icinga2 pki new-cert only generates private key on CentOS 7.* (getrandom() not implemented in SolusVM host kernels) #7683
Not able to reproduce this. Likely the script lacks sanity checks with e.g. the
Here it doesn't work. Putting the variables aside:
Full output of
Also, try re-running the script with strace to see whether it tries to actually create the file handles.
Yes, it is a VM on a SolusVM platform. Strace gives a ton of 'Bad file descriptor' messages. See strace output: https://www.dropbox.com/transfer/AAAAAJEIsMitz6Paoo8FgN3D4sI35_sCQJXELltuqHIuAqfV2rTpfLU
Ah, I forgot. icinga2 is a shell wrapper for the binary. In order to see its syscalls, run the full binary path.
I couldn't get your command above to work, so ended up with this. Hope it is a valid strace now.
https://www.dropbox.com/transfer/AAAAALSU4pL4tVm75yoQaUmCXwygpIUaAJszPvmwDWY0ir_TYecQFys
I see. This is what I suspected already - getrandom() syscall is not implemented. This is used by the OpenSSL API resp. Boost UUID.
That's actually a problem with the host system running an older Kernel (likely el6) and the guest runs with el7+. Similar issue with OpenVZ, Xen, cPanel and other VM providers, we have discussed this in #7560. https://bugzilla.redhat.com/show_bug.cgi?id=1330000 Unfortunately we cannot fix this on the application layer, this needs a kernel update on the host system providing the syscall to the guest OS.
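An added pre-flight check for the failure diagnosed above (example code, not from this issue or the icinga2 project): it invokes getrandom(2) directly through syscall(2), so the result reflects the host kernel rather than the guest's glibc, and distinguishes ENOSYS (syscall not provided, the case here) from EAGAIN (entropy pool not yet initialised). A kickstart script can run it before `pki new-cert` and stop with a clear message instead of leaving a lone .key file behind. Assumes a Linux guest whose headers define SYS_getrandom.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001   /* from linux/random.h; do not block on an empty pool */
#endif

/* Outcome of probing getrandom(2) on the running kernel. */
enum getrandom_status {
    GETRANDOM_OK = 0,          /* syscall present, bytes returned */
    GETRANDOM_NOT_IMPLEMENTED, /* ENOSYS: host kernel predates getrandom(2) */
    GETRANDOM_NO_ENTROPY,      /* EAGAIN: pool not initialised yet (transient) */
    GETRANDOM_OTHER_ERROR      /* anything else, e.g. seccomp EPERM */
};

/* Pure errno-to-status mapping, kept separate so it is testable on any kernel. */
enum getrandom_status classify_getrandom_errno(int err)
{
    switch (err) {
    case 0:      return GETRANDOM_OK;
    case ENOSYS: return GETRANDOM_NOT_IMPLEMENTED;
    case EAGAIN: return GETRANDOM_NO_ENTROPY;
    default:     return GETRANDOM_OTHER_ERROR;
    }
}

/* Raw syscall (not the libc wrapper): the guest libc may know getrandom()
   while the host kernel, as in this issue, does not implement it. */
enum getrandom_status probe_getrandom(void)
{
    unsigned char buf[16];
    long n = syscall(SYS_getrandom, buf, sizeof buf, GRND_NONBLOCK);
    if (n == (long)sizeof buf)
        return GETRANDOM_OK;
    return classify_getrandom_errno(n < 0 ? errno : EIO); /* short read -> other */
}

int main(void)
{
    enum getrandom_status st = probe_getrandom();
    if (st == GETRANDOM_OK)
        puts("getrandom(2) available");
    else if (st == GETRANDOM_NOT_IMPLEMENTED)
        puts("getrandom(2) ENOSYS: host kernel too old; pki new-cert will fail");
    else
        printf("getrandom(2) failed: %s\n", strerror(errno));
    return st == GETRANDOM_OK ? 0 : 1;
}
```

A non-zero exit status lets the deployment script abort before the certificate step; on a host with the issue described above the ENOSYS branch fires.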
Thanks a lot for the clarification, Michael! We will upgrade the host system (indeed el6).
Describe the bug
We are using the icinga2-agent-kickstart script to deploy on CentOS hosts. One step in the script is:
```shell
if ! "$ICINGA2_BIN" pki new-cert --cn "${ICINGA2_NODENAME}" \
    --cert "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.crt" \
    --csr "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.csr" \
    --key "${ICINGA2_SSLDIR}/${ICINGA2_NODENAME}.key"
```
This should result in a csr, crt and key file. However, on CentOS only the key is generated. When running this command on e.g. Debian it works as expected.
To Reproduce
icinga2 pki new-cert --cn --key /var/lib/icinga2/certs/.key --cert /var/lib/icinga2/certs/.crt --csr /var/lib/icinga2/certs/.csr
Your Environment
Version used (icinga2 --version): 2.11.2-1
Enabled features (icinga2 feature list): api checker mainlog notification