
Thread: Some SMT clients show up to date when they shouldn't


  1. #1

    Some SMT clients show up to date when they shouldn't

    I have a SLES11, sp2 environment, and none of the machines are able to get outside the network. There's incoming data for their webapp, but otherwise they are locked down.
    I need to be able to patch them, so I've installed SMT on a SUSE box on another VLAN, and set up rules so it can talk to the VLANs that the other machines live in. And this works, to an extent.
    I'm able to register the individual VMs with the SMT box, but am unable to get the SMT added on them. I don't have the SMT server in my dns, so I add the server to my hosts file. My steps are:
    1. Add SMT server to hosts file using
    echo 192.168.x.x pcipfesmt.x.com pcipfesmt >> /etc/hosts
    2. Download clientSetup4SMT.sh to client box & make it executable
    wget -O /tmp/clientSetup4SMT.sh https://pcipfesmt.x.com/repo/tools/clientSetup4SMT.sh && chmod +x /tmp/clientSetup4SMT.sh
    3. Run clientSetup4SMT.sh
    /tmp/clientSetup4SMT.sh --host pcipfesmt.x.com
    The registration here usually fails, during refreshing service 'SMT_http_pcipfesmt_x_com'. It says "Download (curl) error for 'http://pcipfesmt.x.com//repo/repoindex.xml?credentials=NCCcredentials':
    Error code: Connection failed
    Error message: couldn't connect to host"
    Retrying doesn't work, of course, so I abort, am told to file a bug report, am also told that registration was successful, and am taken back to the prompt. The registration shows up on the smt-server, and patch status shows up as unknown or up-to-date. None of the mirrored repositories are added to the client.

    I would say that this could be network related, however I'm able to connect to the box from the client to download the cert. Can anyone offer any help?

    Thanks

  2. #2

    Re: Some SMT clients show up to date when they shouldn't

    I can't figure out how to edit my original post, but I wanted to add that I'm using new zypp NCCcredentials when I register each box.
    rm /etc/zypp/credentials.d/NCCcredentials
    rm /var/cache/SuseRegister/lastzmdconfig.cache
    Which has allowed me to register cloned machines with NCC in the past.

  3. Re: Some SMT clients show up to date when they shouldn't

    Hi sysengPS,

    anything in the logs? Please check both ~root and /var/log (esp. smtclient.log and zypper.log) and if nothing catches the eye, I'd run clientSetup4SMT.sh with "-x" to get some info where curl is invoked and what it's trying to do.

    Regards,
    Jens
    From the times when today's "old school" was "new school"

    If you find this post helpful and are logged into the web interface, show your appreciation and click on the star below...

  4. #4

    Re: Some SMT clients show up to date when they shouldn't

    This is the latest entry in smtclient.log
    2013-09-09 18:05:01: () ERROR: Unable to request next job: 401 Authorization Required-<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <title>Authentication required!</title> <link rev="made" href="mailto:root@PCIPFESMT" /> <style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;} /*]]>*/--></style> </head> <body> <h1>Authentication required!</h1> <p> This server could not verify that you are authorized to access the URL "/=/1/jobs/@next". You either supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required. </p> <p> In case you are allowed to request the document, please check your user-id and password and try again. </p> <p> If you think this is a server error, please contact the <a href="mailto:root@PCIPFESMT">webmaster</a>. </p> <h2>Error 401</h2> <address> <a href="/">pcipfesmt.x.com</a><br /> <span>Mon Sep 9 18:04:58 2013<br /> Apache/2.2.12 (Linux/SUSE)</span> </address> </body> </html>

    suse_register has the following as its latest entry:

    2013-09-06 14:00:14 SUSE::SRPrivate - [info] <zmdconfig xmlns="http://www.novell.com/xml/center/regsvc-1_0" lang="en"><guid>1b51804f79a84677be79b4058e5a02f9</guid><service id="SMT-pcipfesmt_x_xom" description="Local NU Server" type="nu"><param id="url">http://pcipfesmt.x.com/</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP1-VMware-Pool/sle-11-x86_64">SLES11-SP1-VMware-Pool</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP1-VMware-Updates/sle-11-x86_64">SLES11-SP1-VMware-Updates</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP2-VMware-Updates/sle-11-x86_64">SLES11-SP2-VMware-Updates</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP2-VMware-Core/sle-11-x86_64">SLES11-SP2-VMware-Core</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP2-Extension-Store/sle-11-x86_64">SLES11-SP2-Extension-Store</param></service><status generated="1378490412"><productstatus product="SLES-for-VMware" version="11.2" release="" arch="" result="success" errorcode="OK"><message>Ok.</message></productstatus></status></zmdconfig>

    I'm probably missing something obvious here, but .

    ./clientSetup4SMT.sh -x
    Unknown option -x

  5. Re: Some SMT clients show up to date when they shouldn't

    Hi sysengPS,
    Originally posted by sysengPS:
    This is the latest entry in smtclient.log
    2013-09-09 18:05:01: () ERROR: Unable to request next job: 401 Authorization Required-<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <title>Authentication required!</title> <link rev="made" href="mailto:root@PCIPFESMT" /> <style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;} /*]]>*/--></style> </head> <body> <h1>Authentication required!</h1> <p> This server could not verify that you are authorized to access the URL "/=/1/jobs/@next". You either supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required. </p> <p> In case you are allowed to request the document, please check your user-id and password and try again. </p> <p> If you think this is a server error, please contact the <a href="mailto:root@PCIPFESMT">webmaster</a>. </p> <h2>Error 401</h2> <address> <a href="/">pcipfesmt.x.com</a><br /> <span>Mon Sep 9 18:04:58 2013<br /> Apache/2.2.12 (Linux/SUSE)</span> </address> </body> </html>
    So for some reason, your SMT server is rejecting the credentials that are presented by the client. Maybe more details (and even if it's "wrong credentials", as opposed to "configuration problem at the server" or "database down" or alike) can be found in the server's Apache logs.

    Originally posted by sysengPS:
    ./clientSetup4SMT.sh -x
    Unknown option -x
    While it doesn't currently seem important in your specific case, I meant to set the shell's tracing feature - so either "set -x;./clientSetup4SMT.sh;set +x" or, more easily, "bash -x ./clientSetup4SMT.sh"

    With regards,
    Jens
    From the times when today's "old school" was "new school"


  6. #6

    Re: Some SMT clients show up to date when they shouldn't

    This is on a different client:

    Code:
    set -x;./clientSetup4SMT.sh --host pcipfesmt.X.com;set +x
    + ./clientSetup4SMT.sh --host pcipfesmt.X.com
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                a5:2e:6d:d2:cb:ff:b9:bc
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, CN=YaST_Default_CA/emailAddress=syseng@X.com
            Validity
                Not Before: Sep  6 15:16:46 2013 GMT
                Not After : Sep  4 15:16:46 2023 GMT
            Subject: C=US, CN=YaST_Default_CA/emailAddress=syseng@X.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                Netscape Comment: 
                    YaST Generated CA Certificate
                Netscape Cert Type: 
                    SSL CA, S/MIME CA
                X509v3 Key Usage: 
                    Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier: 
                    6E:F0:89:5F:6A:D6:BD:0B:55:30:3E:FE:A3:98:BE:01:D7:F4:A2:95
                X509v3 Authority Key Identifier: 
                    keyid:6E:F0:89:5F:6A:D6:BD:0B:55:30:3E:FE:A3:98:BE:01:D7:F4:A2:95
                    DirName:/C=US/CN=YaST_Default_CA/emailAddress=syseng@X.com
                    serial:A5:2E:6D:D2:CB:FF:B9:BC
    
                X509v3 Subject Alternative Name: 
                    email:syseng@X.com, IP Address:192.168.193.35
                X509v3 Issuer Alternative Name: 
                    email:syseng@X.com, IP Address:192.168.193.35
        Signature Algorithm: sha1WithRSAEncryption
    Do you accept this certificate? [y/n] y
    Client setup finished.
    Start the registration now? [y/n] y
    /usr/bin/suse_register -i -L /root/.suse_register.log
    Refreshing service 'SMT-http_pcipfesmt_X_com'.
    Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
    Error code: Connection failed
    Error message: couldn't connect to host
    
    Abort, retry, ignore? [a/r/i/?] (a): 
    Unexpected exception.
    [|] Error trying to read from 'http://pcipfesmt.X.com/?credentials=NCCcredentials'
    History:
     - Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
    Error code: Connection failed
    Error message: couldn't connect to host
    
    
    Please file a bug report about this.
    See http://en.opensuse.org/Zypper/Troubleshooting for instructions.
    Refreshing service 'SMT-http_pcipfesmt_X_com'.
    Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
    Error code: Connection failed
    Error message: couldn't connect to host
    
    Abort, retry, ignore? [a/r/i/?] (a): 
    Unexpected exception.
    [|] Error trying to read from 'http://pcipfesmt.X.com/?credentials=NCCcredentials'
    History:
     - Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
    Error code: Connection failed
    Error message: couldn't connect to host
    
    
    Please file a bug report about this.
    See http://en.opensuse.org/Zypper/Troubleshooting for instructions.
    Registration finished successfully
    + set +x
    It shows up on the smt server as unknown. When I run smt-agent on the client, the client shows up on the server as up-to-date.

    Latest on smtclient.log

    Code:
    2013-09-10 09:00:38: (14) running job 14
    2013-09-10 09:00:38: () jobid: 14
    2013-09-10 09:00:38: (14) got jobid "14" with jobtype "patchstatus"
    2013-09-10 09:00:38: () successfully loaded handler for jobtype "patchstatus"
    2013-09-10 09:00:38: (14) jobhandler for patchstatus called
    2013-09-10 09:00:38: (14) patchstatus runs jobid "14"
    2013-09-10 09:00:41: (14) job 14 message: 0:0:0:0 # PackageManager=0 Security=0 Recommended=0 (Bugfix=0) Optional=0 (Enhancement=0 Feature=0 Document=0 Other=0)
    2013-09-10 09:00:41: (14) job 14 exitcode: 0
    2013-09-10 09:00:41: (14) job 14 statuscode: true
    2013-09-10 09:00:41: (14) updating job 14 (1) message: 0:0:0:0 # PackageManager=0 Security=0 Recommended=0 (Bugfix=0) Optional=0 (Enhancement=0 Feature=0 Document=0 Other=0)
    2013-09-10 09:00:41: () successfully updated job 14
    2013-09-10 09:00:41: () job 14 finished successfully, see job message for details
    2013-09-10 09:00:45: () no jobs left. exit.

    And on the smt-server, in access_log:
    Code:
    source IP address - - [10/Sep/2013:09:00:30 - 0400] "GET /repo/tools/smt-client.x86_64.rpm HTTP/1.1" 200 27162
    source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/@next HTTP/1.1" 200 154
    source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/14 HTTP/1.1" 200 154
    source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/14 HTTP/1.1" 200 2
    source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/@next HTTP/1.1" 200 7
    source IP address - - [10/Sep/2013:09:05:00 - 0400] "GET /repo/tools/smt-client.x86_64.rpm HTTP/1.1" 401 1275
    Nothing shows up in error_log

    smt-register shows registration success for the above code.

    Thanks for helping with this.

  7. #7

    Re: Some SMT clients show up to date when they shouldn't

    Has anyone seen this problem before?

  8. Re: Some SMT clients show up to date when they shouldn't

    Hi sysengPS,

    Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials': Error code: Connection failed Error message: couldn't connect to host
    if it's not the server, might you have a DNS or network problem? Have you tried accessing that URL from that machine manually, i.e. via wget, to see if the connection basically works and to have a controlled test case?

    Regards,
    Jens
    From the times when today's "old school" was "new school"


  9. #9

    Re: Some SMT clients show up to date when they shouldn't

    Just saw this thread and wanted to (finally) update. It was a firewall rule blocking port 80 I think. Thanks for the help.
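
    Added example, not part of any post in this thread: the setup script was fetched over https while the service refresh used http, so a firewall rule covering only one port lets registration succeed while the repositories stay unreachable and the patch status reads 0. The script below derives every host and port a set of SMT URLs needs and probes each one; `smt.example.com`, the sample URLs and all function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample: setup-script, service and catalog URLs; placeholder host.
SAMPLE_URLS='https://smt.example.com/repo/tools/clientSetup4SMT.sh
http://smt.example.com//repo/repoindex.xml?credentials=NCCcredentials
http://smt.example.com/repo/$RCE/SLES11-SP2-Updates/sle-11-x86_64'

# endpoint_of URL -> prints "host port"; default port comes from the scheme.
endpoint_of() {
  local url="$1" scheme rest hostport host port
  scheme=${url%%://*}
  rest=${url#*://}
  hostport=${rest%%/*}        # cut path
  hostport=${hostport%%\?*}   # cut query
  hostport=${hostport##*@}    # cut userinfo (IPv6 literals are not handled)
  host=${hostport%%:*}
  if [ "$hostport" != "$host" ]; then
    port=${hostport##*:}
  else
    case $scheme in http) port=80 ;; https) port=443 ;; *) return 1 ;; esac
  fi
  printf '%s %s\n' "$host" "$port"
}

# required_endpoints: URLs on stdin -> unique "host port" lines.
required_endpoints() {
  local url
  while IFS= read -r url; do
    [ -n "$url" ] && endpoint_of "$url"
  done | sort -u
}

# probe HOST PORT -> 0 if a TCP connect succeeds within 5 seconds.
probe() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# check_all: URLs on stdin -> one line per endpoint, non-zero if any is blocked.
check_all() {
  required_endpoints | {
    rc=0
    while read -r host port; do
      if probe "$host" "$port"; then echo "ok      $host:$port"
      else echo "BLOCKED $host:$port"; rc=1; fi
    done
    [ "$rc" -eq 0 ]
  }
}
# Offline demo: list what the sample needs; pipe real URLs into check_all to probe.
printf '%s\n' "$SAMPLE_URLS" | required_endpoints
```

    On a client, feed the URLs from the registration log and from `zypper ls -u` into `check_all`; a BLOCKED line for port 80 alongside an ok line for 443 matches the symptom described in this thread.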

  10. Re: Some SMT clients show up to date when they shouldn't

    Hi sysengPS,

    cleaning up the old year, ey?

    Thank you for giving that final info - and a happy new year to you!

    Regards,
    Jens
    From the times when today's "old school" was "new school"

