Endpoint does not connect to master because of too weak CA signature digest algorithm

Fernien · September 11, 2019, 7:27am

Hey,
i installed a new Proxmox Server and want to monitor it. I couldnt find the older icinga2 version i was using before for this server. I configured it like all my Endpoints who are all connected to satelites.

As far as I’m concerned this is causing the problem:

warning/ApiListener: Certificate validation failed for endpoint ‘porkpie.example.lan’: code 68: CA signature digest algorithm too weak

I cant make a new CA cert since I don’t have the time to roll it out on every server which is using this CA. Is there any way i can make icinga accept this ca cert?

anon66228339 · September 11, 2019, 10:36am

If you use check_pve you can enable the --insecure switch.

usage: check_pve.py [-h] -e API_ENDPOINT -u API_USER -p API_PASSWORD [-k] -m
                    {cluster,cpu,memory,storage,io_wait,updates,services,subscription,vm,replication}
                    [-n NODE] [--name NAME] [--vmid VMID]
                    [--ignore-service NAME] [-w TRESHOLD_WARNING]
                    [-c TRESHOLD_CRITICAL] [-M]

Check command for PVE hosts via API

optional arguments:
  -h, --help            show this help message and exit

API Options:
  -e API_ENDPOINT, --api-endpoint API_ENDPOINT
                        PVE api endpoint hostname
  -u API_USER, --username API_USER
                        PVE api user (e.g. icinga2@pve or icinga2@pam,
                        depending on which backend you have chosen in proxmox)
  -p API_PASSWORD, --password API_PASSWORD
                        PVE api user password
  -k, --insecure        Don't verify HTTPS certificate

Check Options:
  -m {cluster,cpu,memory,storage,io_wait,updates,services,subscription,vm,replication}, --mode {cluster,cpu,memory,storage,io_wait,updates,services,subscription,vm,replication}
                        Mode to use.
  -n NODE, --node NODE  Node to check (necessary for all modes except cluster)
  --name NAME           Name of storage or vm
  --vmid VMID           ID of virtual machine or container
  --ignore-service NAME
                        Ignore service NAME in checks
  -w TRESHOLD_WARNING, --warning TRESHOLD_WARNING
                        Warning treshold for check value
  -c TRESHOLD_CRITICAL, --critical TRESHOLD_CRITICAL
                        Critical treshold for check value
  -M                    Values are shown in MB (if available). Tresholds are
                        also treated as MB values

dnsmichi · September 12, 2019, 12:25pm

Can you share the text output of the public CA certificate?

openssl x509 -in ca.crt -text

Also, which version of icinga is running on both sides? icinga2 --version.

Cheers,
Michael

Fernien · September 12, 2019, 1:17pm

I would prefer not to install a lot of extra things to do this like the check_pve thing.

CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e2:00:f5:a9:c0:82:c5:a1
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = de, ST = rlp, L = zw, O = xinux, OU = it, CN = xin-ca
Validity
Not Before: Oct 2 10:55:09 2015 GMT
Not After : Sep 29 10:55:09 2025 GMT
Subject: C = de, ST = rlp, L = zw, O = xinux, OU = it, CN = xin-ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:97:84:95:ee:2b:b6:cc:ff:13:3b:41:90:ae:43:
4b:81:31:9b:79:80:04:ce:ae:b2:dc:76:a2:03:8d:
7f:e2:97:85:94:a3:e5:47:b7:f1:eb:78:4a:81:c9:
34:d3:44:c4:b4:e9:cc:9e:a4:32:17:c0:de:f4:42:
41:97:f9:ed:93:47:03:49:9d:57:ca:8c:f1:9f:d8:
3a:04:45:44:0b:ec:bb:a3:5c:c2:93:12:b4:9d:b2:
58:42:48:61:d7:4d:89:39:8d:bb:c0:a9:79:ce:f3:
56:31:8d:47:b5:7c:2f:19:3b:c0:a3:81:d5:e2:d0:
92:1e:7b:8c:b6:2a:57:b8:e0:ee:ac:f9:eb:49:5b:
e2:e4:60:c5:64:c8:6e:75:e3:c8:c8:eb:00:20:30:
24:a2:9d:51:36:23:4f:db:1d:f8:76:f7:27:12:74:
45:64:be:2d:9b:7b:c9:c4:93:10:bf:4a:f7:a5:95:
43:48:7c:6a:3a:18:2b:79:1e:71:75:e4:e7:f8:70:
6b:04:c7:59:f7:9e:60:19:68:3d:27:75:d6:f9:56:
12:ae:01:39:5f:47:bf:ed:f9:83:06:b6:be:c8:39:
13:76:23:4a:5e:80:a8:60:a4:e5:99:80:6f:8d:a3:
51:7d:e4:eb:30:72:b7:ba:8c:b6:b7:10:0c:24:fd:
34:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
9A:5E:FC:AB:D8:34:A7:CA:93:8A:EA:CC:C5:19:CA:F2:D7:04:3E:F9
X509v3 Authority Key Identifier:
keyid:9A:5E:FC:AB:D8:34:A7:CA:93:8A:EA:CC:C5:19:CA:F2:D7:04:3E:F9
DirName:/C=de/ST=rlp/L=zw/O=xinux/OU=it/CN=xin-ca
serial:E2:00:F5:A9:C0:82:C5:A1
X509v3 Subject Alternative Name:

