TLS error when connecting from Ubuntu 16 "Xenial"

When running the “icinga2 node wizard” on Ubuntu 16 “Xenial”, it fails with a “tlsv1 alert protocol version” during CR auto-signing:

information/cli: Fetching public certificate from master (1.2.3.4, 5665):

warning/TlsStream: OpenSSL error: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
critical/cli: Peer did not present a valid certificate.

When I use “curl” to connect to the Icinga server, that works:

curl -kv https://1.2.3.4:5665
...
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
...
< HTTP/1.1 401 Unauthorized

So the system itself does have support for a compatible TLS version.

The client is installed per these guidelines. It fetches the icinga2 packages from:

/etc/apt/sources.list.d/xenial-icinga.list:

deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/ubuntu icinga-xenial main
deb-src [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/ubuntu icinga-xenial main

Icinga client version: r2.4.1-1
Icinga server version: r2.13.7-1

It looks like the Icinga client uses an old TLS version, despite the OS being capable of doing TLS v1.2.

What options can I explore to connect to the server?

Ubuntu 16 is no longer supported, but there is an icinga2 version available that “should” still work in your setup: icinga2-bin_2.12.3-1.xenial_i386.deb

Try to find out why you installed icinga 2.4.1-1 instead of 2.12.3.

It turns out the Icinga repository wasn’t trusted, so it pulled the agent from a default source. The command to save the Icinga repository key must have failed without me noticing it.

It’s now connected to the satellite. Thanks for the hint!
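
A check for the failure described in the last post, as an added example that is not part of the original thread: it reads `apt-cache policy icinga2` output and reports whether the candidate version comes from packages.icinga.com. Both sample outputs are constructed, and the archive.ubuntu.com source line is an assumption about what the default source looks like.

```shell
# Print the source of every index that offers the candidate version,
# reading `apt-cache policy <pkg>` output on stdin.
candidate_origins() {
    awk '
        /^  Candidate:/   { cand = $2; next }
        /^        /       { if (cur == cand) print $2; next }     # "prio URL suite arch Packages"
        /^ / && in_table  { cur = ($1 == "***") ? $2 : $1; next } # version header line
        /Version table:/  { in_table = 1 }
    '
}

# Succeed only if the candidate is offered by the Icinga repository from sources.list.d.
candidate_from_icinga_repo() {
    candidate_origins | grep -q '^https://packages\.icinga\.com/'
}

# Constructed sample: Icinga repo not trusted, only the distribution archive offers icinga2.
POLICY_DISTRO_ONLY='icinga2:
  Installed: 2.4.1-1
  Candidate: 2.4.1-1
  Version table:
 *** 2.4.1-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample: Icinga repo key trusted, so its newer package becomes the candidate.
POLICY_ICINGA_REPO='icinga2:
  Installed: (none)
  Candidate: 2.12.3-1.xenial
  Version table:
     2.12.3-1.xenial 500
        500 https://packages.icinga.com/ubuntu icinga-xenial/main amd64 Packages
     2.4.1-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages'

for sample in "$POLICY_DISTRO_ONLY" "$POLICY_ICINGA_REPO"; do
    if printf '%s\n' "$sample" | candidate_from_icinga_repo; then
        echo "ok: candidate comes from packages.icinga.com"
    else
        echo "warn: candidate comes from: $(printf '%s\n' "$sample" | candidate_origins | tr '\n' ' ')"
    fi
done
```

On a real host, pipe `apt-cache policy icinga2` into `candidate_from_icinga_repo` before running the node wizard.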