Ucollect failing talking to api.turris.cz port 5679

tonyquan · September 6, 2019, 6:36am

getting errors from ucollect, is api.turris.cz functioning properly?

2019-09-05 23:32:53 info ucollect[24325]: Reconnecting to api.turris.cz:5679 now
2019-09-05 23:32:53 info ucollect[24325]: Socat started
2019-09-05 23:32:53 err ucollect[24325]: Error from socat: 2019/09/05 23:32:53 socat[24863] E SSL_connect(): error:14090086:lib(20):func(144):reason(134)
2019-09-05 23:32:53 warning ucollect[24325]: Remote closed the uplink api.turris.cz:5679, reconnecting
2019-09-05 23:32:53 warning ucollect[24325]: epoll_wait on 4 interrupted, retry

tonyquan · September 7, 2019, 5:23pm

no one else seeing this? filing report with tech support

DIKKEHENK · September 7, 2019, 7:58pm

just checked, works here on TO ?

anon50890781 · September 8, 2019, 10:46am

Might have been a temporary connectivity issue. Tested just now from this end and all came out ok, e.g.

openssl s_client -connect api.turris.cz:5679
gnutls-cli -V api.turris.cz:5679
ncat --ssl -v api.turris.cz 5679

Jenda · September 8, 2019, 12:10pm

I have the same issue with automatic backup to cloud. I created the topic in czech part -
https://forum.test.turris.cz/t/nefunkcni-automaticka-zaloha-do-cloudu-ucollect/10961

JardaB · September 8, 2019, 12:11pm

BusyBox v1.29.3 () built-in shell (ash)

  _______  _    _  _____   _____   _____   _____
 |__   __|| |  | ||  __ \ |  __ \ |_   _| / ____|
    | |   | |  | || |__) || |__) |  | |  | (___
    | |   | |  | ||  _  / |  _  /   | |   \___ \
    | |   | |__| || | \ \ | | \ \  _| |_  ____) |
    |_|    \____/ |_|  \_\|_|  \_\|_____||_____/



