On Thu, 20 Jul 2023 11:25:09 +0200 Guido Berhoerster <gu...@berhoerster.name> wrote:
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 121
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/modules'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 130
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/modules'
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> SSL_write: underlying network error (Broken pipe)
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up!
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: error: ::1> Connection was hung up while receiving line:
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Connection was hung up while receiving line:
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Client closed connection early! He probably does not trust our key...
> Jul 20 10:35:34 tjener.intern cf-serverd[1168]: CFEngine(server) ::1> Client closed connection early! He probably does not trust our key...
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Promise belongs to bundle 'failsafe_cfe_internal_update' in file '/var/lib/cfengine3/inputs/failsafe.cf' near line 144
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Comment is 'If we failed to fetch policy we try again using the legacy default in case we are fetching policy from a hub that is not serving mastefiles via a shortcut.'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Errors encountered when actuating files promise '/var/lib/cfengine3/inputs'
> Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) Method 'failsafe_cfe_internal_update' failed in some repairs
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs/cf_promises_validated'
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) Promise belongs to bundle 'cfe_internal_update_policy_cpv' in file '/var/lib/cfengine3/inputs/cfe_internal/update/update_policy.cf' near line 229
> Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) Comment is 'Check whether a validation stamp is available for a new policy update to reduce the distributed load'

The untrusted server key issue can be fixed by following the procedure on manually establishing trust described in
https://cfengine.com/blog/2015/securely-deploying-cfengine-on-untrusted-networks/#on-each-client-we-deploy

However, checking back on bullseye this error does not show up because cf-execd and other daemons are not running; the init script looks at /etc/default/cfengine3 where by default everything is disabled. So I suppose the solution is to simply not enable the systemd services by default.

-- 
Guido Berhoerster
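
Added example, not part of the original message and not CFEngine code: a small triage script for the `TRUST FAILED` lines quoted above. It groups the rejected key digests by host and separates digests that match a hub fingerprint verified out of band from ones that do not. The `client1.intern` line, its digest and the `expected` set are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted syslog output.
# The client1.intern line and its digest are invented for the example.
SAMPLE_LOG = """\
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:35:34 tjener.intern cf-agent[4722]: CFEngine(agent) No suitable server found for '/var/lib/cfengine3/inputs'
Jul 20 10:35:34 tjener.intern cf-serverd[1168]: notice: ::1> Client closed connection early! He probably does not trust our key...
Jul 20 10:35:34 tjener.intern cf-agent[4734]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=42d62c2c4be843a78dafffb40dd40277
Jul 20 10:36:02 client1.intern cf-agent[911]: CFEngine(agent) TRUST FAILED, server presented untrusted key: MD5=00112233445566778899aabbccddeeff
"""

TRUST_FAILED = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) cf-agent\[(?P<pid>\d+)\]: "
    r".*TRUST FAILED, server presented untrusted key: (?P<digest>[A-Z0-9]+=[0-9a-f]+)"
)

def trust_failures(log_text):
    """Map each presented key digest to the hosts and cf-agent PIDs that rejected it."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = TRUST_FAILED.match(line)
        if m:
            seen[m["digest"]][m["host"]].add(int(m["pid"]))
    return {d: {h: sorted(p) for h, p in hosts.items()} for d, hosts in seen.items()}

def classify(failures, expected_digests):
    """Split digests into those matching a verified hub fingerprint and all others."""
    known = {d: h for d, h in failures.items() if d in expected_digests}
    unknown = {d: h for d, h in failures.items() if d not in expected_digests}
    return known, unknown

if __name__ == "__main__":
    # Assumption: the operator has checked this fingerprint on the hub itself.
    expected = {"MD5=42d62c2c4be843a78dafffb40dd40277"}
    known, unknown = classify(trust_failures(SAMPLE_LOG), expected)
    for digest, hosts in known.items():
        print("expected hub key, trust not yet established:", digest, hosts)
    for digest, hosts in unknown.items():
        print("unexpected key, verify before trusting:", digest, hosts)
```
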