Sentinel Certgen error

Hello

I’ve bought another Omnia.
But there is a problem with sentinel and notifications.
E-mail notifications do not work, but I think that it is connected with the Sentinel Certgen problem.
It cannot get certificate.

Dec  6 09:40:13 turris sentinel: INFO [certgen.action_spec_init:100] Certificate file does not exist or is to be renewed. Re-certifying.
Dec  6 09:40:13 turris sentinel: ERROR [certgen.process_get:206] Get fail: Server responded with message: You hit the rate limit
Dec  6 09:40:13 turris sentinel: ERROR [certgen.start:332] Max tries (3) have been reached, exiting
Dec  6 09:40:20 turris sentinel: INFO [certgen.action_spec_init:100] Certificate file does not exist or is to be renewed. Re-certifying.
Dec  6 09:40:20 turris sentinel: ERROR [certgen.process_get:206] Get fail: Server responded with message: You hit the rate limit
Dec  6 09:40:20 turris sentinel: WARNING [certgen.start:338] Sleeping for 12 seconds before retry (try number 2)
Dec  6 09:40:32 turris sentinel: INFO [certgen.action_spec_init:100] Certificate file does not exist or is to be renewed. Re-certifying.
Dec  6 09:40:32 turris sentinel: ERROR [certgen.process_get:206] Get fail: Server responded with message: You hit the rate limit
Dec  6 09:40:32 turris sentinel: WARNING [certgen.start:338] Sleeping for 12 seconds before retry (try number 3)
Dec  6 09:40:44 turris sentinel: INFO [certgen.action_spec_init:100] Certificate file does not exist or is to be renewed. Re-certifying.
Dec  6 09:40:45 turris sentinel: ERROR [certgen.process_get:206] Get fail: Server responded with message: You hit the rate limit
Dec  6 09:40:45 turris sentinel: ERROR [certgen.start:332] Max tries (3) have been reached, exiting
Dec  6 08:40:45 turris procd: Instance sentinel-proxy::instance1 s in a crash loop 6 crashes, 26 seconds since last crash

In /etc/sentinel there is ca, key and req, but there is no cert.
If I disable sentinel-dynfw-client for a few hours (to check how long the rate limit is), then it starts, says about Re-certifying. And that’s all.
To see the message above, the router needs to be rebooted.

Ipset is not empty, so firewall works.
Any hints?

Edit: Nikola also looks to be working

Dec  6 09:45:28 turris sentinel_nikola: Logrotate took 5.102044 seconds
Dec  6 08:45:28 turris crond[8388]: (root) CMDOUT (Logrotate took 5.102044 seconds)
Dec  6 09:45:28 turris sentinel_nikola: Syslog parsing took 0.074779 seconds
Dec  6 08:45:28 turris crond[8388]: (root) CMDOUT (Syslog parsing took 0.074779 seconds)
Dec  6 09:45:28 turris sentinel_nikola: Records parsed: 106
Dec  6 08:45:28 turris crond[8388]: (root) CMDOUT (Records parsed: 106)
Dec  6 09:45:38 turris sentinel_nikola: Sending records took 10.002056 seconds

If I’m not rate-limited, then I get messages like this:

Dec  8 16:00:39 turris sentinel: ERROR [certgen.process_get:206] Get fail: Server responded with message: Provided signature is not valid

Hi,

I verified our process for issuing certificates and it works as expected. So there is probably a problem on your router side.

Please reach us through customer support and include router’s diagnostics. You can mention me in the request and we will solve it there.

Update: Can you confirm the S/N of your router starts with 6120xxxxxxx? Is this the brand new Omnia referenced as Omnia 2020? There is a possibility of an issue on our end which affects the latest Omnia batch.

Yes, model and serial match. Do you still need diagnostics?

No, in this case, we know where the culprit is and we don’t need diagnostics. We are working on it. We will let you know once it is going to work.

We are sorry for any inconvenience caused by this issue.


Hi @Cabal

It should be fixed now. Can you please check Certgen is able to generate a certificate now? Please wait about an hour if it reports issues about rate limits.

Thanks for letting us know :+1:


After reboot it works.
Before reboot mailpass file was created, I got notification about waiting kernel upgrade (the one that just reinstalls current kernel, there is a topic for that), but there was no certificate in /etc/sentinel.

Dec 18 06:18:11 turris sentinel: INFO [certgen.process_get_response:136] New certificate successfully downloaded.
Dec 18 06:18:11 turris sentinel: INFO [certgen.action_spec_init:89] Valid certificate found

Thanks!

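Added example (not part of the original thread and not Turris code): a small syslog triage that separates the "You hit the rate limit" responses, which the retry and crash loop produce, from the underlying rejection such as "Provided signature is not valid". The function name `triage_certgen`, the state labels and the sample text (constructed from the log excerpts quoted in this thread) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample, assembled from log lines quoted in the thread above.
SAMPLE = """\
Dec  6 09:40:13 turris sentinel: INFO [certgen.action_spec_init:100] Certificate file does not exist or is to be renewed. Re-certifying.
Dec  6 09:40:13 turris sentinel: ERROR [certgen.process_get:206] Get fail: Server responded with message: You hit the rate limit
Dec  6 09:40:13 turris sentinel: ERROR [certgen.start:332] Max tries (3) have been reached, exiting
Dec  6 09:45:28 turris sentinel_nikola: Records parsed: 106
Dec  8 16:00:39 turris sentinel: ERROR [certgen.process_get:206] Get fail: Server responded with message: Provided signature is not valid
Dec 18 06:18:11 turris sentinel: INFO [certgen.process_get_response:136] New certificate successfully downloaded.
"""

# Matches only certgen lines from the "sentinel" tag; Nikola and procd lines are skipped.
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ sentinel: (?P<level>\w+) "
    r"\[certgen\.(?P<func>\w+):\d+\] (?P<msg>.*)$"
)
SERVER_MSG = "Server responded with message: "


def triage_certgen(log_text):
    """Return (state, reasons, root_causes) for a syslog excerpt.

    state       -- outcome of the last certgen event seen
    reasons     -- Counter of every server rejection message
    root_causes -- rejection messages other than the rate limit
    """
    state, reasons = "unknown", Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if SERVER_MSG in msg:
            reason = msg.split(SERVER_MSG, 1)[1].strip()
            reasons[reason] += 1
            state = "rate_limited" if "rate limit" in reason else "rejected"
        elif "successfully downloaded" in msg or "Valid certificate found" in msg:
            state = "ok"
    root_causes = sorted(r for r in reasons if "rate limit" not in r)
    return state, reasons, root_causes


if __name__ == "__main__":
    print(triage_certgen(SAMPLE))
```

A `rate_limited` state with an empty `root_causes` list means the excerpt only shows the retry symptom, so the real rejection has to be read from an attempt made after the limit expires.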