root@turris:~# openssl s_client -connect api.turris.cz:5679
CONNECTED(00000003)
depth=1 C = CZ, ST = Czech republic, L = Prague, O = CZ.NIC, OU = Labs, emailAddress = michal.vaner@nic.cz
verify error:num=19:self signed certificate in certificate chain
3069396004:error:140790E5:lib(20):func(121):reason(229):NA:0:
---
Certificate chain
 0 s:/C=CZ/ST=Czech republic/L=Prague/O=CZ.NIC/OU=Labs/CN=api.turris.cz/emailAddress=michal.vaner@nic.cz
   i:/C=CZ/ST=Czech republic/L=Prague/O=CZ.NIC/OU=Labs/emailAddress=michal.vaner@nic.cz
 1 s:/C=CZ/ST=Czech republic/L=Prague/O=CZ.NIC/OU=Labs/emailAddress=michal.vaner@nic.cz
   i:/C=CZ/ST=Czech republic/L=Prague/O=CZ.NIC/OU=Labs/emailAddress=michal.vaner@nic.cz
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFizCCA3MCCQDXtHmYUVxepjANBgkqhkiG9w0BAQsFADB7MQswCQYDVQQGEwJD
WjEXMBUGA1UECAwOQ3plY2ggcmVwdWJsaWMxDzANBgNVBAcMBlByYWd1ZTEPMA0G
A1UECgwGQ1ouTklDMQ0wCwYDVQQLDARMYWJzMSIwIAYJKoZIhvcNAQkBFhNtaWNo
YWwudmFuZXJAbmljLmN6MB4XDTE3MDEwOTE0NDUxOVoXDTE5MTAwNjE0NDUxOVow
gZMxCzAJBgNVBAYTAkNaMRcwFQYDVQQIDA5DemVjaCByZXB1YmxpYzEPMA0GA1UE
BwwGUHJhZ3VlMQ8wDQYDVQQKDAZDWi5OSUMxDTALBgNVBAsMBExhYnMxFjAUBgNV
BAMMDWFwaS50dXJyaXMuY3oxIjAgBgkqhkiG9w0BCQEWE21pY2hhbC52YW5lckBu
aWMuY3owggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDF/T+nareZMejR
QXOR0Zf7uh7/3Vsh6N0Bhk1rxNOBmKR6q1Xznc8qnlypNsxwZrIVO/sRD8ZMLZxB
rtLEK1zSm76rea0SJxrBXFrzV0EOUZXBBGZLlb2+I+GpFnnIyW2dXKPoGdrXqzp6
.
.
.
.
GL+5zf7otIY+5ctpv98a3m8eJQ55wB93Pqh2ln5G9/ImCxtxEFHdaHy8B5dTKpZf
CM94RDqabNQd33XidBEIMp9skmmQubJLlczJrGU9nopdvH4yK3kWSUmmbo9TKNtb
XPxch+LVHCskxvcgDgJOd+Yb43XnyZnxQCabt87FYAvVSkpBRt8aB8L/htuZemQW
nLPMQ6zV5jkkOwrKG/R+lvASR8aPWT5xxgXX/QiAACGPzd1yr5zNMTc1YPL6F+Q3
Sdxki0Ll9tE/t1H7BqORFcGDbHeTFnnXBa6t+CVd+aSqFgER4H66cjY7rQTT4jay
50u89PP8dm8LjrefS6CToIupqWNJQ1jMctueZFRMEQ==
-----END CERTIFICATE-----
subject=/C=CZ/ST=Czech republic/L=Prague/O=CZ.NIC/OU=Labs/CN=api.turris.cz/emailAddress=michal.vaner@nic.cz
issuer=/C=CZ/ST=Czech republic/L=Prague/O=CZ.NIC/OU=Labs/emailAddress=michal.vaner@nic.cz
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 3040 bytes and written 586 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 3844E39E5DC7D384E82677BA18668CBD2CD010E581603843CAFEAAA226CC1132D9A11CF4A4E393D74A79D744990AB67E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567944674
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
root@turris:~# gnutls-cli -V api.turris.cz:5679
-ash: gnutls-cli: not found
root@turris:~# ncat --ssl -v api.turris.cz 5679
-ash: ncat: not found
root@turris:~#

anon50890781 · September 8, 2019, 12:18pm

Just noticed that the certificate has actually expired

verify error:num=10:certificate has expired
notAfter=Sep  5 13:38:49 2019 GMT

anon50890781 · September 8, 2019, 12:21pm

Those two package are not shipping by default and would need to be installed by the user, I just mentioned them for the sake of completeness

JardaB · September 8, 2019, 12:22pm

This is a problem with me or on the server side ?

anon50890781 · September 8, 2019, 12:26pm

You got basic TLS connectivity and thus the cause would not seem to be your end. But with the certificate being expired I would reckon that being a server side issue.

