[0x555c41aabdb0]: Sent group SECP256R1 (0x17)
EXT[0x555c41aabdb0]: Sent group SECP384R1 (0x18)
EXT[0x555c41aabdb0]: Sent group SECP521R1 (0x19)
EXT[0x555c41aabdb0]: Sent group X25519 (0x1d)
EXT[0x555c41aabdb0]: Sent group X448 (0x1e)
EXT[0x555c41aabdb0]: Sent group FFDHE2048 (0x100)
EXT[0x555c41aabdb0]: Sent group FFDHE3072 (0x101)
EXT[0x555c41aabdb0]: Sent group FFDHE4096 (0x102)
EXT[0x555c41aabdb0]: Sent group FFDHE6144 (0x103)
EXT[0x555c41aabdb0]: Sent group FFDHE8192 (0x104)
EXT[0x555c41aabdb0]: Sending extension Supported Groups/10 (22 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Supported EC Point Formats/11 (2 bytes)
EXT[0x555c41aabdb0]: Preparing extension (SRP/12) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Signature Algorithms/13) for 'client hello'
EXT[0x555c41aabdb0]: sent signature algo (4.1) RSA-SHA256
EXT[0x555c41aabdb0]: sent signature algo (8.9) RSA-PSS-SHA256
EXT[0x555c41aabdb0]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x555c41aabdb0]: sent signature algo (4.3) ECDSA-SHA256
EXT[0x555c41aabdb0]: sent signature algo (8.7) EdDSA-Ed25519
EXT[0x555c41aabdb0]: sent signature algo (5.1) RSA-SHA384
EXT[0x555c41aabdb0]: sent signature algo (8.10) RSA-PSS-SHA384
EXT[0x555c41aabdb0]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x555c41aabdb0]: sent signature algo (5.3) ECDSA-SHA384
EXT[0x555c41aabdb0]: sent signature algo (8.8) EdDSA-Ed448
EXT[0x555c41aabdb0]: sent signature algo (6.1) RSA-SHA512
EXT[0x555c41aabdb0]: sent signature algo (8.11) RSA-PSS-SHA512
EXT[0x555c41aabdb0]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x555c41aabdb0]: sent signature algo (6.3) ECDSA-SHA512
EXT[0x555c41aabdb0]: sent signature algo (2.1) RSA-SHA1
EXT[0x555c41aabdb0]: sent signature algo (2.3) ECDSA-SHA1
EXT[0x555c41aabdb0]: Sending extension Signature Algorithms/13 (34 bytes)
EXT[0x555c41aabdb0]: Preparing extension (SRTP/14) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Heartbeat/15) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (ALPN/16) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Encrypt-then-MAC/22 (0 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Extended Master Secret/23) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Extended Master Secret/23 (0 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Session Ticket/35) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Session Ticket/35 (0 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Key Share/51) for 'client hello'
EXT[0x555c41aabdb0]: sending key share for SECP256R1
EXT[0x555c41aabdb0]: sending key share for X25519
EXT[0x555c41aabdb0]: Sending extension Key Share/51 (107 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Supported Versions/43) for 'client hello'
Advertizing version 3.4
Advertizing version 3.3
Advertizing version 3.2
Advertizing version 3.1
EXT[0x555c41aabdb0]: Sending extension Supported Versions/43 (9 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Post Handshake Auth/49) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Safe Renegotiation/65281 (1 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Server Name Indication/0) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Cookie/44) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Early Data/42) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Record Size Limit/28) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Record Size Limit/28 (2 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Maximum Record Size/1) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (ClientHello Padding/21) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Pre Shared Key/41) for 'client hello'
HSK[0x555c41aabdb0]: CLIENT HELLO was queued [368 bytes]
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: SERVER HELLO (2) was received. Length 151[151], frag offset 0, frag length: 151, sequence: 0
ASSERT: ../../lib/buffers.c[get_last_packet]:1176
ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1428
HSK[0x555c41aabdb0]: Server's version: 3.3
EXT[0x555c41aabdb0]: Parsing extension 'Supported Versions/43' (2 bytes)
EXT[0x555c41aabdb0]: Negotiated version: 3.4
HSK[0x555c41aabdb0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256
EXT[0x555c41aabdb0]: Parsing extension 'Key Share/51' (69 bytes)
HSK[0x555c41aabdb0]: Selected group SECP256R1 (2)
EXT[0x555c41aabdb0]: client generated SECP256R1 shared key
REC[0x555c41aabdb0]: Sent ChangeCipherSpec
HSK[0x555c41aabdb0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: ENCRYPTED EXTENSIONS (8) was received. Length 8[8], frag offset 0, frag length: 8, sequence: 0
HSK[0x555c41aabdb0]: parsing encrypted extensions
EXT[0x555c41aabdb0]: Parsing extension 'Record Size Limit/28' (2 bytes)
EXT[0x555c41aabdb0]: record_size_limit 16385 negotiated
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: CERTIFICATE REQUEST (13) was received. Length 159[159], frag offset 0, frag length: 159, sequence: 0
HSK[0x555c41aabdb0]: parsing certificate request
EXT[0x555c41aabdb0]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (8.9) RSA-PSS-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (8.7) EdDSA-Ed25519
EXT[0x555c41aabdb0]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (8.10) RSA-PSS-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (8.8) EdDSA-Ed448
EXT[0x555c41aabdb0]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (8.11) RSA-PSS-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (2.1) RSA-SHA1
EXT[0x555c41aabdb0]: rcvd signature algo (2.3) ECDSA-SHA1
Peer requested CA: CN=ns2.dns.mgmt,OU=RCOD,O=CIT RT,L=Kazan,ST=Tatarstan,C=RU
ASSERT: ../../../lib/auth/cert.c[find_x509_client_cert]:215
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: CERTIFICATE (11) was received. Length 607[607], frag offset 0, frag length: 607, sequence: 0
HSK[0x555c41aabdb0]: parsing certificate message
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: CERTIFICATE VERIFY (15) was received. Length 132[132], frag offset 0, frag length: 132, sequence: 0
HSK[0x555c41aabdb0]: Parsing certificate verify
ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1560
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3935
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3985
HSK[0x555c41aabdb0]: verifying TLS 1.3 handshake data using RSA-PSS-RSAE-SHA256
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: FINISHED (20) was received. Length 32[32], frag offset 0, frag length: 32, sequence: 0
HSK[0x555c41aabdb0]: parsing finished
HSK[0x555c41aabdb0]: CERTIFICATE was queued [8 bytes]
HSK[0x555c41aabdb0]: sending finished
HSK[0x555c41aabdb0]: FINISHED was queued [36 bytes]
ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
HSK[0x555c41aabdb0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
SQL: SELECT certdata FROM x509_cert WHERE peername = 'ns2'
Trying to fetch a row from the database.
DB get blob
Trying to fetch a row from the database.
SQL Query finished.
Peer x509 certificate is: 30820252308201BB021451323D8D79EEB9A2DA2EF61E2CE18BE3976F0BC9300D06092A864886F70D01010B05003068310B30090603550406130252553112301006035504080C0954617461727374616E310E300C06035504070C054B617A616E310F300D060355040A0C06434954205254310D300B060355040B0C0452434F443115301306035504030C0C6E73322E646E732E6D676D74301E170D3231313231373134353232305A170D3331313231353134353232305A3068310B30090603550406130252553112301006035504080C0954617461727374616E310E300C06035504070C054B617A616E310F300D060355040A0C06434954205254310D300B060355040B0C0452434F443115301306035504030C0C6E73322E646E732E6D676D7430819F300D06092A864886F70D010101050003818D0030818902818100B648638F27AC9517B5B01996069299B1A0F38A38DD144F0365B52103BB4BDE6045B226B7D787ED4ACAFFABB1A67B57A988E59D25BADE8A74635E98540402648B41AC55151A8AF003B225D410D717DA9BE2807957557083F45E8670FFC7DC377BCD2D6446DCBDA93600F096F8742B96C9156BFBDC3A82FEEA5A991891F2CDF1030203010001300D06092A864886F70D01010B05000381810080699458C030488EDA4DEB139F92948F70E46527AE08A8C75A8F2D00AC477142D59923E89DD70C10FC58F92640E64418398F3DF0865A4E187DE07E0FB469FD5945C0FC373E59B6530FCA249FEA08C9C056C205B02A897A7382674BE10149B8D77B6E867E8A3EF90F6170D1C31D25E2713CD1E96F640E650696F0FCD765FDC59F
Local> CONFIG \n
ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
Peer>
response from peer(<no file>): ns2 [9] <- Connection closed.
Config command failed.
ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
ERROR: Connection to remote host `ns2' failed.
SQL: SELECT command, logfile FROM action GROUP BY command, logfile
Trying to fetch a row from the database.
SQL Query finished.
Connection closed.
Finished with 2 errors.


calaad commented May 1, 2022

Same here.

Any solution other than using nossl?

@nikoveliki

Check this answer from "Giampaolo Tomassoni": https://csync2.linbit.narkive.com/CoDweSVw/ssl-handshake-problem

I used the same CN for all "ssl_cert.csr" and it worked.


calaad commented May 25, 2022

OK

  • Delete old certs
  • Recreate certs on all hosts with same data
  • Delete databases on all hosts
  • Rsync
    -> It works.

Thanks @nikoveliki
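Added example (not from this thread or from csync2) showing why using the same certificate data on every host works: the server lists acceptable CA names in its TLS 1.3 CertificateRequest (the "Peer requested CA:" line in the verbose output above), GnuTLS offers a client certificate only if that certificate's issuer is one of those names, and a self-signed certificate with a different CN never matches, so the client sends an empty Certificate (the 8-byte CERTIFICATE queued above) and the server rejects the handshake with GNUTLS_E_CERTIFICATE_REQUIRED. It parses the ns2 certificate printed in the verbose output with a minimal stdlib DER reader; the ns1 certificate is a constructed stand-in (the same bytes with the CN swapped) and the requested-CA string is copied from the log line.

```python
from binascii import unhexlify

# DER-encoded attribute types (OID 2.5.4.x) -> RFC 4514 names used in these DNs
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def der_children(buf):
    """Split the value of a DER SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low 7 bits give the number of length octets
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def name_to_rfc4514(name):
    """Render an X.501 Name the way GnuTLS logs it (most specific RDN first)."""
    parts = []
    for _, rdn in der_children(name):        # RelativeDistinguishedName (SET)
        for _, atv in der_children(rdn):     # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, value) = der_children(atv)
            parts.append(f"{ATTR[oid]}={value.decode()}")
    return ",".join(reversed(parts))

def issuer_and_subject(der):
    """Return (issuer, subject) of a DER-encoded X.509 certificate."""
    (_, cert), = der_children(der)
    (_, tbs), _sig_alg, _sig = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # v2/v3 certs start with an explicit [0] version; this one is v1
        fields = fields[1:]
    # tbsCertificate: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return name_to_rfc4514(fields[2][1]), name_to_rfc4514(fields[4][1])

def client_cert_offered(local_der, requested_ca):
    """GnuTLS offers a client certificate only if its issuer is a CA the server requested."""
    return issuer_and_subject(local_der)[0] == requested_ca

# Peer (ns2) certificate, hex exactly as printed in the verbose output above
NS2_DER = unhexlify("30820252308201BB021451323D8D79EEB9A2DA2EF61E2CE18BE3976F0BC9300D06092A864886F70D01010B05003068310B30090603550406130252553112301006035504080C0954617461727374616E310E300C06035504070C054B617A616E310F300D060355040A0C06434954205254310D300B060355040B0C0452434F443115301306035504030C0C6E73322E646E732E6D676D74301E170D3231313231373134353232305A170D3331313231353134353232305A3068310B30090603550406130252553112301006035504080C0954617461727374616E310E300C06035504070C054B617A616E310F300D060355040A0C06434954205254310D300B060355040B0C0452434F443115301306035504030C0C6E73322E646E732E6D676D7430819F300D06092A864886F70D010101050003818D0030818902818100B648638F27AC9517B5B01996069299B1A0F38A38DD144F0365B52103BB4BDE6045B226B7D787ED4ACAFFABB1A67B57A988E59D25BADE8A74635E98540402648B41AC55151A8AF003B225D410D717DA9BE2807957557083F45E8670FFC7DC377BCD2D6446DCBDA93600F096F8742B96C9156BFBDC3A82FEEA5A991891F2CDF1030203010001300D06092A864886F70D01010B05000381810080699458C030488EDA4DEB139F92948F70E46527AE08A8C75A8F2D00AC477142D59923E89DD70C10FC58F92640E64418398F3DF0865A4E187DE07E0FB469FD5945C0FC373E59B6530FCA249FEA08C9C056C205B02A897A7382674BE10149B8D77B6E867E8A3EF90F6170D1C31D25E2713CD1E96F640E650696F0FCD765FDC59F")
# Constructed stand-in for ns1's own self-signed cert (not from the page): same bytes, CN swapped
NS1_DER = NS2_DER.replace(b"ns2.dns.mgmt", b"ns1.dns.mgmt")
REQUESTED_CA = "CN=ns2.dns.mgmt,OU=RCOD,O=CIT RT,L=Kazan,ST=Tatarstan,C=RU"  # "Peer requested CA:" line

if __name__ == "__main__":
    print(client_cert_offered(NS1_DER, REQUESTED_CA))  # False: the failing setup in this issue
    print(client_cert_offered(NS2_DER, REQUESTED_CA))  # True: identical DN on both hosts
```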
