MCollective / MCO-771

MCollective no longer ignores CN in ActiveMQ connector certificate

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: MCO 2.8.8
    • Fix Version/s: MCO 2.11.0
    • Component/s: CLI, DOCS
    • Labels:
      None
    • Environment:

      Ubuntu 16.04

    • Template:
    • Team:
      Dumpling
    • Story Points:
      1
    • Sprint:
      FF 2017-05-16, FF 2017-05-30
    • Release Notes:
      Not Needed

      Description

      Ever since upgrading the puppet-agent package from 1.5.2-1xenial to 1.5.3-1xenial, I can no longer run any MCollective queries:

      supervisor@mco1:~$ mco find -v
      error 2016/07/25 18:47:56: activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@activemq1.example.com:61614 failed: hostname "activemq1.example.com" does not match the server certificate
      error 2016/07/25 18:47:56: activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@activemq1.example.com:61614 failed: hostname "activemq1.example.com" does not match the server certificate
      error 2016/07/25 18:47:56: activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@activemq2.example.com:61614 failed: hostname "activemq2.example.com" does not match the server certificate
      error 2016/07/25 18:47:56: activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@activemq1.example.com:61614 failed: hostname "activemq1.example.com" does not match the server certificate
      error 2016/07/25 18:47:56: activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@activemq1.example.com:61614 failed: hostname "activemq1.example.com" does not match the server certificate
      ^C
      The find application failed to run: Could not connect to ActiveMQ Server:

      Could not connect to ActiveMQ Server: (RuntimeError)
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/connector/activemq.rb:273:in `rescue in connect' <----
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/connector/activemq.rb:221:in `connect'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/client.rb:36:in `block in initialize'
      from /opt/puppetlabs/puppet/lib/ruby/2.1.0/timeout.rb:75:in `timeout'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/client.rb:35:in `initialize'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/rpc/client.rb:49:in `new'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/rpc/client.rb:49:in `initialize'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/rpc.rb:73:in `new'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/rpc.rb:73:in `rpcclient'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/application.rb:362:in `rpcclient'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/application/find.rb:5:in `main'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/application.rb:293:in `run'
      from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/mcollective/applications.rb:23:in `run'
      from /opt/puppetlabs/bin/mco:33:in `<main>'
      supervisor@mco1:~$

      Downgrading helps.

      Note that the CN of my ActiveMQ nodes is "mcollective-node", which does not match DNS, nor, according to the docs, should it:

      "Unlike with a puppet master, the cert’s common name can be anything; it doesn’t have to be the node’s hostname or FQDN."
      https://docs.puppet.com/mcollective/deploy/middleware/activemq_keystores.html#option-b-get-a-new-certificate-from-the-puppet-ca

      Long story short, this update breaks many installations, which were done according to the docs. It would have been nice to get a notice in advance...

            People

            • Assignee:
              Unassigned
              Reporter:
              ernetas Ernestas Lukoševičius
            • Votes:
              2
              Watchers:
              7
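A pre-upgrade check for the mismatch described in this ticket, as an added example (not code from MCollective or from the reporter): it runs Ruby's standard-library hostname check, `OpenSSL::SSL.verify_certificate_identity`, against the broker hostnames from the log. The helpers `build_cert`, `presented_names` and `mismatched_hosts` are hypothetical names, and both certificates are constructed, self-signed samples.

```ruby
require 'openssl'

# Constructed stand-in for a broker certificate: self-signed, with the given
# CN and optional DNS subjectAltName entries. Not a real deployment cert.
def build_cert(common_name, san_dns = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless san_dns.empty?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    san = san_dns.map { |name| "DNS:#{name}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Names the certificate presents: subject CN values plus any SAN entries.
def presented_names(cert)
  cns = cert.subject.to_a.select { |oid, _| oid == 'CN' }.map { |_, v| "CN:#{v}" }
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  cns + (san ? san.value.split(/,\s*/) : [])
end

# Broker hostnames a verifying client would reject for this certificate.
def mismatched_hosts(cert, hosts)
  hosts.reject { |host| OpenSSL::SSL.verify_certificate_identity(cert, host) }
end

if __FILE__ == $PROGRAM_NAME
  hosts = %w[activemq1.example.com activemq2.example.com] # hostnames from the log
  { 'CN only' => build_cert('mcollective-node'),
    'CN + SAN' => build_cert('mcollective-node', hosts) }.each do |label, cert|
    puts "#{label}: presents #{presented_names(cert).inspect}, " \
         "rejected for #{mismatched_hosts(cert, hosts).inspect}"
  end
end
```

To audit a real broker certificate, pass `OpenSSL::X509::Certificate.new(File.read(path))` to `mismatched_hosts` together with the hostnames from the connector configuration.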