JardaB · September 8, 2019, 12:32pm

root@turris:~# gnutls-cli -V api.turris.cz:5679
Processed 512 CA certificate(s).
Resolving 'api.turris.cz:5679'...
Connecting to '217.31.192.101:5679'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
        Version: 1
        Serial Number (hex): 00d7b47998515c5ea6
        Issuer: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Validity:
                Not Before: Mon Jan 09 14:45:19 UTC 2017
                Not After: Sun Oct 06 14:45:19 UTC 2019
        Subject: EMAIL=michal.vaner@nic.cz,CN=api.turris.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                        00:c5:fd:3f:a7:6a:b7:99:31:e8:d1:41:73:91:d1:97
                        fb:ba:1e:ff:dd:5b:21:e8:dd:01:86:4d:6b:c4:d3:81
                        98:a4:7a:ab:55:f3:9d:cf:2a:9e:5c:a9:36:cc:70:66
                        .
                        .
                        e2:59:24:9c:f6:7d:eb:56:5e:6b:43:8b:21:a5:33:62
                        d4:96:43:8e:38:25:2b:46:72:10:a1:6a:aa:9b:be:db
                        75
                Exponent (bits 24):
                        01:00:01
        Signature Algorithm: RSA-SHA256
        Signature:
                37:f4:56:41:7c:71:b5:22:25:bf:f0:3b:e7:14:d0:8d
                56:bc:b6:9a:6d:63:5d:27:92:0f:fd:8f:b2:95:2f:6d
                e8:56:52:41:a3:d9:d1:04:71:69:17:93:dc:04:7e:81
                .
                .
                .
                a4:aa:16:01:11:e0:7e:ba:72:36:3b:ad:04:d3:e2:36
                b2:e7:4b:bc:f4:f3:fc:76:6f:0b:8e:b7:9f:4b:a0:93
                a0:8b:a9:a9:63:49:43:58:cc:72:db:9e:64:54:4c:11
Other Information:
        Fingerprint:
                sha1:4f5fd13c030a7993b40a546794964abb2782b176
                sha256:ee8e2180f84c9c05c17e1d93e47052a4d409280758902c7c2839bf846af2645c
        Public Key ID:
                sha1:19db715c9368d3a243e6b8980eb1a168ddeb56e3
                sha256:7bbbcdb2560e880deffdc11bb4ee0078269e171097b08bb98e0e23c4325ee477
        Public Key PIN:
                pin-sha256:e7vNslYOiA3v/cEbtO4AeCaeFxCXsIu5jg4jxDJe5Hc=


-----BEGIN CERTIFICATE-----
MIIFizCCA3MCCQDXtHmYUVxepjANBgkqhkiG9w0BAQsFADB7MQswCQYDVQQGEwJD
WjEXMBUGA1UECAwOQ3plY2ggcmVwdWJsaWMxDzANBgNVBAcMBlByYWd1ZTEPMA0G
.
.
.
nLPMQ6zV5jkkOwrKG/R+lvASR8aPWT5xxgXX/QiAACGPzd1yr5zNMTc1YPL6F+Q3
Sdxki0Ll9tE/t1H7BqORFcGDbHeTFnnXBa6t+CVd+aSqFgER4H66cjY7rQTT4jay
50u89PP8dm8LjrefS6CToIupqWNJQ1jMctueZFRMEQ==
-----END CERTIFICATE-----

- Certificate[1] info:
 - X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 00987d5eef075ad9f6
        Issuer: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Validity:
                Not Before: Fri Dec 09 13:38:49 UTC 2016
                Not After: Thu Sep 05 13:38:49 UTC 2019
        Subject: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                        00:c9:10:88:90:c1:5d:1b:c5:7a:d2:09:21:82:8c:d4
                        12:8f:cc:19:75:16:8b:98:91:ff:36:79:ea:14:37:63
                        25:75:ab:d8:0c:8c:b1:75:aa:8f:9a:dd:11:b9:2e:fa
                         .
                         .
                         .
                        94:6a:1b:01:80:81:a1:10:04:c8:56:4e:2b:ff:c9:e9
                        30:48:cb:68:83:c3:17:4f:f9:77:a5:fb:fc:82:ae:dc
                        2e:e5:61:63:e7:72:2e:c7:93:3a:e8:95:01:1a:b3:1f
                        6b
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Subject Key Identifier (not critical):
                        a112ee13cb4c1615e79573b221218e06d47c4f0a
                Authority Key Identifier (not critical):
                        a112ee13cb4c1615e79573b221218e06d47c4f0a
                Basic Constraints (not critical):
                        Certificate Authority (CA): TRUE
        Signature Algorithm: RSA-SHA256
        Signature:
                91:30:84:85:53:ad:b4:ea:97:70:11:a4:d7:67:5d:ca
                7b:e7:f9:75:26:cf:b9:59:53:47:ad:16:7d:4a:2f:7f
                f2:22:b8:7c:73:ba:41:21:6a:1c:62:be:7f:3c:14:78
                .
                .
                .
                fd:ae:a5:a9:f3:d7:29:a3:9f:59:55:7c:29:59:03:e8
                66:a2:a4:1f:3b:8d:01:cb:bd:32:7e:63:55:a3:7c:e7
                1c:fc:ef:5a:fd:d2:ee:60:c5:2f:22:05:27:b3:6b:f0
Other Information:
        Fingerprint:
                sha1:5b79f221d8e8a58324f895c0bd2c6b3af10c94ef
                sha256:a6f917c39a0ca2b5abb552f6f3e80615181abf8e012c37131a56743459919e38
        Public Key ID:
                sha1:501b58b726a09b231abcd2b7cec705fbde2790b5
                sha256:416fab47d3f4898c07b3d85388b624221a91324a8a6ffd0df38469aefc015430
        Public Key PIN:
                pin-sha256:QW+rR9P0iYwHs9hTiLYkIhqRMkqKb/0N84RprvwBVDA=


