Status: Accepted
Owner: [email protected]
Labels: Type-Enhancement Priority-Medium Milestone-Release2.10
New issue 853 by [email protected]: SSL keys with different encodings cause
certificate inconsistencies
http://code.google.com/p/ganeti/issues/detail?id=853
What steps will reproduce the problem?
1. Create a cluster with a few nodes on Debian squeeze.
2. For all nodes except the master:
- offline the node
- reinstall the node with Ubuntu
- add the node to the cluster again
3. Run 'gnt-cluster verify'
What is the expected output? What do you see instead?
Cluster verify will complain that 'server.pem' is inconsistent between the
master node and the new nodes. Inspecting the server.pem files shows that
the private key differs, but the certificate part is the same.
The problem is that on adding a node, the server.pem key is loaded from the
master node, then written to the disk using the openssl library.
Apparently, a newer library encodes the private key differently than the
old one, which is why the private key of the newly added nodes differs from
the key that was originally written with a different openssl version.
Workaround:
Running 'gnt-cluster renew-crypto --new-server-certificate' rewrites all
server.pems with the new encoding and from then on adding new nodes will
not cause any problems.
Fixes:
- Check in tools/node_daemon_setup.py if the encoding differs and emit a
warning and advise to run renew-crypto.
- Do not re-encode the key, but write out exactly the file that the new
node received from the master.
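A sketch of the check proposed under "Fixes", added here as an example and not taken from Ganeti's code: it tells a server.pem that differs only in private-key encoding apart from one that holds a different key or certificate. It assumes an RSA key and that the two encodings are the PEM forms `RSA PRIVATE KEY` (PKCS#1) and `PRIVATE KEY` (PKCS#8), which the report does not state; all function names and the sample data are constructed for illustration.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Map each PEM label in text to its decoded DER bytes."""
    return {label: base64.b64decode(body) for label, body in PEM_RE.findall(text)}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_der(blocks):
    """Return the PKCS#1 RSAPrivateKey DER, unwrapping a PKCS#8 container."""
    if "RSA PRIVATE KEY" in blocks:
        return blocks["RSA PRIVATE KEY"]
    _, info, _ = read_tlv(blocks["PRIVATE KEY"], 0)  # PrivateKeyInfo SEQUENCE
    _, _, pos = read_tlv(info, 0)                    # version
    _, _, pos = read_tlv(info, pos)                  # AlgorithmIdentifier
    return read_tlv(info, pos)[1]                    # OCTET STRING payload

def compare_server_pem(master, node):
    """Classify why two server.pem texts differ (DER is canonical)."""
    if master == node:
        return "identical"
    m, n = pem_blocks(master), pem_blocks(node)
    if m.get("CERTIFICATE") != n.get("CERTIFICATE"):
        return "certificate differs"
    if rsa_key_der(m) == rsa_key_der(n):
        return "same key, different encoding"
    return "private key differs"

# --- constructed sample input: toy RSA numbers, placeholder certificate ---
def tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form lengths only
def pem(label, der):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"
def toy_key(d):
    ints = [0, 3233, 17, d, 61, 53, 53, 49, 38]  # version, n, e, d, p, q, dP, dQ, qInv
    return tlv(0x30, b"".join(tlv(2, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints))
RSA_ALG = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
CERT = pem("CERTIFICATE", b"constructed placeholder, not a real certificate")
MASTER = CERT + pem("RSA PRIVATE KEY", toy_key(2753))
NODE = CERT + pem("PRIVATE KEY", tlv(0x30, tlv(2, b"\0") + RSA_ALG + tlv(4, toy_key(2753))))
```

A "same key, different encoding" result is the case where the warning and the renew-crypto advice from the report would apply.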