Re: [pcp] qa/713 certificate issue

To: Nathan Scott <nathans@xxxxxxxxxx>
Subject: Re: [pcp] qa/713 certificate issue
From: Ken McDonell <kenj@xxxxxxxxxxxxxxxx>
Date: Thu, 11 Apr 2013 06:23:48 +1000
Cc: PCP Mailing List <pcp@xxxxxxxxxxx>, Dave Brolley <brolley@xxxxxxxxxx>
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <2118509281.3098105.1365112490747.JavaMail.root@xxxxxxxxxx>
References: <5154CA71.3080200@xxxxxxxxxxxxxxxx> <5154CE91.1070506@xxxxxxxxxxxxxxxx> <516631560.605811.1364865050360.JavaMail.root@xxxxxxxxxx> <515B6533.9040405@xxxxxxxxxxxxxxxx> <2118509281.3098105.1365112490747.JavaMail.root@xxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130308 Thunderbird/17.0.4

On 05/04/13 08:54, Nathan Scott wrote:
> ...
> I'd suggest/recommend going through the step-by-step recipe in the secure conns
> howto (lab.secure.html in pcp-gui tutorial docs, or on oss) - we should be able
> to see at what point the wheels fall off then.  Or at least where your setup is
> deviating from that, and also shows how to dump certs, etc.  Dave may be able
> to help with further interactive debugging on irc while I'm away (he taught me
> everything I know :)

Thanks for that pointer ... qa/common.secure does not use exactly this recipe, 
which I thought may be an avenue of investigation, but I followed the recipe 
and see a similar failure mode to that observed in qa/712 and qa/713.

The hostname is bozo or bozo.localdomain.

Here's the transcript in the hope that someone can suggest what to try next ...


root@bozo:~/src/pcp/qa# certutil -d sql:/etc/pki/nssdb -S -x -n "Local CA certificate" -s "cn=Local PCP Installation, dc=localdomain" -t "CT,," -v 120 -k rsa

A random seed must be generated that will be used in the
...
Generating key.  This may take a few moments...

root@bozo:~/src/pcp/qa# certutil -d sql:/etc/pki/nssdb -S -n "PCP Collector certificate" -s "cn=bozo.localdomain" -8 "bozo" -c "Local CA certificate" -t "u,u,u" -v 120 -k rsa

A random seed must be generated that will be used in the
...

Generating key.  This may take a few moments...

root@bozo:~/src/pcp/qa# sudo /etc/init.d/pcp start
Waiting for pmcd to terminate ...
Starting pmcd ... 
Starting pmlogger ... 
root@bozo:~/src/pcp/qa# ps -ef | grep pmcd
pcp       8263     1  1 06:08 ?        00:00:00 /usr/lib/pcp/bin/pmcd -T 3
root      8483  6247  0 06:08 pts/17   00:00:00 grep --color=auto pmcd

root@bozo:~/src/pcp/qa# PCP_SECURE_SOCKETS=enforce pminfo sample.long.one
WARNING: issuer of certificate received from host bozo is not trusted.
SHA1 fingerprint is ED:F0:83:AB:A6:98:11:05:88:C8:A2:99:68:86:74:70:29:0E:8E:D4
Do you want to accept and save this certificate locally anyway (y/n)? 
[Thu Apr 11 06:09:08] pminfo(8548) Error: __pmGetPDU: fd=1024 hdr read: bad len=1
Error: sample.long.one: IPC protocol failure
You have new mail in /var/mail/root
root@bozo:~/src/pcp/qa# PCP_SECURE_SOCKETS=enforce pminfo sample.long.one
Error: sample.long.one: IPC protocol failure

Kaboom ... this is the same failure as the qa tests.

root@bozo:~/src/pcp/qa# certutil -d sql:/etc/pki/nssdb -L -n "Local CA certificate" -a

root@bozo:~/src/pcp/qa# cat /var/log/pcp/pmcd/pmcd.log
Log for pmcd on bozo started Thu Apr 11 06:08:00 2013


active agent dom   pid  in out ver protocol parameters
============ === ===== === === === ======== ==========
pmcd           2                 2 dso i:5  lib=/var/lib/pcp/pmdas/pmcd/pmda_pmcd.so entry=pmcd_init [0x7fa6977ed7c0]
linux         60                 2 dso i:4  lib=/var/lib/pcp/pmdas/linux/pmda_linux.so entry=linux_init [0x7fa6973bf3b0]
mmv           70                 2 dso i:4  lib=/var/lib/pcp/pmdas/mmv/pmda_mmv.so entry=mmv_init [0x7fa6971ad2d0]
logger       106  8310   9  10   2 bin pipe cmd=/var/lib/pcp/pmdas/logger/pmdalogger -d 106 /var/lib/pcp/config/logger/logger.conf
summary       27  8319  11  12   2 bin pipe cmd=/var/lib/pcp/pmdas/summary/pmdasummary -d 27 /usr/bin/pmie -x -t 10 /var/lib/pcp/pmdas/summary/expr.pmie
trivial      250  8332  13  14   2 bin pipe cmd=/var/lib/pcp/pmdas/trivial/pmdatrivial -d 250
simple       253  8342  15  16   2 bin pipe cmd=/var/lib/pcp/pmdas/simple/pmdasimple -d 253
sample        29  8350  17  18   2 bin pipe cmd=/var/lib/pcp/pmdas/sample/pmdasample -d 29
sampledso     30                 2 dso i:5  lib=/var/lib/pcp/pmdas/sample/pmda_sample.so entry=sample_init [0x7fa696fa1500]
sendmail      15  8366  21  22   2 bin pipe cmd=/var/lib/pcp/pmdas/sendmail/pmdasendmail -d 15
trace         10  8377  23  24   2 bin pipe cmd=/var/lib/pcp/pmdas/trace/pmdatrace -d 10

Host access list:
00 01 Cur/MaxCons host-spec                               host-mask                               lvl host-name
== == =========== ======================================= ======================================= === ==============
 y  y     0     0 192.168.1.100                           255.255.255.255                           0 localhost
    n     0     0 0.0.0.0                                 0.0.0.0                                   4 *


pmcd: PID = 8263, PDU version = 2
pmcd request port(s):
  sts fd   port  family address
  === ==== ===== ====== =======
  ok  1024 44321 inet   INADDR_ANY
  ok  1025 44321 ipv6   INADDR_ANY
[Thu Apr 11 06:09:07] pmcd(8263) Error: Unable to force secure handshake: I/O operation timed out
[Thu Apr 11 06:09:08] pmcd(8263) Error: __pmGetPDU: fd=1026 hdr read: bad len=1
[Thu Apr 11 06:09:53] pmcd(8263) Error: __pmGetPDU: fd=1026 hdr read: bad len=1
root@bozo:~/src/pcp/qa# > 

The mail sent to root when pmcd was restarted seems to be a red herring (it did
not happen when I restarted pmcd a second time):
        From root@bozo  Thu Apr 11 06:08:02 2013
        To: root@bozo
        Subject: pmlogger_check failed in /etc/init.d/pmlogger
        Date: Thu, 11 Apr 2013 06:08:02 +1000 (EST)
        From: root@bozo (root)

        Restarting primary pmlogger for host "bozo" ... [process 8414]  done
        Latest folio created for 20130411.06.08
