Posted to issues@kudu.apache.org by "Todd Lipcon (JIRA)" <ji...@apache.org> on 2017/10/12 21:04:00 UTC

[jira] [Updated] (KUDU-1876) Poor error messages and behavior when webserver TLS is misconfigured

     [ https://issues.apache.org/jira/browse/KUDU-1876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated KUDU-1876:
------------------------------
    Labels: newbie  (was: )

> Poor error messages and behavior when webserver TLS is misconfigured
> --------------------------------------------------------------------
>
>                 Key: KUDU-1876
>                 URL: https://issues.apache.org/jira/browse/KUDU-1876
>             Project: Kudu
>          Issue Type: Bug
>          Components: security, supportability
>    Affects Versions: 1.3.0
>            Reporter: Adar Dembo
>              Labels: newbie
>
> I was playing around with Cloudera Manager's upcoming webserver TLS support and found a couple cases where misconfigurations led to confusing error messages and other weird behavior. I focused on *webserver_private_key_file*, *webserver_certificate_file*, and *webserver_private_key_password_cmd*.
> *webserver_private_key_file* is unset, but *webserver_certificate_file* and *webserver_private_key_password_cmd* are set: the server crashes (good) but with a fairly inscrutable error message:
> {noformat}
> I0213 18:49:50.606950  2265 webserver.cc:144] Webserver: Enabling HTTPS support
> I0213 18:49:50.607322  2265 webserver.cc:293] Webserver: set_ssl_option: cannot open /etc/adar_kudu_tls/cert.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
> W0213 18:49:50.607375  2265 net_util.cc:293] Failed to bind to 0.0.0.0:8051. Trying to use lsof to find any processes listening on the same port:
> I0213 18:49:50.607393  2265 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051' -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do  while [ $pid -gt 1 ] ; do    ps h -fp $pid ;    stat=($(</proc/$pid/stat)) ;    pid=${stat[3]} ;  done ; done
> W0213 18:49:50.632638  2265 net_util.cc:303] 
> F0213 18:49:50.632704  2265 master_main.cc:71] Check failed: _s.ok() Bad status: Network error: Webserver: Could not start on address 0.0.0.0:8051
> {noformat}
> *webserver_private_key_file*, *webserver_certificate_file*, and *webserver_private_key_password_cmd* are all set, but the password command script yields the wrong password: the server crashes (good) but the error message is inscrutable: 
> {noformat}
> I0213 18:35:34.581714 32633 webserver.cc:293] Webserver: set_ssl_option: cannot open /etc/adar_kudu_tls/cert.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> W0213 18:35:34.581794 32633 net_util.cc:293] Failed to bind to 0.0.0.0:8051. Trying to use lsof to find any processes listening on the same port:
> I0213 18:35:34.581811 32633 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051' -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do  while [ $pid -gt 1 ] ; do    ps h -fp $pid ;    stat=($(</proc/$pid/stat)) ;    pid=${stat[3]} ;  done ; done
> W0213 18:35:34.605216 32633 net_util.cc:303] 
> F0213 18:35:34.605254 32633 master_main.cc:71] Check failed: _s.ok() Bad status: Network error: Webserver: Could not start on address 0.0.0.0:8051
> {noformat}
> *webserver_private_key_file* and *webserver_private_key_password_cmd* are set, but *webserver_certificate_file* is not: the server starts up (probably bad?) and any attempt to access the webui on the https port yields a "This site can’t provide a secure connection" message in the browser with ERR_SSL_PROTOCOL_ERROR as the error code. I only tested with Chromium.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
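
As an added illustration (not part of the JIRA message and not Kudu's own code), a pre-flight check over the three flags named in the report can turn the first and third misconfigurations into explicit messages before the webserver tries to bind; the wrong-password case needs an actual key decrypt and is not covered here. `WebserverTlsFlags`, `CheckPem`, `ValidateWebserverTls` and the all-or-nothing policy for certificate and key are assumptions of this sketch.

```cpp
#include <fstream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical holder for the three flags named in the report (not Kudu's own type).
struct WebserverTlsFlags {
  std::string certificate_file;          // --webserver_certificate_file
  std::string private_key_file;          // --webserver_private_key_file
  std::string private_key_password_cmd;  // --webserver_private_key_password_cmd
};

// Appends an error unless `path` is readable and has a "-----BEGIN ...<label>" line.
// Whenever the file could be read, `text` receives its contents.
static void CheckPem(const std::string& flag, const std::string& path,
                     const std::string& label, std::string* text,
                     std::vector<std::string>* errors) {
  std::ifstream in(path);
  if (!in) { errors->push_back("--" + flag + ": cannot read " + path); return; }
  std::stringstream buf;
  buf << in.rdbuf();
  *text = buf.str();
  for (std::size_t pos = text->find("-----BEGIN "); pos != std::string::npos;
       pos = text->find("-----BEGIN ", pos + 1)) {
    const std::size_t eol = text->find('\n', pos);
    if (text->substr(pos, eol - pos).find(label) != std::string::npos) return;
  }
  errors->push_back("--" + flag + ": " + path + " has no PEM " + label + " block");
}

// Assumed policy for this sketch: certificate and key are set together or not at
// all, and the password command is only meaningful alongside a key file.
std::vector<std::string> ValidateWebserverTls(const WebserverTlsFlags& f) {
  std::vector<std::string> errors;
  const bool cert = !f.certificate_file.empty();
  const bool key = !f.private_key_file.empty();
  const bool cmd = !f.private_key_password_cmd.empty();
  if (!cert && !key && !cmd) return errors;  // HTTPS not requested
  if (!cert) errors.push_back("--webserver_certificate_file is unset but other webserver TLS flags are set");
  if (!key) errors.push_back("--webserver_private_key_file is unset but other webserver TLS flags are set");
  std::string cert_pem, key_pem;
  if (cert) CheckPem("webserver_certificate_file", f.certificate_file, "CERTIFICATE", &cert_pem, &errors);
  if (key) CheckPem("webserver_private_key_file", f.private_key_file, "PRIVATE KEY", &key_pem, &errors);
  // Heuristic: PKCS#8 ("ENCRYPTED PRIVATE KEY") and traditional ("Proc-Type: 4,ENCRYPTED")
  // encrypted keys both carry the word ENCRYPTED in their PEM text.
  if (key && !cmd && key_pem.find("ENCRYPTED") != std::string::npos)
    errors.push_back("--webserver_private_key_file is encrypted but --webserver_private_key_password_cmd is unset");
  return errors;
}
```

A server would log every returned string and refuse to start when the list is non-empty, which also closes the case where the webserver comes up without a certificate.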