Connection issues when connecting to centos6 client no shared cipher

basd82 · November 3, 2023, 3:22pm

My centos6 loadbalancer appliance is not connecting to our centos satellite

We get error these errors:

critical/ApiListener: Client TLS handshake failed (from [123.4.5.6]:60906): no shared cipher

The client version info:

icinga2 - The Icinga 2 network monitoring daemon (version: 2.12.2-1)

Copyright (c) 2012-2023 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Loadbalancer.org Appliance v8.8.1 LBOS-7
  Platform version: ancer.org Appliance v8.8.1 LBOS-7
  Kernel: Linux
  Kernel version: 4.9.182-lb2-pv
  Architecture: x86_64

Build information:
  Compiler: GNU 7.3.1
  Build host: runner-hh8q3bz2-project-322-concurrent-0
  OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /var/run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /var/run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /var/run/icinga2/icinga2.pid

The Satelite version info :

icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.0-1)

Copyright (c) 2012-2023 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Ubuntu
  Platform version: 22.04.3 LTS (Jammy Jellyfish)
  Kernel: Linux
  Kernel version: 5.15.0-88-generic
  Architecture: x86_64

Build information:
  Compiler: GNU 11.3.0
  Build host: runner-hh8q3bz2-project-575-concurrent-0
  OpenSSL version: OpenSSL 3.0.2 15 Mar 2022

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

I know the satalite is running a newer version, but for centos there is no newer version availebol
Does that mean the client can connect ?

lorenz · November 7, 2023, 3:20pm

CentOS 7 is still a thing, although only until the next year (2024). And yes, it probably has a far too old OpenSSL and therefore the connection fails.

basd82 · November 7, 2023, 3:31pm

is there a workaround this ?

lorenz · November 7, 2023, 3:36pm

https://icinga.com/docs/icinga-2/latest/doc/09-object-types/#apilistener
The ApiListener objects allows you to use old TLS stuff on your own risk.
The real solution is, of course, to remove the EOL systems in your network.

basd82 · November 7, 2023, 4:12pm

Only things i can’t it’s our loadbalancer appliance

Do you witch cipher i must add to get it working ?

lorenz · November 12, 2023, 1:04pm

No idea to be honest, you could use something like https://testssl.sh/ to retrieve the cipherlist which is offered by the appliance