Open andy-dufour opened 7 years ago
I apologize for any pain updating the cipher suite has caused. chef/chef-server/pull/1007 was merged yesterday and addressed some compatibility with AWS Classic ELBs by adding AES256-GCM-SHA384 back into the cipher suite. It is possible this change will also address this issue by preventing the problem from arising, however this will need to be verified with either a version of chef-server from the current channel or the next release.
Also, it is possible limiting TLS to v1.2 in server may have been too restrictive for pushy with pushy's current configuration.
/cc @chef/server-team
@andy-dufour Thank you for reporting the issue. We will try reproducing this with push-jobs-server2, since issues with push-jobs-server1 will not be fixed.
After install, you'll receive the following error anytime a pushy API is hit:
2016-11-09 18:21:19.923 [error] <0.279.0> Webmachine error at path "/organizations/delivery/pushy/node_states" : {throw,{error,{conn_failed,{error,closed}}},[{pushy_http_common,fetch_authenticated,2,[{file,"src/pushy_http_common.erl"},{line,44}]},{pushy_org,fetch_org_id,1,[{file,"src/pushy_org.erl"},{line,38}]},{pushy_object,fetch_org_id,1,[{file,"src/pushy_object.erl"},{line,45}]},{pushy_wm_base,verify_request_signature,2,[{file,"src/pushy_wm_base.erl"},{line,157}]},{pushy_wm_base,is_authorized,2,[{file,"src/pushy_wm_base.erl"},{line,135}]},{webmachine_resource,resource_call,3,[{file,"src/webmachine_..."},...]},...]}
This was caused by TLS and cipher suite changes on the Chef server, and pushy servers http client libraries can no longer make requests to the Chef server with the new defaults added via this commit:
https://github.com/chef/chef-server/commit/ec8a5e25646ef278f74c37adb0a3054bc256003d
To validate this was the problem, on a chef-server 12.10 machine I ensured push server failed (knife node status returned an HTTP status code 500, and pushy server logs showed the above). I set the following in my chef-server.rb:
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
and reconfigured chef server. knife node status now returns the correct results.
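As an added example (not from this issue or the push-jobs/chef-server projects), a Python check that models the compatibility failure described in this thread: it expands two OpenSSL cipher strings with the local OpenSSL, intersects the nginx-style ssl_protocols lists, and reports which suites a server and client could actually negotiate. The server strings and the legacy-client string below are constructed assumptions for illustration, not pushy's real client configuration.

```python
import ssl

# Minimum protocol version OpenSSL reports per suite, ranked so we can compare.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2,
                "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed cipher strings for illustration (assumptions, not pushy's or
# chef-server's real settings): a PFS-only server suite, the same suite with
# the RSA-key-exchange AES256-GCM-SHA384 added back, and a client that only
# offers RSA key exchange, as an older HTTP client library might.
RESTRICTED_SERVER = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5"
RELAXED_SERVER = RESTRICTED_SERVER + ":AES256-GCM-SHA384"
LEGACY_CLIENT = "AES256-GCM-SHA384:AES128-SHA"


def suites_usable(cipher_string, max_protocol):
    """Expand an OpenSSL cipher string with the local OpenSSL and keep, in
    preference order, the suites whose minimum version fits under max_protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing at all matches
    limit = VERSION_RANK[max_protocol]
    return [c["name"] for c in ctx.get_ciphers()
            if VERSION_RANK.get(c["protocol"], 99) <= limit]


def negotiable(server_ciphers, server_protocols, client_ciphers, client_protocols):
    """Suites both sides could agree on, in server preference order (nginx
    honours ssl_prefer_server_ciphers). Protocol lists use the nginx
    ssl_protocols form, e.g. "TLSv1 TLSv1.1 TLSv1.2"."""
    common = set(server_protocols.split()) & set(client_protocols.split())
    if not common:
        return []  # no shared protocol version: handshake fails before ciphers matter
    top = max(common, key=VERSION_RANK.__getitem__)
    client_set = set(suites_usable(client_ciphers, top))
    return [s for s in suites_usable(server_ciphers, top) if s in client_set]


if __name__ == "__main__":
    for label, server in (("restricted", RESTRICTED_SERVER), ("relaxed", RELAXED_SERVER)):
        print(label, "server, TLSv1.2 only:",
              negotiable(server, "TLSv1.2", LEGACY_CLIENT, "TLSv1 TLSv1.1 TLSv1.2")
              or "NO COMMON SUITE")
    print("relaxed server vs TLS<=1.1 client:",
          negotiable(RELAXED_SERVER, "TLSv1.2", LEGACY_CLIENT, "TLSv1 TLSv1.1")
          or "NO COMMON PROTOCOL")
```

The empty results are the two failure modes the thread discusses: a cipher list with no overlap, and a server that only accepts TLSv1.2 talking to a client that never offers it.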