[osiris] Re: HELP! Hours of session key negotiation failure
Justis Peters
josiris at vitrumenterprises.com
Thu Nov 9 17:44:00 EST 2006
John,
My guess here is a total shot in the dark, but you've tried just about
everything one can imagine. I feel for you.
Is it possible that you have extremely tight firewalling enabled that is
blocking outgoing communication from the host back to the server? The
messages in the logs look like they could be exactly this. Maybe the
"error with SSL negotiation" is that it never manages to send its
session key, even though it has one. It is the "daemon did not present
session key" message on the osirismd side that makes me suspect this.
Whatever the solution is, I wish you good luck. I hope you get to sleep
tonight.
Kind regards,
Justis Peters
Total Home Integration
www.totalhomeintegration.com
John A. Sullivan III wrote:
> Sorry for the shout but it is for real. We have an emergency
> replacement server we're trying to put into production and, as a policy,
> we always place our systems under Osiris before putting them into
> production.
>
> We have been hung up for hours trying to get Osiris on this emergency
> host. When we try to connect to the host, we get:
> !! error: session key negotiation with remote host failed.
>
> The time stamps are correct on both devices. We have tried manually
> placing the osiris root CA cert on the client and deleting it. We've
> wiped the client installation (it was copied from another server) and
> recompiled and reinstalled. We've recycled the management console.
> We've tried different permissions on the /usr/local/osirisd and the CA
> cert it contains. I'm at my wit's end. More details below.
>
> Here is the sequence from the osirismd syslog:
> [400][mail1dc1.atlas][info] received status request.
> [600][mail1dc1.atlasgroup.net][err] daemon did not present session key.
> [600][mail1dc1.atlasgroup.net][err] session key negotiation failed.
>
> Here is the syslog on the client:
> [info] using root directory: /usr/local/osiris
> [err] loading root cert: /usr/local/osiris/osiris_root.pem.
> [info] SSL server running.
> [info] connection from: 192.168.26.2
> [err] error with SSL negotiation.
>
> If we manually copy in the root CA cert to /usr/local/osiris after
> checking the hash to make sure it is the same root CA cert as on the
> management console and with root ownership (-rw------- 1 root root 1338
> Nov 9 16:49 osiris_root.pem), and restarting osirisd, the client syslog
> looks like this:
> [info] using root directory: /usr/local/osiris
> [err] loading root cert: /usr/local/osiris/osiris_root.pem.
> [info] SSL server running.
> [info] server started on port: 2265.
> [info] connection from: 192.168.26.2
> [err] error with SSL negotiation.
>
> The management syslog is the same as before.
>
> If we change ownership of the root CA cert to osiris (-rw------- 1
> osiris osiris 1338 Nov 9 16:49 osiris_root.pem), and restart osirisd,
> we get:
> [info] using root directory: /usr/local/osiris
> [info] SSL server running.
> [info] server started on port: 2265.
> [info] connection from: 192.168.26.2
> [err] error with SSL negotiation.
>
> So the CA cert load error goes away but the communication with the
> management console still fails. The management syslog is the same as
> before.
>
> We have many other hosts that are working just fine. There is one thing
> different about this client. The client is living on a Xen 2.0.7
> virtual machine based upon Fedora Core 3. All the other VMs are FC3
> using openssl-0.9.7a-42.2. This device required Fedora Core 5 even
> though it is using the old Xen kernel. Thus, udev is broken. It is
> using openssl-0.9.8a-5.4.
>
> Just in case the agent compiled on the FC3 devices was linking to a
> different set of libraries, e.g., libssl.so.4 instead of libssl.so.6, I
> recompiled the agent on the new client and installed from scratch after
> manually deleting all traces of the previous osiris installation.
> Unfortunately, that did not fix the problem.
>
> I'm running out of options and am facing a second all-nighter to fix this
> emergency. Any ideas on what to do to make this work? We are using
> osiris 4.1.9. Thanks VERY much - John
>
>