            X509v3 Issuer Alternative Name: 
                <EMPTY>

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.xinux.de/ca/xin-ca.crl

    Signature Algorithm: sha1WithRSAEncryption
         8c:40:2d:09:97:ac:c2:50:32:00:75:3f:2e:4c:d2:39:ac:4e:
         03:08:6c:91:43:a4:94:b6:4a:a3:1d:53:2f:ad:67:67:fc:3e:
         0d:46:3d:5f:c2:59:52:80:9a:45:65:64:8b:bc:a4:a7:68:7c:
         f6:f6:6a:ea:49:f9:db:c3:87:81:dc:b9:9c:ad:20:97:1d:12:
         88:4d:a1:86:c9:9b:1f:35:c5:5d:34:22:2b:21:33:2a:7d:44:
         01:12:e3:1e:7f:26:48:c0:9c:85:7c:9f:de:47:18:1d:55:7b:
         6f:fc:06:d6:d0:7d:96:59:05:84:16:4d:9d:0c:c0:60:44:d2:
         84:b3:dc:84:4c:c4:c0:9c:7e:c7:aa:23:a8:52:d5:ee:bd:50:
         b1:00:7f:be:7f:86:13:85:70:66:be:33:01:51:c3:6e:fb:33:
         c8:fe:4d:d9:2a:03:11:58:8c:f1:00:35:5e:01:aa:e0:89:fa:
         c0:d2:72:f3:73:e1:bb:55:44:f7:49:dd:a5:14:4c:c1:88:3e:
         eb:78:41:9b:63:1f:d9:f2:fd:6d:4c:bc:e2:c0:f9:ce:c9:8b:
         c0:be:66:7a:b2:70:ca:0d:96:36:b6:8d:a2:28:1f:b8:2f:e9:
         28:c7:97:02:5f:c6:ba:97:8a:80:d4:e7:c3:0d:6c:36:c3:3c:
         4f:b8:cc:61
-----BEGIN CERTIFICATE-----
MIIERTCCAy2gAwIBAgIJAOIA9anAgsWhMA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNV
BAYTAmRlMQwwCgYDVQQIDANybHAxCzAJBgNVBAcMAnp3MQ4wDAYDVQQKDAV4aW51
eDELMAkGA1UECwwCaXQxDzANBgNVBAMMBnhpbi1jYTAeFw0xNTEwMDIxMDU1MDla
Fw0yNTA5MjkxMDU1MDlaMFYxCzAJBgNVBAYTAmRlMQwwCgYDVQQIDANybHAxCzAJ
BgNVBAcMAnp3MQ4wDAYDVQQKDAV4aW51eDELMAkGA1UECwwCaXQxDzANBgNVBAMM
Bnhpbi1jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJeEle4rtsz/
EztBkK5DS4Exm3mABM6ustx2ogONf+KXhZSj5Ue38et4SoHJNNNExLTpzJ6kMhfA
3vRCQZf57ZNHA0mdV8qM8Z/YOgRFRAvsu6NcwpMStJ2yWEJIYddNiTmNu8Cpec7z
VjGNR7V8Lxk7wKOB1eLQkh57jLYqV7jg7qz560lb4uRgxWTIbnXjyMjrACAwJKKd
UTYjT9sd+Hb3JxJ0RWS+LZt7ycSTEL9K96WVQ0h8ajoYK3kecXXk5/hwawTHWfee
YBloPSd11vlWEq4BOV9Hv+35gwa2vsg5E3YjSl6AqGCk5ZmAb42jUX3k6zByt7qM
trcQDCT9ND0CAwEAAaOCARQwggEQMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQD
AgEGMB0GA1UdDgQWBBSaXvyr2DSnypOK6szFGcry1wQ++TCBhgYDVR0jBH8wfYAU
ml78q9g0p8qTiurMxRnK8tcEPvmhWqRYMFYxCzAJBgNVBAYTAmRlMQwwCgYDVQQI
DANybHAxCzAJBgNVBAcMAnp3MQ4wDAYDVQQKDAV4aW51eDELMAkGA1UECwwCaXQx
DzANBgNVBAMMBnhpbi1jYYIJAOIA9anAgsWhMAkGA1UdEQQCMAAwCQYDVR0SBAIw
ADAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vd3d3LnhpbnV4LmRlL2NhL3hpbi1j
YS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAIxALQmXrMJQMgB1Py5M0jmsTgMIbJFD
pJS2SqMdUy+tZ2f8Pg1GPV/CWVKAmkVlZIu8pKdofPb2aupJ+dvDh4HcuZytIJcd
EohNoYbJmx81xV00IishMyp9RAES4x5/JkjAnIV8n95HGB1Ve2/8BtbQfZZZBYQW
TZ0MwGBE0oSz3IRMxMCcfseqI6hS1e69ULEAf75/hhOFcGa+MwFRw277M8j+Tdkq
AxFYjPEANV4BquCJ+sDScvNz4btVRPdJ3aUUTMGIPut4QZtjH9ny/W1MvOLA+c7J
i8C+ZnqycMoNlja2jaIoH7gv6SjHlwJfxrqXioDU58MNbDbDPE+4zGE=
-----END CERTIFICATE-----

