datacenter / ACI-Pre-Upgrade-Validation-Script

A script to run validations to detect potential issues that may cause an ACI fabric upgrade to fail
https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/
Apache License 2.0

APIC CA Cert Validation failing when running on 6.0.7 or 6.1.1 code #171

Open cody-skidmore opened 1 month ago

cody-skidmore commented 1 month ago

When running the 2.2.1 script against an APIC running 6.0.7e or 6.1.1f, the following is seen

[Check 57/67] APIC CA Cert Validation...
openssl cmd issue, send logs to TAC                                                      ERROR !!

It seems that when calling the /bin/openssl on these versions, we get a symbol lookup error:

/bin/openssl: symbol lookup error: /bin/openssl: undefined symbol: Camellia_set_key, version OPENSSL_1_1_0

Removing the /bin/ path on the openssl command allows the checks to run on this version. The need is to determine if the path is required on earlier versions of ACI for this check or if it should just be omitted. Additional verbosity for the error message would also be helpful.

From:

```python
# Generate csr for certreq
cmd = '/bin/openssl genrsa -out ' + key_pem + ' 2048'
cmd = cmd + ' && /bin/openssl req -config ' + cert_gen_filename + ' -new -key ' + key_pem + ' -out ' + csr_pem
cmd = cmd + ' && /bin/openssl dgst -sha256 -hmac ' + passphrase + ' -out ' + sign + ' ' + csr_pem
logging.debug('cmd = '+''.join(cmd))
genrsa_proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
genrsa_proc.communicate()[0].strip()
if genrsa_proc.returncode != 0:
    print_result(title, ERROR, 'openssl cmd issue, send logs to TAC')
    return ERROR
```

To:

```python
# Generate csr for certreq
cmd = 'openssl genrsa -out ' + key_pem + ' 2048'
cmd = cmd + ' && openssl req -config ' + cert_gen_filename + ' -new -key ' + key_pem + ' -out ' + csr_pem
cmd = cmd + ' && openssl dgst -sha256 -hmac ' + passphrase + ' -out ' + sign + ' ' + csr_pem
logging.debug('cmd = '+''.join(cmd))
genrsa_proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
genrsa_proc.communicate()[0].strip()
if genrsa_proc.returncode != 0:
    print_result(title, ERROR, 'openssl cmd issue, send logs to TAC')
    return ERROR
```
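The two points raised in the issue (whether the hard-coded `/bin/` prefix is needed, and that the error text hides the real cause) can be addressed together. The Python 3 sketch below is an added illustration, not the project's code: `resolve_openssl`, `run_openssl_steps` and `generate_csr` are hypothetical names, and the three steps mirror the script's genrsa / req / dgst pipeline. The binary is located by PATH lookup first with the absolute paths as fallbacks, each step runs without `shell=True`, and a failure returns the failing command plus its captured stderr (which is where the loader's "symbol lookup error" line ends up), so the caller can log something more useful than "send logs to TAC".

```python
import shutil
import subprocess


def resolve_openssl(candidates=("openssl", "/bin/openssl", "/usr/bin/openssl")):
    """Return the first usable openssl executable, preferring a PATH lookup.

    shutil.which() checks an absolute candidate directly and searches PATH
    for a bare name, so one loop covers both forms of the command.
    """
    for cand in candidates:
        found = shutil.which(cand)
        if found:
            return found
    return None


def run_openssl_steps(openssl, steps):
    """Run each argument list under the given openssl binary, stopping at
    the first failure.  Returns (ok, message); on failure the message names
    the command, its exit status and its merged stdout/stderr output."""
    for args in steps:
        argv = [openssl] + list(args)
        try:
            proc = subprocess.run(argv, stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT, universal_newlines=True)
        except OSError as exc:  # binary missing or not executable
            return False, "could not execute %s: %s" % (argv[0], exc)
        if proc.returncode != 0:
            return False, "'%s' exited %d: %s" % (" ".join(argv), proc.returncode,
                                                   proc.stdout.strip())
    return True, "ok"


def generate_csr(key_pem, csr_pem, sign, cert_gen_filename, passphrase, openssl=None):
    """Same three-step pipeline as the check, with structured error reporting.
    The returned message is meant to be passed to the caller's print_result()."""
    openssl = openssl or resolve_openssl()
    if openssl is None:
        return False, "no usable openssl binary found on PATH, /bin or /usr/bin"
    steps = [
        ["genrsa", "-out", key_pem, "2048"],
        ["req", "-config", cert_gen_filename, "-new", "-key", key_pem, "-out", csr_pem],
        ["dgst", "-sha256", "-hmac", passphrase, "-out", sign, csr_pem],
    ]
    return run_openssl_steps(openssl, steps)
```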