rsyslog connections fail with certificate verification errors after upgrade to 1.24.2
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
juju-core |
Fix Released
|
High
|
Andrew Wilkins | ||
1.24 |
Fix Released
|
Critical
|
Andrew Wilkins |
Bug Description
After upgrading a 1.24.0 envrion to 1.24.2 all non-state unit and machine agents are unable to connect to rsyslogd and continually report the following:
2015-07-15 00:41:36 DEBUG juju.worker runner.go:196 "rsyslog" started
2015-07-15 00:41:36 DEBUG juju.worker.rsyslog worker.go:222 making syslog connection for "juju-machine-8" to 10.254.26.3:6514
2015-07-15 00:41:36 DEBUG juju.worker runner.go:203 "rsyslog" done: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "juju-generated CA for environment \"rsyslog\"")
2015-07-15 00:41:36 ERROR juju.worker runner.go:223 exited "rsyslog": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "juju-generated CA for environment \"rsyslog\"")
2015-07-15 00:41:36 INFO juju.worker runner.go:261 restarting "rsyslog" in 3s
On the server side, the rsyslogd logs look like this following rsyslogd's restart after the upgrade:
Jul 15 00:12:26 ip-10-254-26-3 rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="8608" x-info="http://
Jul 15 00:12:26 ip-10-254-26-3 rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="8720" x-info="http://
Jul 15 00:12:26 ip-10-254-26-3 rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://
Jul 15 00:12:26 ip-10-254-26-3 rsyslogd-2221: module 'imuxsock' already in this config, cannot be added
[try http://
Jul 15 00:12:26 ip-10-254-26-3 rsyslogd: rsyslogd's groupid changed to 104
Jul 15 00:12:26 ip-10-254-26-3 rsyslogd: rsyslogd's userid changed to 101
Jul 15 00:12:26 ip-10-254-26-3 rsyslogd-2039: Could no open output pipe '/dev/xconsole': No such file or directory [try http://
Jul 15 00:12:27 ip-10-254-26-3 rsyslogd-2089: netstream session 0x7fbd88006490 will be closed due to error
[try http://
Jul 15 00:12:27 ip-10-254-26-3 rsyslogd-2089: netstream session 0x7fbd88005a00 will be closed due to error
[try http://
Jul 15 00:12:27 ip-10-254-26-3 rsyslogd-2089: netstream session 0x7fbd88007f20 will be closed due to error
[try http://
Jul 15 00:12:27 ip-10-254-26-3 rsyslogd-2089: netstream session 0x7fbd880059c0 will be closed due to error
[try http://
...
Rsyslog 2089 error refers to certificate verification issues.
What I did to reproduce (on EC2):
# With 1.24.0
juju bootstrap --upload-tools
juju ensure-availability # I did this, not sure if relevant
juju deploy ubuntu -n 3
# wait for things to stabilise
juju set-env tools-url=https:/
juju upgrade-juju --version="1.24.2"
Note: I was unable to reproduce the problem doing the same steps (but without HA) using the local provider.
Changed in juju-core: | |
status: | New → Triaged |
Changed in juju-core: | |
importance: | Critical → High |
milestone: | none → 1.25.0 |
Changed in juju-core: | |
status: | Triaged → In Progress |
assignee: | nobody → Andrew Wilkins (axwalk) |
status: | In Progress → Triaged |
Changed in juju-core: | |
status: | In Progress → Fix Committed |
Changed in juju-core: | |
status: | Fix Committed → Fix Released |
FWIW, I repro'd with ensure-availability but could not without ensure- availability. Not sure why that's relevant yet.