Some SMT clients show up to date when they shouldn't

I have a SLES11, sp2 environment, and none of the machines are able to get outside the network. There’s incoming data for their webapp, but otherwise they are locked down.
I need to be able to patch them, so I’ve installed SMT on a Suse box on another VLAN, and set up rules so it can talk to the VLANs that the other machines live in. And this works, to an extent.
I’m able to register the individual VMs with the SMT box, but am unable to get the SMT added on them. I don’t have the SMT server in my dns, so I add the server to my hosts file. My steps are:

  1. Add SMT server to host file using
    echo 192.168.x.x pcipfesmt.x.com pcipfesmt >> /etc/hosts
  2. Download clientSetup4SMT.sh to client box & make it executable
    wget -O /tmp/clientSetup4SMT.sh https://pcipfesmt.x.com/repo/tools/clientSetup4SMT.sh && chmod +x clientSetup4SMT.sh
  3. run clientSetup4SMT.sh
    ./clientSetup4SMT.sh --host pcipfesmt.x.com
    The registration here usually fails, during refreshing service ‘SMT_http_pcipfesmt_x_com’. It says “Download (curl) error for ‘http://pcipfesmt.x.com//repo/repoindex.xml?credentials=NCCcredentials’:
    Error code: Connection failed
    Error message: couldn’t connect to host”
    Retrying doesn’t work, of course, so I abort, am told to file a bug report, am also told that registration was successful, and am taken back to the prompt. The registration shows up on the smt-server, and patch status shows up as unknown or up-to-date. None of the mirrored repositories are added to the client.

I would say that this could be network related, however I’m able to connect to the box from the client to download the cert. Can anyone offer any help?

Thanks

I can’t figure out how to edit my original post, but I wanted to add that I’m using new zypp NCCcredentials when I register each box.
rm /etc/zypp/credentials.d/NCCcredentials
rm /var/cache/SuseRegister/lastzmdconfig.cache
Which has allowed me to register cloned machines with NCC in the past.

Hi sysengPS,

anything in the logs? Please check both ~root and /var/log (esp. smtclient.log and zypper.log) and if nothing catches the eye, I’d run clientSetup4SMT.sh with “-x” to get some info where curl is invoked and what it’s trying to do.

Regards,
Jens

sysengPS sounds like they ‘said’:
[QUOTE]
I would say that this could be network related, however I’m able to
connect to the box from the client to download the cert. Can anyone
offer any help?
[/QUOTE]
So my response to sysengPS’s comment is…

Did you try running the command with https set for your SMT box?

…/clientSetup4SMT.sh https://pcipesmt.x.com ?

That’s how I registered my sles servers with my SMT box, but I do have
my SMT box in my local dns.


Stevo

This is the latest entry in smtclient.log
2013-09-09 18:05:01: () ERROR: Unable to request next job: 401 Authorization Required-<?xml version="1.0" encoding="ISO-8859-1"?> Authentication required!

Authentication required!

This server could not verify that you are authorized to access the URL “/=/1/jobs/@next”. You either supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required.

In case you are allowed to request the document, please check your user-id and password and try again.

If you think this is a server error, please contact the webmaster.

Error 401

pcipfesmt.x.com
Mon Sep 9 18:04:58 2013
Apache/2.2.12 (Linux/SUSE)

suse_register has the following as its latest entry:

2013-09-06 14:00:14 SUSE::SRPrivate - [info] 1b51804f79a84677be79b4058e5a02f9http://pcipfesmt.x.com/SLES11-SP1-VMware-PoolSLES11-SP1-VMware-UpdatesSLES11-SP2-VMware-UpdatesSLES11-SP2-VMware-CoreSLES11-SP2-Extension-StoreOk.

I’m probably missing something obvious here, but :(.

./clientSetup4SMT.sh -x
Unknown option -x

./clientSetup4SMT.sh https://pcipfesmt.x.com

I get the cert and accept it. I start the registration process, and same error.

Hi sysengPS,

[QUOTE=sysengPS;16179]This is the latest entry in smtclient.log
2013-09-09 18:05:01: () ERROR: Unable to request next job: 401 Authorization Required-<?xml version="1.0" encoding="ISO-8859-1"?> Authentication required!

Authentication required!

This server could not verify that you are authorized to access the URL “/=/1/jobs/@next”. You either supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required.

In case you are allowed to request the document, please check your user-id and password and try again.

If you think this is a server error, please contact the webmaster.

Error 401

pcipfesmt.x.com
Mon Sep 9 18:04:58 2013
Apache/2.2.12 (Linux/SUSE)
[/QUOTE]

So for some reason, your SMT server is rejecting the credentials that are presented by the client. Maybe more details (and even if it’s “wrong credentials”, as opposed to “configuration problem at the server” or “database down” or alike) can be found in the server’s Apache logs.

[QUOTE=sysengPS;16179]./clientSetup4SMT.sh -x
Unknown option -x[/QUOTE]

While it doesn’t currently seem important in your specific case, I meant to set the shell’s tracing feature - so either “set -x;./clientSetup4SMT.sh;set +x” or, more easily, “bash -x ./clientSetup4SMT.sh”

With regards,
Jens

This is on a different client:

[CODE]set -x;./clientSetup4SMT.sh --host pcipfesmt.X.com;set +x

+ ./clientSetup4SMT.sh --host pcipfesmt.X.com
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    a5:2e:6d:d2:cb:ff:b9:bc
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, CN=YaST_Default_CA/emailAddress=syseng@X.com
    Validity
    Not Before: Sep 6 15:16:46 2013 GMT
    Not After : Sep 4 15:16:46 2023 GMT
    Subject: C=US, CN=YaST_Default_CA/emailAddress=syseng@X.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Basic Constraints: critical
    CA:TRUE
    Netscape Comment:
    YaST Generated CA Certificate
    Netscape Cert Type:
    SSL CA, S/MIME CA
    X509v3 Key Usage:
    Certificate Sign, CRL Sign
    X509v3 Subject Key Identifier:
    6E:F0:89:5F:6A:D6:BD:0B:55:30:3E:FE:A3:98:BE:01:D7:F4:A2:95
    X509v3 Authority Key Identifier:
    keyid:6E:F0:89:5F:6A:D6:BD:0B:55:30:3E:FE:A3:98:BE:01:D7:F4:A2:95
    DirName:/C=US/CN=YaST_Default_CA/emailAddress=syseng@X.com
    serial:A5:2E:6D:D2:CB:FF:B9:BC

          X509v3 Subject Alternative Name: 
              email:syseng@X.com, IP Address:192.168.193.35
          X509v3 Issuer Alternative Name: 
              email:syseng@X.com, IP Address:192.168.193.35
    

    Signature Algorithm: sha1WithRSAEncryption
    Do you accept this certificate? [y/n] y
    Client setup finished.
    Start the registration now? [y/n] y
    /usr/bin/suse_register -i -L /root/.suse_register.log
    Refreshing service ‘SMT-http_pcipfesmt_X_com’.
    Download (curl) error for ‘http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials’:
    Error code: Connection failed
    Error message: couldn’t connect to host

Abort, retry, ignore? [a/r/i/?] (a):
Unexpected exception.
[|] Error trying to read from ‘http://pcipfesmt.X.com/?credentials=NCCcredentials
History:

Please file a bug report about this.
See http://en.opensuse.org/Zypper/Troubleshooting for instructions.
Refreshing service ‘SMT-http_pcipfesmt_X_com’.
Download (curl) error for ‘http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials’:
Error code: Connection failed
Error message: couldn’t connect to host

Abort, retry, ignore? [a/r/i/?] (a):
Unexpected exception.
[|] Error trying to read from ‘http://pcipfesmt.X.com/?credentials=NCCcredentials
History:

Please file a bug report about this.
See http://en.opensuse.org/Zypper/Troubleshooting for instructions.
Registration finished successfully

+ set +x[/CODE]

It shows up on the smt server as unknown. When I run smt-agent on the client, the client shows up on the server as up-to-date.

Latest on smtclient.log

2013-09-10 09:00:38: (14) running job 14
2013-09-10 09:00:38: () jobid: 14
2013-09-10 09:00:38: (14) got jobid "14" with jobtype "patchstatus"
2013-09-10 09:00:38: () successfully loaded handler for jobtype "patchstatus"
2013-09-10 09:00:38: (14) jobhandler for patchstatus called
2013-09-10 09:00:38: (14) patchstatus runs jobid "14"
2013-09-10 09:00:41: (14) job 14 message: 0:0:0:0 # PackageManager=0 Security=0 Recommended=0 (Bugfix=0) Optional=0 (Enhancement=0 Feature=0 Document=0 Other=0)
2013-09-10 09:00:41: (14) job 14 exitcode: 0
2013-09-10 09:00:41: (14) job 14 statuscode: true
2013-09-10 09:00:41: (14) updating job 14 (1) message: 0:0:0:0 # PackageManager=0 Security=0 Recommended=0 (Bugfix=0) Optional=0 (Enhancement=0 Feature=0 Document=0 Other=0)
2013-09-10 09:00:41: () successfully updated job 14
2013-09-10 09:00:41: () job 14 finished successfully, see job message for details
2013-09-10 09:00:45: () no jobs left. exit.

And on the smt-server, in access_log:

source IP address - - [10/Sep/2013:09:00:30 - 0400] "GET /repo/tools/smt-client.x86_64.rpm HTTP/1.1" 200 27162
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/@next HTTP/1.1" 200 154
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/14 HTTP/1.1" 200 154
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/14 HTTP/1.1" 200 2
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/@next HTTP/1.1" 200 7
source IP address - - [10/Sep/2013:09:05:00 - 0400] "GET /repo/tools/smt-client.x86_64.rpm HTTP/1.1" 401 1275

Nothing shows up in error_log

smt-register shows registration success for the above code.

Thanks for helping with this.

Has anyone seen this problem before?

Hi sysengPS,

if it’s not the server, might you have a DNS or network problem? Have you tried accessing that URL from that machine manually, i.e. via wget, to see if the connection basically works and to have a controlled test case?

Regards,
Jens

Just saw this thread and wanted to (finally) update. It was a firewall rule blocking port 80 I think. Thanks for the help.
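
An added example, not part of any post in this thread: the client fetched clientSetup4SMT.sh over https while the failing service URL in the transcript is http, so the two ports need to be tested separately. The script below pulls the failing endpoint out of a saved zypper transcript and probes that port alongside 443; the host `smt.example.com`, the sample transcript and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find which scheme/port zypper could not reach, then probe it.
# SAMPLE_LOG is constructed from the error text quoted in the thread;
# smt.example.com is a placeholder host.

SAMPLE_LOG="Refreshing service 'SMT-http_smt_example_com'.
Download (curl) error for 'http://smt.example.com//repo/repoindex.xml?credentials=NCCcredentials':
Error code: Connection failed
Error message: couldn't connect to host"

# Read a zypper transcript on stdin and print "scheme host port" for every
# URL named in a download error (default ports filled in from the scheme).
failed_endpoints() {
    grep -F 'Download (curl) error for' |
    grep -Eo "https?://[^/?:' ]+(:[0-9]+)?" |
    sort -u |
    while IFS= read -r url; do
        scheme=${url%%://*}
        hostport=${url#*://}
        host=${hostport%%:*}
        if [ "$hostport" != "$host" ]; then
            port=${hostport##*:}
        elif [ "$scheme" = https ]; then
            port=443
        else
            port=80
        fi
        printf '%s %s %s\n' "$scheme" "$host" "$port"
    done
}

# TCP connect test via bash's /dev/tcp; returns 0 if the port accepts a connection.
tcp_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# For each failing endpoint, report its port and 443 (used for the bootstrap download).
diagnose() {
    failed_endpoints | while read -r scheme host port; do
        for p in $(printf '%s\n' "$port" 443 | sort -u); do
            if tcp_open "$host" "$p"; then state=open; else state=blocked; fi
            printf '%s port %s: %s\n' "$host" "$p" "$state"
        done
    done
}
```

Run `diagnose < saved-transcript.txt` on the client; a port reported as blocked while 443 is open points at a filtering rule between the VLANs rather than at the SMT server.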

Hi sysengPS,

cleaning up the old year, ey? :wink:

Thank you for giving that final info - and a happy new year to you!

Regards,
Jens