[BUG] [3007] Salt-master doesn't start when ssl is enabled #66577
Comments
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.

We upgraded to 3007.1 and had to comment out the configuration to get the masters to start and this is a problem for us, so we'll be rolling back.
You can work around the above error by only specifying ssl settings for an ssl approved transport (tcp or websocket). Zeromq doesn't use ssl (as far as I'm aware). If you're only using zeromq then I'm pretty sure the ssl config is not doing anything.

transport_opts:
  tcp:
    ssl:
      keyfile: /etc/salt/pki/wildcard.key
      certfile: /etc/salt/pki/wildcard.crt
      ssl_version: PROTOCOL_TLSv1_2

However, that just creates a new error...
Turns out context.protocol is a read-only attribute. Was SSL even tested? How does /that/ even happen? I commented out that line, which just causes ssl to use the default protocol, which is fine in 99% of cases. And guess what, I get another error.
Ok fine. I didn't define

transport_opts:
  tcp:
    ssl:
      keyfile: /etc/salt/pki/wildcard.key
      certfile: /etc/salt/pki/wildcard.crt
      cert_reqs: CERT_REQUIRED

It'll work this time, right? No...
It seems at this point in the code "cert_req" has already been translated to the

--- base.py.orig 2024-07-25 15:14:49.660670232 -0400
+++ base.py 2024-07-25 15:23:29.345236633 -0400
@@ -451,17 +451,17 @@
# Use create_default_context to start with what Python considers resonably
# secure settings.
context = ssl.create_default_context(purpose)
- context.protocol = ssl_options.get("ssl_version", default_version)
+ #context.protocol = ssl_options.get("ssl_version", default_version)
if "certfile" in ssl_options:
context.load_cert_chain(
ssl_options["certfile"], ssl_options.get("keyfile", None)
)
if "cert_reqs" in ssl_options:
- if ssl_options["cert_reqs"].upper() == "CERT_NONE":
+ if ssl_options["cert_reqs"] == ssl.VerifyMode.CERT_NONE:
# This may have been set automatically by PROTOCOL_TLS_CLIENT but is
# incompatible with CERT_NONE so we must manually clear it.
context.check_hostname = False
- context.verify_mode = getattr(ssl.VerifyMode, ssl_options["cert_reqs"])
+ context.verify_mode = ssl_options["cert_reqs"]
if "ca_certs" in ssl_options:
context.load_verify_locations(ssl_options["ca_certs"])
if "verify_locations" in ssl_options:
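Review bot: Commenting out the assignment in `+ #context.protocol = ssl_options.get("ssl_version", default_version)` silently drops a configured `ssl_version` instead of honouring it. Since `SSLContext.protocol` is read-only, the configured version could instead be translated into `context.minimum_version` / `context.maximum_version` bounds (or the context built with `ssl.SSLContext(protocol)` directly), and a value that cannot be honoured should be logged or rejected rather than ignored. The new comparison `+ if ssl_options["cert_reqs"] == ssl.VerifyMode.CERT_NONE:` only works once the value has already been converted to the enum; if the string `"CERT_NONE"` reaches this point unchanged, the comparison is false, `check_hostname` stays set, and `+ context.verify_mode = ssl_options["cert_reqs"]` assigns a string. Normalising the value to an `ssl.VerifyMode` member (accepting either the enum or its name) before the comparison covers both paths.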
And then finally, as if all my troubles should be rewarded, I get spammed with some PubClient messages. Maybe they don't mean anything, but they didn't happen in 3006.x.
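The two failures described in the comment above (assigning the read-only `SSLContext.protocol`, and comparing `cert_reqs` against an enum when the configured value may still be a string) can both be avoided in one context-building routine. The following is an added example, not Salt's own code and not code from the comment author: `build_ssl_context`, `normalize_verify_mode` and the `_VERSION_BOUNDS` table are assumptions made for this example, and the mapping of `PROTOCOL_TLSv1_2` to a fixed minimum/maximum TLS version is an interpretation of that constant, not Salt's translation of it.

```python
import ssl

# Constructed example: build an SSLContext from a Salt-style transport_opts
# ssl mapping without touching the read-only SSLContext.protocol attribute.
# The ssl_version name table below is an assumption made for this example.
_VERSION_BOUNDS = {
    # "only this version" constants become a fixed minimum/maximum bound
    "PROTOCOL_TLSv1_2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    "PROTOCOL_TLSv1_3": (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
    # negotiating constants keep the defaults from create_default_context
    "PROTOCOL_TLS": None,
    "PROTOCOL_TLS_SERVER": None,
    "PROTOCOL_TLS_CLIENT": None,
}


def normalize_verify_mode(value):
    """Return an ssl.VerifyMode member for a name such as "CERT_REQUIRED",
    an existing ssl.VerifyMode member, or its integer value."""
    if isinstance(value, ssl.VerifyMode):
        return value
    if isinstance(value, str):
        try:
            return ssl.VerifyMode[value.upper()]
        except KeyError:
            raise ValueError(f"unknown cert_reqs value: {value!r}") from None
    return ssl.VerifyMode(value)


def build_ssl_context(ssl_options, server_side=True):
    """Build an SSLContext from an ssl_options mapping (keys: ssl_version,
    certfile, keyfile, cert_reqs, ca_certs). Unknown ssl_version values are
    rejected instead of being silently ignored."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    context = ssl.create_default_context(purpose)

    version = ssl_options.get("ssl_version")
    if version is not None:
        if version not in _VERSION_BOUNDS:
            raise ValueError(f"unsupported ssl_version: {version!r}")
        bounds = _VERSION_BOUNDS[version]
        if bounds is not None:
            # protocol is read-only; express the version as min/max bounds
            context.minimum_version, context.maximum_version = bounds

    if "certfile" in ssl_options:
        context.load_cert_chain(ssl_options["certfile"], ssl_options.get("keyfile"))

    if "cert_reqs" in ssl_options:
        verify_mode = normalize_verify_mode(ssl_options["cert_reqs"])
        if verify_mode == ssl.VerifyMode.CERT_NONE:
            # check_hostname must be cleared before verify_mode may be CERT_NONE
            context.check_hostname = False
        context.verify_mode = verify_mode

    if "ca_certs" in ssl_options:
        context.load_verify_locations(ssl_options["ca_certs"])
    return context


if __name__ == "__main__":
    # constructed options mirroring the comment's config, minus the file paths
    ctx = build_ssl_context({"ssl_version": "PROTOCOL_TLSv1_2",
                             "cert_reqs": "CERT_REQUIRED"})
    print(ctx.minimum_version.name, ctx.maximum_version.name, ctx.verify_mode.name)
```

`certfile`, `keyfile` and `ca_certs` are passed straight to `load_cert_chain` and `load_verify_locations`, so the paths from the comment's config would be used unchanged; the stand-alone run above omits them so it needs no files on disk.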
Description
Salt-master doesn't start when ssl is enabled.
I'm using the default configuration file with lines 483-486 uncommented. I've tested multiple certificates, self-signed ones and also ones generated using Let's Encrypt.
When starting the service with such a configuration I'm getting the error below:
I've tested the same configuration with salt 3006.8 and it just worked.
Setup
New Centos 9 VM with salt-master 3007 installed (onedir installation) and SSL enabled.
Steps to Reproduce the behavior
Basic Centos 9 Stream VM with salt-master 3007 installed.
Expected behavior
salt-master should just work.
Versions Report
salt --versions-report