chef-boneyard / opscode-pushy-server

Chef Push Jobs Server
https://docs.chef.io/push_jobs.html
Apache License 2.0

opscode-pushy-server 1.* and Chef-server >= 12.10 do not work oob #154

Open andy-dufour opened 7 years ago

andy-dufour commented 7 years ago

After install, you'll receive the following error anytime a pushy API is hit:

2016-11-09 18:21:19.923 [error] <0.279.0> Webmachine error at path "/organizations/delivery/pushy/node_states" : {throw,{error,{conn_failed,{error,closed}}},[{pushy_http_common,fetch_authenticated,2,[{file,"src/pushy_http_common.erl"},{line,44}]},{pushy_org,fetch_org_id,1,[{file,"src/pushy_org.erl"},{line,38}]},{pushy_object,fetch_org_id,1,[{file,"src/pushy_object.erl"},{line,45}]},{pushy_wm_base,verify_request_signature,2,[{file,"src/pushy_wm_base.erl"},{line,157}]},{pushy_wm_base,is_authorized,2,[{file,"src/pushy_wm_base.erl"},{line,135}]},{webmachine_resource,resource_call,3,[{file,"src/webmachine_..."},...]},...]}

This was caused by TLS and cipher suite changes on the Chef server, and the pushy server's HTTP client libraries can no longer make requests to the Chef server with the new defaults added via this commit:

https://github.com/chef/chef-server/commit/ec8a5e25646ef278f74c37adb0a3054bc256003d

To validate this was the problem, on a chef-server 12.10 machine I ensured push server failed (knife node status returned an HTTP status code 500, and the pushy server logs showed the above).

I set the following in my chef-server.rb:

nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

and reconfigured chef server.

knife node status now returns the correct results.
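The failure the report describes is a TLS handshake that never completes (the Erlang client sees conn_failed / closed) because the server's nginx ssl_protocols and ssl_ciphers no longer overlap with what the client offers. The following is an added example, not code from the pushy or chef-server projects: it expands an OpenSSL cipher string with the local OpenSSL build and checks offline whether a client with a fixed set of protocol versions and suites could negotiate against a given nginx protocol/cipher pair. The permissive values are the ones from the comment above; the strict configuration and both client cipher lists are constructed stand-ins (the real tightened default is in the linked chef-server commit, and what pushy's client actually offered is not on this page).

```python
"""Offline TLS compatibility check for an nginx ssl_protocols / ssl_ciphers pair.

Added example for this issue; it is not code from the pushy or chef-server
projects. It expands the server's OpenSSL cipher string with the local
OpenSSL build and checks whether a client with a fixed set of protocol
versions and cipher suites could still complete a handshake.
"""
import ssl

# Values the reporter set in chef-server.rb (copied from the issue comment).
PERMISSIVE_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
PERMISSIVE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:"
    "!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:"
    "!KRB5-DES-CBC3-SHA"
)

# Constructed stand-in for a tightened default (TLS 1.2 only, forward-secret
# AES-GCM only). An assumption for the demonstration, NOT the real chef-server
# 12.10 setting, which lives in the commit linked from the issue.
STRICT_PROTOCOLS = "TLSv1.2"
STRICT_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
)

# Hypothetical client offers. LEGACY_CIPHERS models an old HTTP client stack
# that only has CBC/SHA-1 suites; it is not what pushy's client actually sent.
LEGACY_CIPHERS = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
MODERN_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
OLD_TO_12 = ["TLSv1", "TLSv1.1", "TLSv1.2"]

VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the ordered list of TLS 1.2-and-below
    suite names the local OpenSSL build offers for it. Returns [] when the
    string selects nothing (OpenSSL's "no cipher can be selected" error)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are not governed by the cipher string; leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def parse_nginx_protocols(value):
    """'TLSv1 TLSv1.1 TLSv1.2' -> {'TLSv1', 'TLSv1.1', 'TLSv1.2'}"""
    return set(value.split())


def check_handshake(server_protocols, server_ciphers, client_protocols, client_ciphers):
    """Decide whether a handshake can succeed, returning (ok, detail).

    Server cipher order wins (nginx with ssl_prefer_server_ciphers on) and the
    highest protocol version both sides support is chosen.
    """
    common_versions = parse_nginx_protocols(server_protocols) & set(client_protocols)
    if not common_versions:
        return False, "no common protocol version (server %s, client %s)" % (
            server_protocols, " ".join(client_protocols))
    version = max(common_versions, key=VERSION_ORDER.index)
    offered = set(client_ciphers)
    for name in expand_ciphers(server_ciphers):
        if name in offered:
            return True, "%s with cipher %s" % (version, name)
    return False, "no common cipher suite for %s (client offers %s)" % (
        version, ", ".join(client_ciphers))


if __name__ == "__main__":
    cases = [
        ("strict server, TLS1-only legacy client", STRICT_PROTOCOLS, STRICT_CIPHERS, ["TLSv1"], LEGACY_CIPHERS),
        ("strict server, TLS1.2 legacy-cipher client", STRICT_PROTOCOLS, STRICT_CIPHERS, OLD_TO_12, LEGACY_CIPHERS),
        ("permissive server, legacy client", PERMISSIVE_PROTOCOLS, PERMISSIVE_CIPHERS, OLD_TO_12, LEGACY_CIPHERS),
        ("strict server, modern client", STRICT_PROTOCOLS, STRICT_CIPHERS, ["TLSv1.2"], MODERN_CIPHERS),
    ]
    for label, sp, sc, cp, cc in cases:
        ok, detail = check_handshake(sp, sc, cp, cc)
        print("%-45s %s: %s" % (label, "OK  " if ok else "FAIL", detail))
```

The two FAIL cases show the two distinct ways the report's symptom can arise: no shared protocol version, or a shared version with no shared suite. Either one is a handshake failure, and the Erlang side reports both the same way, so the detail string is what tells you which knob (ssl_protocols or ssl_ciphers) to widen. The live equivalent against a real chef-server is openssl s_client -connect HOST:443 with -cipher (and a version flag such as -tls1 where the local OpenSSL build still supports it) set to what the client is believed to offer; a handshake failure there confirms the diagnosis before touching chef-server.rb.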

rhass commented 7 years ago

I apologize for any pain updating the cipher suite has caused. chef/chef-server/pull/1007 was merged yesterday and addressed some compatibility with AWS Classic ELBs by adding AES256-GCM-SHA384 back into the cipher suite. It is possible this change will also address this issue by preventing the problem from arising, however this will need to be verified with either a version of chef-server from the current channel or the next release.

rhass commented 7 years ago

Also, it is possible limiting TLS to v1.2 in the server may have been too restrictive for pushy with pushy's current configuration.

/cc @chef/server-team

PrajaktaPurohit commented 4 years ago

@andy-dufour Thank you for reporting the issue. We will try reproducing this with push-jobs-server2, since issues with push-jobs-server1 will not be fixed.