aws / aws-codedeploy-agent

Host Agent for AWS CodeDeploy
https://aws.amazon.com/codedeploy
Apache License 2.0

Error validating the SSL configuration: Invalid server certificate #370

Closed mihirsp3178 closed 1 year ago

mihirsp3178 commented 1 year ago

Facing this issue even after rebooting the server as suggested by some articles.

system specification

Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

Codedeploy version : 1.2.1-1868

/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:65:in `validate'
/opt/codedeploy-agent/lib/instance_agent/agent/base.rb:11:in `runner'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:32:in `block in prepare_run'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:78:in `with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:31:in `prepare_run'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:64:in `block in prepare_run_with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:78:in `with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:63:in `prepare_run_with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:20:in `start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:206:in `block in spawn_child'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:204:in `fork'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:204:in `spawn_child'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:283:in `block (2 levels) in replace_terminated_children'
/opt/codedeploy-agent/vendor/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `block in create_with_logging_context'
2023-05-22 10:43:58 ERROR [codedeploy-agent(9107)]: booting child: error during start or run: SystemExit - exit - /opt/codedeploy-agent/lib/instance_agent/runner/child.rb:90:in `exit'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:90:in `rescue in with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:77:in `with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:31:in `prepare_run'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:64:in `block in prepare_run_with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:78:in `with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:63:in `prepare_run_with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:20:in `start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:206:in `block in spawn_child'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:204:in `fork'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:204:in `spawn_child'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:283:in `block (2 levels) in replace_terminated_children'
/opt/codedeploy-agent/vendor/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `block in create_with_logging_context'
2023-05-22 10:43:58 INFO  [codedeploy-agent(3867)]: master 3867: Received CHLD - cleaning dead child process
2023-05-22 10:43:58 INFO  [codedeploy-agent(3867)]: master 3867: been told to replace child 9107
2023-05-22 10:43:58 INFO  [codedeploy-agent(3867)]: master 3867: not enough child processes running - missing at least 1 - respawning
2023-05-22 10:44:03 INFO  [codedeploy-agent(3867)]: master 3867: Spawned child 1/1
2023-05-22 10:44:04 INFO  [codedeploy-agent(9135)]: On Premises config file does not exist or not readable
2023-05-22 10:44:04 INFO  [codedeploy-agent(9135)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2023-05-22 10:44:04 ERROR [codedeploy-agent(9135)]: InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControl: Error during certificate verification on codedeploy endpoint https://codedeploy-commands.ap-south-1.amazonaws.com
2023-05-22 10:44:04 ERROR [codedeploy-agent(9135)]: Error validating the SSL configuration: Invalid server certificate
2023-05-22 10:44:04 ERROR [codedeploy-agent(9135)]: booting child: error during start or run: SystemExit - Stopping CodeDeploy agent due to SSL validation error. - /opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:65:in `abort'

mwjones-aws commented 1 year ago

CodeDeploy Agent version 1.2.1 is no longer supported. Please install the latest CodeDeploy Agent supported for your OS and try again.

https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent.html

mihirsp3178 commented 1 year ago

Getting below error while updating the CodeDeploy Agent

Unhandled exception: #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

mwjones-aws commented 1 year ago

Can you reach codedeploy-commands.us-east-1.amazonaws.com from your host? Could you try to ping it from the host? Please replace us-east-1 with your AWS region.

mwjones-aws commented 1 year ago

> Getting below error while updating the CodeDeploy Agent

Could you provide a little more information, including more logs/output? Was the new CodeDeployAgent installed?

mihirsp3178 commented 1 year ago

I tried the whole update process again and now I am getting the below error after sudo ./install auto

I, [2023-05-22T15:43:41.104312 #19246] INFO -- : Starting Ruby version check.
I, [2023-05-22T15:43:41.104615 #19246] INFO -- : Starting update check.
I, [2023-05-22T15:43:41.104809 #19246] INFO -- : Attempting to automatically detect supported package manager type for system...
I, [2023-05-22T15:43:41.112748 #19246] INFO -- : Checking AWS_REGION environment variable for region information...
I, [2023-05-22T15:43:41.112944 #19246] INFO -- : Checking EC2 metadata service for region information...
I, [2023-05-22T15:43:41.126774 #19246] INFO -- : Checking AWS_DOMAIN environment variable for domain information...
I, [2023-05-22T15:43:41.127078 #19246] INFO -- : Checking EC2 metadata service for domain information...
I, [2023-05-22T15:43:41.134459 #19246] INFO -- : Downloading version file from bucket aws-codedeploy-ap-south-1 and key latest/LATEST_VERSION...
I, [2023-05-22T15:43:41.134828 #19246] INFO -- : Endpoint: https://aws-codedeploy-ap-south-1.s3.ap-south-1.amazonaws.com/latest/LATEST_VERSION
W, [2023-05-22T15:43:41.144241 #19246] WARN -- : Could not find version file to download at 'https://aws-codedeploy-ap-south-1.s3.ap-south-1.amazonaws.com/latest/LATEST_VERSION' - Retrying... Attempt: '0'
W, [2023-05-22T15:43:42.147415 #19246] WARN -- : Could not find version file to download at 'https://aws-codedeploy-ap-south-1.s3.ap-south-1.amazonaws.com/latest/LATEST_VERSION' - Retrying... Attempt: '1'
W, [2023-05-22T15:43:44.152196 #19246] WARN -- : Could not find version file to download at 'https://aws-codedeploy-ap-south-1.s3.ap-south-1.amazonaws.com/latest/LATEST_VERSION' - Retrying... Attempt: '2'
W, [2023-05-22T15:43:48.156959 #19246] WARN -- : Could not find version file to download at 'https://aws-codedeploy-ap-south-1.s3.ap-south-1.amazonaws.com/latest/LATEST_VERSION' - Retrying... Attempt: '3'
W, [2023-05-22T15:43:56.161572 #19246] WARN -- : Could not find version file to download at 'https://aws-codedeploy-ap-south-1.s3.ap-south-1.amazonaws.com/latest/LATEST_VERSION' - Retrying... Attempt: '

Also, I am able to ping the server:

ping codedeploy-commands.ap-south-1.amazonaws.com
PING codedeploy-commands.ap-south-1.amazonaws.com (52.95.88.229) 56(84) bytes of data.
64 bytes from 52.95.88.229 (52.95.88.229): icmp_seq=1 ttl=248 time=1.23 ms
64 bytes from 52.95.88.229 (52.95.88.229): icmp_seq=2 ttl=248 time=1.28 ms
64 bytes from 52.95.88.229 (52.95.88.229): icmp_seq=3 ttl=248 time=1.26 ms
64 bytes from 52.95.88.229 (52.95.88.229): icmp_seq=4 ttl=248 time=1.24 ms
64 bytes from 52.95.88.229 (52.95.88.229): icmp_seq=5 ttl=248 time=1.25 ms

mwjones-aws commented 1 year ago

I'm guessing you may be having problems making HTTPS calls from this instance.

Is this an EC2 instance? How long has it been running?

mihirsp3178 commented 1 year ago

This is an EC2 instance. It was running for a very long time (2-3 years) and suddenly we started facing this issue. Is there any way we can check if the instance has problems making HTTPS calls?

mwjones-aws commented 1 year ago

> Is there any way we can check if the instance has problems making HTTPS calls?

wget https://amazon.com

> This is an EC2 instance. It was running for a very long time (2-3 years) and suddenly we started facing this issue

What's your process for patching the instance? Specifically, do you have a process for downloading new Certificate Authority (CA) bundles?

mihirsp3178 commented 1 year ago

I found the exact issue. Somehow I found an OpenSSL installed in the /usr/local location.

If the folder /usr/local/ssl/ exists, check that the file /usr/local/ssl/cert.pem exists; if not, run the following command

I was thinking about deleting the new installation, but instead I did:

sudo ln -s /etc/ssl/certs/ca-certificates.crt /usr/local/ssl/cert.pem

It worked for me and I upgraded the CodeDeploy Agent to the latest version now.

Thanks @mwjones-aws for all the help & hope this will help others as well.
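
The root cause found in this thread, a Ruby linked against an OpenSSL build whose default CA file (/usr/local/ssl/cert.pem) did not exist, can be checked directly from Ruby. The following is an added example, not part of the original thread or of the CodeDeploy agent; the helper names `inspect_trust_store`, `count_pem_certs` and `default_trust_store` are hypothetical.

```ruby
require "openssl"
require "tmpdir"

# Count PEM certificate blocks in a CA bundle file.
def count_pem_certs(path)
  File.read(path).scan(/-----BEGIN CERTIFICATE-----/).size
end

# Inspect the CA file and CA directory an OpenSSL build falls back to.
# cert_dir may be a PATH_SEPARATOR-separated list, as SSL_CERT_DIR allows.
def inspect_trust_store(cert_file, cert_dir)
  file_state =
    if File.symlink?(cert_file) && !File.exist?(cert_file)
      :dangling_symlink            # link target was removed or never existed
    elsif !File.exist?(cert_file)
      :missing                     # the situation described in this thread
    elsif !File.readable?(cert_file)
      :unreadable
    else
      count_pem_certs(cert_file).zero? ? :no_certificates : :ok
    end
  # Rough check only: a usable CA directory needs hash-named entries.
  dir_entries = cert_dir.split(File::PATH_SEPARATOR)
                        .select { |d| Dir.exist?(d) }
                        .sum { |d| Dir.children(d).size }
  { cert_file: cert_file, file_state: file_state,
    cert_dir: cert_dir, dir_entries: dir_entries,
    usable: file_state == :ok || dir_entries.positive? }
end

# Resolve the locations the way OpenSSL does: the SSL_CERT_FILE and
# SSL_CERT_DIR environment variables win over the compiled-in defaults.
def default_trust_store(env = ENV)
  file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV]  || OpenSSL::X509::DEFAULT_CERT_DIR
  inspect_trust_store(file, dir)
end

if __FILE__ == $PROGRAM_NAME
  # Shows which OpenSSL the running Ruby is actually linked against.
  puts "Ruby is linked against: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  default_trust_store.each { |key, value| puts "#{key}: #{value}" }
end
```

Run it with the same Ruby interpreter the agent or installer uses; a `file_state` of `missing` together with `usable: false` matches the "unable to get local issuer certificate" error above.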