LINBIT / csync2

file synchronization tool using librsync and current state databases
GNU General Public License v2.0

csync SSL fails with csync2[1452]: SSL: handshake failed: Certificate is required. (GNUTLS_E_CERTIFICATE_REQUIRED) #38

Open zapotah opened 2 years ago

zapotah commented 2 years ago

At least on Ubuntu 20.04 with gnutls 3.6.13-2ubuntu1.6, SSL connections fail with a GNUTLS_E_CERTIFICATE_REQUIRED error in syslog even when everything is otherwise correctly configured. Adding nossl allows the sync to work. I straced the process to see that it does indeed read the certificates and otherwise works as it should; however, something must have been updated in gnutls so that it throws a message that csync2 cannot handle.

Easily reproducible with, e.g., the following config:

group replicated
{
    host host1;
    host host2;
    key /etc/csync2.d/csync2_clusterkey.key;
    include /opt/replicated;

    action
    {
        pattern /opt/replicated;
        exec "/usr/bin/systemctl restart nginx";
        do-local;
    }

    backup-directory /opt/replicated-backup;
    backup-generations 3;

    auto none;
}

sincomil commented 2 years ago

Got the same result on Debian 11 (bullseye). systemd's journal shows this: csync2[435186]: SSL: handshake failed: Certificate is required. (GNUTLS_E_CERTIFICATE_REQUIRED)

Verbose output looks like this:

Config-File:   /etc/csync2.cfg
My hostname is ns1.
Database-File: sqlite3:///var/lib/csync2/ns1.db3
Opening shared library libsqlite3.so.0
Reading symbols from shared library libsqlite3.so.0
SQL: SELECT count(*) from file
Trying to fetch a row from the database.
Trying to fetch a row from the database.
SQL Query finished.
Running in-sync check for ns1 <-> ns2.
Connecting to host ns2 (SSL) ...
Connect to 10.14.253.195:30865 (ns2).
Local> SSL\n
Peer> OK (activating_ssl).\n
response from peer(<no file>): ns2 [7] <- OK (activating_ssl).
ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1560
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3935
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3985
ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
ASSERT: ../../../lib/x509/x509.c[get_alt_name]:1848
ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
HSK[0x555c41aabdb0]: Adv. version: 3.3
Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
EXT[0x555c41aabdb0]: Preparing extension (OCSP Status Request/5) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension OCSP Status Request/5 (5 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Client Certificate Type/19) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Server Certificate Type/20) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Supported Groups/10) for 'client hello'
EXT[0x555c41aabdb0]: Sent group SECP256R1 (0x17)
EXT[0x555c41aabdb0]: Sent group SECP384R1 (0x18)
EXT[0x555c41aabdb0]: Sent group SECP521R1 (0x19)
EXT[0x555c41aabdb0]: Sent group X25519 (0x1d)
EXT[0x555c41aabdb0]: Sent group X448 (0x1e)
EXT[0x555c41aabdb0]: Sent group FFDHE2048 (0x100)
EXT[0x555c41aabdb0]: Sent group FFDHE3072 (0x101)
EXT[0x555c41aabdb0]: Sent group FFDHE4096 (0x102)
EXT[0x555c41aabdb0]: Sent group FFDHE6144 (0x103)
EXT[0x555c41aabdb0]: Sent group FFDHE8192 (0x104)
EXT[0x555c41aabdb0]: Sending extension Supported Groups/10 (22 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Supported EC Point Formats/11 (2 bytes)
EXT[0x555c41aabdb0]: Preparing extension (SRP/12) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Signature Algorithms/13) for 'client hello'
EXT[0x555c41aabdb0]: sent signature algo (4.1) RSA-SHA256
EXT[0x555c41aabdb0]: sent signature algo (8.9) RSA-PSS-SHA256
EXT[0x555c41aabdb0]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x555c41aabdb0]: sent signature algo (4.3) ECDSA-SHA256
EXT[0x555c41aabdb0]: sent signature algo (8.7) EdDSA-Ed25519
EXT[0x555c41aabdb0]: sent signature algo (5.1) RSA-SHA384
EXT[0x555c41aabdb0]: sent signature algo (8.10) RSA-PSS-SHA384
EXT[0x555c41aabdb0]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x555c41aabdb0]: sent signature algo (5.3) ECDSA-SHA384
EXT[0x555c41aabdb0]: sent signature algo (8.8) EdDSA-Ed448
EXT[0x555c41aabdb0]: sent signature algo (6.1) RSA-SHA512
EXT[0x555c41aabdb0]: sent signature algo (8.11) RSA-PSS-SHA512
EXT[0x555c41aabdb0]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x555c41aabdb0]: sent signature algo (6.3) ECDSA-SHA512
EXT[0x555c41aabdb0]: sent signature algo (2.1) RSA-SHA1
EXT[0x555c41aabdb0]: sent signature algo (2.3) ECDSA-SHA1
EXT[0x555c41aabdb0]: Sending extension Signature Algorithms/13 (34 bytes)
EXT[0x555c41aabdb0]: Preparing extension (SRTP/14) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Heartbeat/15) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (ALPN/16) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Encrypt-then-MAC/22 (0 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Extended Master Secret/23) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Extended Master Secret/23 (0 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Session Ticket/35) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Session Ticket/35 (0 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Key Share/51) for 'client hello'
EXT[0x555c41aabdb0]: sending key share for SECP256R1
EXT[0x555c41aabdb0]: sending key share for X25519
EXT[0x555c41aabdb0]: Sending extension Key Share/51 (107 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Supported Versions/43) for 'client hello'
Advertizing version 3.4
Advertizing version 3.3
Advertizing version 3.2
Advertizing version 3.1
EXT[0x555c41aabdb0]: Sending extension Supported Versions/43 (9 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Post Handshake Auth/49) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Safe Renegotiation/65281 (1 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Server Name Indication/0) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Cookie/44) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Early Data/42) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Record Size Limit/28) for 'client hello'
EXT[0x555c41aabdb0]: Sending extension Record Size Limit/28 (2 bytes)
EXT[0x555c41aabdb0]: Preparing extension (Maximum Record Size/1) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (ClientHello Padding/21) for 'client hello'
EXT[0x555c41aabdb0]: Preparing extension (Pre Shared Key/41) for 'client hello'
HSK[0x555c41aabdb0]: CLIENT HELLO was queued [368 bytes]
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: SERVER HELLO (2) was received. Length 151[151], frag offset 0, frag length: 151, sequence: 0
ASSERT: ../../lib/buffers.c[get_last_packet]:1176
ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1428
HSK[0x555c41aabdb0]: Server's version: 3.3
EXT[0x555c41aabdb0]: Parsing extension 'Supported Versions/43' (2 bytes)
EXT[0x555c41aabdb0]: Negotiated version: 3.4
HSK[0x555c41aabdb0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256
EXT[0x555c41aabdb0]: Parsing extension 'Key Share/51' (69 bytes)
HSK[0x555c41aabdb0]: Selected group SECP256R1 (2)
EXT[0x555c41aabdb0]: client generated SECP256R1 shared key
REC[0x555c41aabdb0]: Sent ChangeCipherSpec
HSK[0x555c41aabdb0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: ENCRYPTED EXTENSIONS (8) was received. Length 8[8], frag offset 0, frag length: 8, sequence: 0
HSK[0x555c41aabdb0]: parsing encrypted extensions
EXT[0x555c41aabdb0]: Parsing extension 'Record Size Limit/28' (2 bytes)
EXT[0x555c41aabdb0]: record_size_limit 16385 negotiated
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: CERTIFICATE REQUEST (13) was received. Length 159[159], frag offset 0, frag length: 159, sequence: 0
HSK[0x555c41aabdb0]: parsing certificate request
EXT[0x555c41aabdb0]: rcvd signature algo (4.1) RSA-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (8.9) RSA-PSS-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
EXT[0x555c41aabdb0]: rcvd signature algo (8.7) EdDSA-Ed25519
EXT[0x555c41aabdb0]: rcvd signature algo (5.1) RSA-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (8.10) RSA-PSS-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
EXT[0x555c41aabdb0]: rcvd signature algo (8.8) EdDSA-Ed448
EXT[0x555c41aabdb0]: rcvd signature algo (6.1) RSA-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (8.11) RSA-PSS-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
EXT[0x555c41aabdb0]: rcvd signature algo (2.1) RSA-SHA1
EXT[0x555c41aabdb0]: rcvd signature algo (2.3) ECDSA-SHA1
Peer requested CA: CN=ns2.dns.mgmt,OU=RCOD,O=CIT RT,L=Kazan,ST=Tatarstan,C=RU
ASSERT: ../../../lib/auth/cert.c[find_x509_client_cert]:215
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: CERTIFICATE (11) was received. Length 607[607], frag offset 0, frag length: 607, sequence: 0
HSK[0x555c41aabdb0]: parsing certificate message
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: CERTIFICATE VERIFY (15) was received. Length 132[132], frag offset 0, frag length: 132, sequence: 0
HSK[0x555c41aabdb0]: Parsing certificate verify
ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1560
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3935
ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3985
HSK[0x555c41aabdb0]: verifying TLS 1.3 handshake data using RSA-PSS-RSAE-SHA256
ASSERT: ../../lib/buffers.c[get_last_packet]:1185
HSK[0x555c41aabdb0]: FINISHED (20) was received. Length 32[32], frag offset 0, frag length: 32, sequence: 0
HSK[0x555c41aabdb0]: parsing finished
HSK[0x555c41aabdb0]: CERTIFICATE was queued [8 bytes]
HSK[0x555c41aabdb0]: sending finished
HSK[0x555c41aabdb0]: FINISHED was queued [36 bytes]
ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
HSK[0x555c41aabdb0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
SQL: SELECT certdata FROM x509_cert WHERE peername = 'ns2'
Trying to fetch a row from the database.
DB get blob …
Trying to fetch a row from the database.
SQL Query finished.
Peer x509 certificate is …
Local> CONFIG \n
ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
Peer>
response from peer(<no file>): ns2 [9] <- Connection closed.
Config command failed.
ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
ERROR: Connection to remote host `ns2' failed.
SQL: SELECT command, logfile FROM action GROUP BY command, logfile
Trying to fetch a row from the database.
SQL Query finished.
Connection closed.
Finished with 2 errors.
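Reading the trace above: the peer's CertificateRequest names its own certificate's DN as the only acceptable CA (`Peer requested CA: CN=ns2.dns.mgmt,...`), the GnuTLS client-side certificate lookup (the `find_x509_client_cert` assert) apparently finds no local credential issued by that DN, and the client then queues an 8-byte Certificate message. In TLS 1.3 that size is a Certificate message with an empty certificate list (4-byte handshake header, 1-byte empty request context, 3-byte empty list), which is why the other side logs GNUTLS_E_CERTIFICATE_REQUIRED. The shell snippet below is an added triage helper, not part of csync2, that pulls those facts out of a verbose csync2 trace; the sample lines are excerpted from the trace in this comment, and the trace format is assumed to be the GnuTLS debug output shown here.

```shell
#!/bin/sh
# Added triage helper for a GnuTLS handshake trace from csync2 (example
# code, not part of csync2). Reads the trace on stdin and reports whether
# the local side actually presented a client certificate.

# Constructed sample: lines excerpted from the trace posted in the issue.
sample_trace() {
cat <<'EOF'
Connecting to host ns2 (SSL) ...
HSK[0x555c41aabdb0]: CERTIFICATE REQUEST (13) was received. Length 159[159], frag offset 0, frag length: 159, sequence: 0
Peer requested CA: CN=ns2.dns.mgmt,OU=RCOD,O=CIT RT,L=Kazan,ST=Tatarstan,C=RU
ASSERT: ../../../lib/auth/cert.c[find_x509_client_cert]:215
HSK[0x555c41aabdb0]: CERTIFICATE (11) was received. Length 607[607], frag offset 0, frag length: 607, sequence: 0
HSK[0x555c41aabdb0]: CERTIFICATE was queued [8 bytes]
HSK[0x555c41aabdb0]: FINISHED was queued [36 bytes]
response from peer(<no file>): ns2 [9] <- Connection closed.
ERROR: Connection to remote host `ns2' failed.
EOF
}

# requested_cas: the CA names the peer listed in its CertificateRequest.
requested_cas() { sed -n 's/^Peer requested CA: //p'; }

# client_cert_bytes: size of the Certificate message the client queued
# (first one only; empty output if the trace never got that far).
client_cert_bytes() {
    sed -n 's/^.*: CERTIFICATE was queued \[\([0-9][0-9]*\) bytes].*$/\1/p' | head -n 1
}

# diagnose: one-word verdict on a trace read from stdin.
#   empty-client-cert  8-byte Certificate = 4-byte handshake header,
#                      1-byte empty certificate_request_context and
#                      3-byte empty certificate_list (TLS 1.3): no cert sent.
#   client-cert-sent   a non-empty certificate chain went out.
#   no-cert-message    the handshake broke before the client Certificate.
diagnose() {
    bytes=$(client_cert_bytes)
    if [ -z "$bytes" ]; then
        echo no-cert-message
    elif [ "$bytes" -le 8 ]; then
        echo empty-client-cert
    else
        echo client-cert-sent
    fi
}

# explain: human-readable summary combining the verdict with the CA list.
explain() {
    trace=$(cat)
    verdict=$(printf '%s\n' "$trace" | diagnose)
    printf 'client certificate: %s\n' "$verdict"
    printf '%s\n' "$trace" | requested_cas | sed 's/^/peer accepts certs issued by: /'
    if [ "$verdict" = empty-client-cert ]; then
        echo 'hint: no local certificate is issued by a listed CA; the peer will fail with GNUTLS_E_CERTIFICATE_REQUIRED'
    fi
}

sample_trace | explain
```

Run it as `csync2 -vvv ... 2>&1 | sh triage.sh` after replacing the `sample_trace | explain` line with `explain`, or keep the sample to see the expected verdict for this issue: `empty-client-cert`, with the peer's own DN as the only acceptable issuer. A verdict of `client-cert-sent` together with a closed connection points at a different problem (for instance the peer not trusting the certificate it did receive) rather than at the selection failure discussed here.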

calaad commented 2 years ago

Same here.

Any solution other than use nossl ?

nikoveliki commented 2 years ago

Check this answer from "Giampaolo Tomassoni": https://csync2.linbit.narkive.com/CoDweSVw/ssl-handshake-problem

I have used the same CN for all "ssl_cert.csr" files and it worked.

calaad commented 2 years ago

Ok

Thanks @nikoveliki
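The "same CN" workaround makes sense once one knows how the client side of the handshake picks a certificate. The peer's CertificateRequest carries the DN of the peer's own certificate as the acceptable CA (`Peer requested CA: CN=ns2.dns.mgmt,...` in the trace above), and GnuTLS only offers a client certificate whose issuer DN matches one of the listed CAs; with no match it sends an empty Certificate message (the 8-byte one in the trace) and the peer fails with GNUTLS_E_CERTIFICATE_REQUIRED. A self-signed certificate's issuer is its own subject, so two nodes whose certificates carry the same full DN satisfy each other's request. Every field has to match, not only the CN, because the whole DN is compared. The script below is an added example, not csync2's own tooling, that creates per-host self-signed certificates with openssl and checks that issuer-versus-requested-CA match offline, before the daemons are restarted. It assumes openssl is on the path and writes into a temporary directory; `/etc/csync2_ssl_key.pem` and `/etc/csync2_ssl_cert.pem` are the install paths csync2 reads and are not touched here.

```shell
#!/bin/sh
# Added example (not csync2's own tooling): create per-host self-signed
# certificates and check, before starting csync2, whether one node's
# certificate would be offered to the other node. GnuTLS only offers a
# client certificate whose issuer DN is in the peer's requested-CA list,
# and a csync2 peer lists its own certificate's DN there, so for
# self-signed certs the client's subject must equal the peer's subject.
set -eu

# Working directory for this demo; csync2 itself reads
# /etc/csync2_ssl_key.pem and /etc/csync2_ssl_cert.pem on each node.
WORK=${WORK:-$(mktemp -d)}

# gen_selfsigned NAME SUBJECT: EC key plus self-signed certificate
# (issuer == subject) at $WORK/NAME.key and $WORK/NAME.pem.
gen_selfsigned() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 365 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# dn FIELD CERT: print the subject or issuer DN of CERT in RFC 2253 form.
dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# client_cert_acceptable CLIENT_CERT PEER_CERT: succeeds when the peer,
# advertising its own DN as the acceptable CA, would get CLIENT_CERT
# offered. Failure here is the offline equivalent of the 8-byte empty
# Certificate message and GNUTLS_E_CERTIFICATE_REQUIRED in the trace.
client_cert_acceptable() {
    [ "$(dn issuer "$1")" = "$(dn subject "$2")" ]
}

# check_pair NAME_A NAME_B: report both directions, since every csync2
# node is a client of the other.
check_pair() {
    for pair in "$1 $2" "$2 $1"; do
        set -- $pair
        if client_cert_acceptable "$WORK/$1.pem" "$WORK/$2.pem"; then
            echo "ok:   $1 -> $2 (issuer '$(dn issuer "$WORK/$1.pem")' accepted)"
        else
            echo "FAIL: $1 -> $2 would send an empty Certificate"
        fi
    done
}

# Per-host CNs, as in the issue: the two nodes reject each other.
gen_selfsigned ns1 '/C=RU/ST=Tatarstan/O=CIT RT/CN=ns1.dns.mgmt'
gen_selfsigned ns2 '/C=RU/ST=Tatarstan/O=CIT RT/CN=ns2.dns.mgmt'
check_pair ns1 ns2

# Shared DN (the workaround from the thread): both directions pass.
# Every field must match, not only the CN, because the whole DN is compared.
gen_selfsigned node1 '/C=RU/ST=Tatarstan/O=CIT RT/CN=csync2'
gen_selfsigned node2 '/C=RU/ST=Tatarstan/O=CIT RT/CN=csync2'
check_pair node1 node2
```

Two caveats. A shared DN does not make the nodes interchangeable to csync2: the trace shows it fetching the stored peer certificate from its database (`SELECT certdata FROM x509_cert WHERE peername = 'ns2'`) and comparing the presented one against it, so identity rests on the pinned certificate rather than on the DN, and replacing a node's certificate will no longer match what the other nodes stored. And `nossl` removes the TLS layer altogether, leaving only the shared `key` authentication and plaintext file transfer, so it is a downgrade rather than a fix.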