[Csync2] Making SSL errors more helpful

Tim Owens Tim at dataview.co.nz
Wed Aug 26 01:54:53 CEST 2009


I have spent several days on this, and having succeeded, I thought I'd
record the events to save other less fortunate mortals.

We have three webservers, with the web root synchronised with csync2. We
added a fourth, and tried to add it to the synchronisation group. I just
got the error: "Establishing SSL connection failed", at both ends. Even
running csync2 through strace didn't shed any light on it.

I applied the patch supplied by Ben Klang, to display the actual error
from the GNUTLS library:
http://lists.linbit.com/pipermail/csync2/attachments/20061008/9e8b1dd3/csync2-conn-SSL-verbose-error.bin

This then produced the error: "The cipher type is unsupported." (as it
did for Mr Klang!)

Andreas Koenig gave a cryptic reply to that email, stating that he
created his certificates with the maximum expiration date.

After much coffee, realisation dawned. I deleted the old certificates
from the original servers, and recreated them according to the Csync2
paper. I also deleted them from all the csync2 databases:

# sqlite /var/lib/csync2/*
SQLite version 2.8.17
Enter ".help" for instructions
sqlite> DELETE FROM x509_cert;
sqlite> .exit

and restarted csync2 on all servers. All appears to be happy. I suspect
it continues to trust an expired certificate already in the database,
but not an unknown one.

Would be nice if both csync2 and GNUTLS were more descriptive in their
errors!

Tim
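The post never confirms what was wrong with the old certificates beyond the hint about expiration dates, and "The cipher type is unsupported." says nothing about validity periods. A check a practitioner would want before chasing cipher settings is simply reading notBefore/notAfter out of each peer's certificate. The following is an added example, not code from Tim's post or from the csync2 project: a minimal DER walker that extracts the Validity field from an X.509 certificate and reports whether it is expired. The two sample certificates are constructed inline (with dummy key and signature bits, so they are not real certificates); the function names `certificate_validity` and `check_cert` are this example's own. It also shows the RFC 5280 encoding rule that a far-future notAfter (2050 or later, as with a "maximum expiration date") is written as GeneralizedTime rather than UTCTime, which a parser must handle.

```python
# Added example (not from the Csync2 list post): a minimal DER walker that
# extracts notBefore/notAfter from an X.509 certificate and reports whether
# it is expired, so expiry can be ruled out before blaming ciphers.
# The sample certificates are constructed in this file; the key and
# signature bits are dummy placeholders, so they are NOT valid certificates.
from datetime import datetime, timezone

SEQ, SET, INT, OID, NULL, BITSTR, UTF8, UTCTIME, GENTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x03, 0x0C, 0x17, 0x18, 0xA0)


def der(tag, body):
    """Encode one DER TLV (short and long-form lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def encode_time(dt):
    """RFC 5280 rule: UTCTime for years 1950-2049, GeneralizedTime otherwise."""
    if 1950 <= dt.year <= 2049:
        return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    return der(GENTIME, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_sample_cert(not_before, not_after, cn="csync2-host"):
    """Constructed (unsigned) X.509 v3 skeleton used only as parser input."""
    sha256_rsa = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, cn.encode()))))
    validity = der(SEQ, encode_time(not_before) + encode_time(not_after))
    spki = der(SEQ, der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
               + der(BITSTR, b"\x00\x01"))  # dummy key bits
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01")
              + sha256_rsa + name + validity + name + spki)
    return der(SEQ, tbs + sha256_rsa + der(BITSTR, b"\x00\x00"))  # dummy signature


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_time(tag, raw):
    """Turn a UTCTime or GeneralizedTime value into an aware UTC datetime."""
    s = raw.decode("ascii")
    if not s.endswith("Z"):
        raise ValueError("DER certificate times must be Zulu")
    if tag == UTCTIME:                 # two-digit year, pivot at 50 per RFC 5280
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == GENTIME:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def certificate_validity(cert_der):
    """Walk Certificate -> tbsCertificate -> validity and decode both times."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)        # [0] version (optional) or serialNumber
    if tag == CTX0:
        _, _, pos = read_tlv(tbs, pos)    # serialNumber
    _, _, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)        # issuer Name
    _, validity, _ = read_tlv(tbs, pos)   # Validity SEQUENCE
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return decode_time(t1, nb), decode_time(t2, na)


def check_cert(cert_der, now=None):
    """Return 'expired', 'not yet valid' or 'valid' relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(cert_der)
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not yet valid"
    return "valid"


# Constructed sample inputs: one certificate that lapsed before the post was
# written, one with a far-future notAfter (which DER encodes as GeneralizedTime).
EXPIRED_CERT = build_sample_cert(datetime(2006, 1, 1, tzinfo=timezone.utc),
                                 datetime(2009, 1, 1, tzinfo=timezone.utc))
LONG_LIVED_CERT = build_sample_cert(datetime(2009, 8, 1, tzinfo=timezone.utc),
                                    datetime(2099, 12, 31, 23, 59, 59, tzinfo=timezone.utc))

if __name__ == "__main__":
    when = datetime(2009, 8, 26, tzinfo=timezone.utc)   # date of the list post
    for label, cert in (("expired", EXPIRED_CERT), ("long-lived", LONG_LIVED_CERT)):
        nb, na = certificate_validity(cert)
        print(f"{label}: {nb.isoformat()} .. {na.isoformat()} -> {check_cert(cert, when)}")
```

To run this against a real peer certificate, read the DER bytes from the file (or strip the PEM armour and base64-decode) and pass them to `check_cert`. The walker only reads the Validity field; it performs no signature or chain verification, which is exactly the point: it tells you whether a peer's certificate has lapsed without relying on the TLS library's error text.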