-----BEGIN CERTIFICATE-----
MIIFyTCCA7GgAwIBAgIJAJh9Xu8HWtn2MA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
BAYTAkNaMRcwFQYDVQQIDA5DemVjaCByZXB1YmxpYzEPMA0GA1UEBwwGUHJhZ3Vl
.
.
.
EF/OBw+KroasxgyJ9YdePMICg2j3B2qc/xT9POYBCwiJrO520XeJXzuEAiI+/a6l
qfPXKaOfWVV8KVkD6GaipB87jQHLvTJ+Y1WjfOcc/O9a/dLuYMUvIgUns2vw
-----END CERTIFICATE-----

- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
root@turris:~#

x

root@turris:~# ncat --ssl -v api.turris.cz 5679
Ncat: OpenSSL isn't compiled in. The --ssl option cannot be chosen. QUITTING.
root@turris:~#

I am just after reinstalling the system on an SSD mSATA from the backup image Schnapps… Such a collision caught my eye and I attributed problems to myself

anon50890781 · September 8, 2019, 12:36pm

We are using different branches of TOS and thus ncat apparently not working with TLS/SSL your end.

I am not sure but that seems to be the cause of the matter.

@vojtech.myslivec perhaps you could get in touch with whomever is in charge of certificate maintenance for the turris.cz back-end and get it sorted?

vojtech.myslivec · September 8, 2019, 2:06pm

OMG, uCollect has another certificate It should really die ASAP

Thanks for the info, we will focus on it this week.

anon50890781 · September 8, 2019, 7:18pm

Is only uCollect utilizing that api/port/cert or other apps eventually too, e.g. cloud backup?

vojtech.myslivec · September 8, 2019, 7:29pm

AFAIK this issue affects only uCollect itself, i.e. optional data collection from the router.

Cloud backups should not be affected as it use different services which are not connected to uCollect. I have tried to make a cloud backup on my router at the moment and it was created without any problem.

tonyquan · September 8, 2019, 11:01pm

@vojtech.myslivec BTW what will replace uCollect if I may ask?

vojtech.myslivec · September 8, 2019, 11:22pm

It is called Turris:Sentinel. You can test it already and it was published in the post Trying new data collecting system Sentinel

anon50890781 · September 8, 2019, 11:26pm

forum search ucollect replace

vojtech.myslivec · September 9, 2019, 11:44am

We had deployed a new (and probably the last) certificate for uCollect. It will be shipped as part of TOS 3.11.7 which will be in RC soon.

JardaB · September 9, 2019, 4:44pm

Should the sentinel-proxy process be installed and running in the current version ?

sentinel-certgen
sentinel-nikola
sentinel-proxy