help-cfengine

(resolved!) Re: ANNOYING Key Trust Issue. help.


From: Adam M. Dunn
Subject: (resolved!) Re: ANNOYING Key Trust Issue. help.
Date: Mon, 28 Nov 2005 12:32:44 -0600 (CST)

Ok all.  I don't know the details of WHY this fixed it, but it did.
Here's what I did:

Normally when I build Cfengine binaries for a platform I use a custom
script I wrote to unpack BerkeleyDB, OpenSSL, and Cfengine and build them
all at the same time with my common config options, then zip them up in a 
tar.gz for distribution.  This way I always ensure a consistently built
package that doesn't rely on an OS distribution's take on compiling
something.

The problem was OpenSSL on the client.  My client was running SuSE 9.3
64bit on Opteron.  I was building openssl-0.9.7d with default options for
that platform which means "./Configure linux-x86-64; make".  Everything
compiled fine, and so did Cfengine.  However, since this problem seemed
to be a Cfengine Key issue I started investigating OpenSSL.  I went 
ahead and rebuilt CFengine using the SuSE RPM based OpenSSL instead
("--with-openssl=/usr"), which is also the same version I was using, and the
remote copy mechanism started working.  This leads me to believe the SuSE
people did some manual modification of the build options under OpenSSL to
make it build better under Linux-x86-64, so it must be an OpenSSL 
configure script issue with the Linux-x86-64 option (for those who are
familiar with building OpenSSL).  Anyway, the RPM solution is great, it
solves my problem, but man I hate when things don't work like they're
documented.  I guess Linux 64 support out of the box is still lagging in
some areas.


PS. Thanks Ed for trying to assist.



~Adam




On Wed, 23 Nov 2005, Adam M. Dunn wrote:

> 
> Hi all.  Don't you hate it when you get hung up on the most basic
> problem...  I've been using cfengine for quite a while, and am in
> the process of setting all back up on a new network with new servers and
> everything, so I've done this before.  I know pretty well all about how
> the copies and key exchanging works, but am running into a REALLY annoying
> problem.  I've spent way more time than I feel I should be on a problem
> like this so I'm wondering if it's not a bug or something.  I've imported
> some of my old cfengine policies to test, and even rewritten very basic
> ones to try and get it to work.  Here's my problem:
> 
> I can't get my new policy host to trust keys or copy files around.  I've
> tried importing some of my old cfengine policies that work for testing, 
> I've rewritten very basic ones to try and get it to work without using
> variables. I've also tried manually copying keys around and no luck.  All
> clients are in DNS, and I've also tried binding cfservd to interfaces.  I
> even tried the nasty SkipVerify option.  
> 
> I'll list config files and debug output.  If someone can help I'd really
> appreciate it!  Server is lucy.mydomain.com (10.10.13.12), client is
> snake.mydomain.com (10.10.13.99).  All are running version 2.1.17 and
> compiled against the same versions of db-4.2.52 and openssl-0.9.7d with
> the same settings.
> 
> 