Icinga versions:
Endpoint (Proxmox): version: r2.10.5-1
Satelite: version: v2.6.2
Master: version: r2.6.2-1

dnsmichi · September 12, 2019, 1:34pm

is the culprit, modern systems deny to use this old algorithm and suggested something like Signature Algorithm: sha256WithRSAEncryption or harder instead.

This has nothing to do with the plugin check_pve, but is a problem with the cluster communication. Also, having 2.6 on the master and satellite comes with problems with using a newer agent. 2.6 is out of support, not sure why they are that old. Upgrading them should be on your list.

Hence I am not sure if an upgrade solves this, since the CA won’t be touched with that. Also, the CA doesn’t look like as if it was created by Icinga itself but instead, created with xinux.de.

There’s the possibility to re-new the public CA certificate with generating a CA CSR and signing it again with the private CA key, inspired by this blog post and question.

This of course requires a modern openssl which uses SHA256 by default. Older openssl binaries do not support this, RHEL5 and SLES11 come to mind with OpenSSL 0.9.8.

cd /var/lib/icinga2/ca
openssl x509 -x509toreq -in ca.crt -signkey ca.key -out regenerated-ca.csr
cat > icinga2-ext.cnf <<EOF
[v3]
basicConstraints = critical,CA:true
EOF
openssl x509 -in regenerated-ca.csr -out regenerated-ca.crt -signkey ca.key -req -days 5475 -extensions v3 -extfile icinga2-ext.cnf
mv ca.crt ca.crt.borked
mv regenerated-ca.crt ca.crt

The new ca.crt file needs to be deployed to all Icinga nodes then.

Unfortunately I don’t see any other way than replacing the public CA certificate, the TLS handshake is something controlled by OpenSSL itself without configurable user settings. Also, SHA1 is deprecated and has been removed from many public applications as well.

Cheers,
Michael

kwisatz · November 22, 2019, 8:54pm

The same message can also show up when not the CA, but the server certificate uses a cipher that is considered too weak. In my case, the CA was fine, however, the server’s certificate was indeed a sha1WithRSAEncryption.

Leaving my original post here below, because yes, it took me a while to figure out where to look. In the Debian bug report, someone mentioned this, which made me realize my mistake:

Thank you for your feedback. You are right. I do not know why I was
checking the CA certificate only and not the server one. The CA one is
signed with SHA256 while the server one is signed with SHA1.

Original reply:

I’m seeing the same thing with a CA that uses sha256WithRSAEncryption between a Debian Stretch master and a Debian Buster client.

I’ve looked at some related threads (e.g. https://github.com/openssl/openssl/issues/3558), and I’ve seen that MD and SHA1 have been deprecated, but I don’t see SHA256 having received the same treatment.

CA:

root@host:~# openssl x509 -in /var/lib/icinga2/ca/ca.crt -noout -text                                                                          
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9d:[…]:bd
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Icinga CA

Versions:

| Machine | Master   | Agent    |
| Debian  | 9.11     | 10.2     |
| Icinga2 | 2.11.2-1 | 2.11.2-1 |
| openssl | 1.1.0l-1 | 1.1.1d-0 |

So could this be a problem with openssl?

I have further found this bug report, which also, eventually, mentions a sha1WithRSAEncryption, but applying the patch mentioned does also work here (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912604):

cat /etc/ssl/openssl.cnf
…
[system_default_sect]
MinProtocol = TLSv1.2
-CipherString = DEFAULT@SECLEVEL=2
+CipherString = DEFAULT@SECLEVEL=1