Ucollect failing talking to api.turris.cz port 5679

root@turris:~# gnutls-cli -V api.turris.cz:5679
Processed 512 CA certificate(s).
Resolving 'api.turris.cz:5679'...
Connecting to '217.31.192.101:5679'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
        Version: 1
        Serial Number (hex): 00d7b47998515c5ea6
        Issuer: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Validity:
                Not Before: Mon Jan 09 14:45:19 UTC 2017
                Not After: Sun Oct 06 14:45:19 UTC 2019
        Subject: EMAIL=michal.vaner@nic.cz,CN=api.turris.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                Exponent (bits 24):
                        01:00:01
        Signature Algorithm: RSA-SHA256
        Signature:
Other Information:
        Fingerprint:
                sha1:4f5fd13c030a7993b40a546794964abb2782b176
                sha256:ee8e2180f84c9c05c17e1d93e47052a4d409280758902c7c2839bf846af2645c
        Public Key ID:
                sha1:19db715c9368d3a243e6b8980eb1a168ddeb56e3
                sha256:7bbbcdb2560e880deffdc11bb4ee0078269e171097b08bb98e0e23c4325ee477
        Public Key PIN:
                pin-sha256:e7vNslYOiA3v/cEbtO4AeCaeFxCXsIu5jg4jxDJe5Hc=



- Certificate[1] info:
 - X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 00987d5eef075ad9f6
        Issuer: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Validity:
                Not Before: Fri Dec 09 13:38:49 UTC 2016
                Not After: Thu Sep 05 13:38:49 UTC 2019
        Subject: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Subject Key Identifier (not critical):
                        a112ee13cb4c1615e79573b221218e06d47c4f0a
                Authority Key Identifier (not critical):
                        a112ee13cb4c1615e79573b221218e06d47c4f0a
                Basic Constraints (not critical):
                        Certificate Authority (CA): TRUE
        Signature Algorithm: RSA-SHA256
        Signature:
Other Information:
        Fingerprint:
                sha1:5b79f221d8e8a58324f895c0bd2c6b3af10c94ef
                sha256:a6f917c39a0ca2b5abb552f6f3e80615181abf8e012c37131a56743459919e38
        Public Key ID:
                sha1:501b58b726a09b231abcd2b7cec705fbde2790b5
                sha256:416fab47d3f4898c07b3d85388b624221a91324a8a6ffd0df38469aefc015430
        Public Key PIN:
                pin-sha256:QW+rR9P0iYwHs9hTiLYkIhqRMkqKb/0N84RprvwBVDA=



- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
root@turris:~#

x

root@turris:~# ncat --ssl -v api.turris.cz 5679
Ncat: OpenSSL isn't compiled in. The --ssl option cannot be chosen. QUITTING.
root@turris:~#

I am just after reinstalling the system on an SSD mSATA from the backup image Schnapps… Such a collision caught my eye and I attributed problems to myself.

We are using different branches of TOS and thus ncat is apparently not working with TLS/SSL at your end.


I am not sure but that seems to be the cause of the matter.

@vojtech.myslivec perhaps you could get in touch with whomever is in charge of certificate maintenance for the turris.cz back-end and get it sorted?
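
As an added example (not part of any post in this thread, and not Turris code): a small Python parser for `gnutls-cli -V` output like the one at the top of the thread, which checks each certificate's validity window against a reference time and notes whether issuer and subject match. The excerpt is copied from that output; the reference time is the timestamp of the "giving up" syslog line quoted later in the thread, assumed here to be UTC.

```python
import re
from datetime import datetime, timezone

# Excerpt of the gnutls-cli -V output posted in this thread (key bytes omitted).
SAMPLE = """\
- Certificate[0] info:
        Issuer: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
                Not Before: Mon Jan 09 14:45:19 UTC 2017
                Not After: Sun Oct 06 14:45:19 UTC 2019
        Subject: EMAIL=michal.vaner@nic.cz,CN=api.turris.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
- Certificate[1] info:
        Issuer: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
                Not Before: Fri Dec 09 13:38:49 UTC 2016
                Not After: Thu Sep 05 13:38:49 UTC 2019
        Subject: EMAIL=michal.vaner@nic.cz,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ
"""
# Assumption: timestamp of the "giving up" syslog line in the thread, read as UTC.
REFERENCE = datetime(2019, 9, 12, 16, 11, 20, tzinfo=timezone.utc)

HEADER = re.compile(r"^- Certificate\[(\d+)\] info:")
FIELD = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After): (.+)$")

def parse_chain(text):
    """Return one dict per certificate with issuer, subject and validity bounds."""
    certs = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            certs.append({"index": int(header.group(1))})
            continue
        field = FIELD.match(line)
        if field and certs:
            key, value = field.groups()
            if key.startswith("Not"):
                value = datetime.strptime(value, "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)
            certs[-1][key] = value
    return certs

def audit(certs, now):
    """Classify each certificate's validity at `now` and whether it is self-issued."""
    findings = []
    for cert in certs:
        state = ("not yet valid" if now < cert["Not Before"]
                 else "expired" if now > cert["Not After"] else "in validity window")
        role = "self-issued" if cert["Issuer"] == cert["Subject"] else "issued by another subject"
        findings.append((cert["index"], state, role))
    return findings

if __name__ == "__main__":
    print(audit(parse_chain(SAMPLE), REFERENCE))
```
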

OMG, uCollect has another certificate :man_facepalming: It should really die ASAP :pray:

Thanks for the info, we will focus on it this week.


Is only uCollect utilizing that api/port/cert or other apps eventually too, e.g. cloud backup?

AFAIK this issue affects only uCollect itself, i.e. optional data collection from the router.

Cloud backups should not be affected as they use different services which are not connected to uCollect. I have tried to make a cloud backup on my router at the moment and it was created without any problem.


@vojtech.myslivec BTW what will replace uCollect if I may ask?

It is called Turris:Sentinel. You can test it already and it was published in the post Trying new data collecting system Sentinel

forum search ucollect replace


We have deployed a new (and probably the last) certificate for uCollect. It will be shipped as part of TOS 3.11.7 which will be in RC soon.


Should the sentinel-proxy process be installed and running in the current version?

sentinel-certgen
sentinel-nikola
sentinel-proxy

Hi @JardaB, I think I don’t get the question. Sentinel is a new and optional data collection system for Turris devices.

If you want to install and try Sentinel, please see (and discuss) the topic I referred to above: Trying new data collecting system Sentinel

In other words… the above-mentioned processes in the normal state (standard) should not be installed.

certgen is part of base as it handles the mail notification password as well. nikola collects firewall data and proxy sends the data to our server, so these two are not installed by default.

You mean sentinel-certgen and sentinel-nikola or nikola??

Some new types of syslog messages …

2019-09-12 15:42:15 warning ucollect[31682]: Throwing out connection 20 from [::ffff:157.245.74.53]:44306 accepted on 20 of fake server telnet, too many opened ones
2019-09-12 15:42:15 warning ucollect[31682]: Throwing out connection 20 from [::ffff:157.245.74.53]:44388 accepted on 20 of fake server telnet, too many opened ones
2019-09-12 15:42:15 warning ucollect[31682]: Throwing out connection 20 from [::ffff:157.245.74.53]:44442 accepted on 20 of fake server telnet, too many opened ones
2019-09-12 15:42:15 warning ucollect[31682]: Throwing out connection 20 from [::ffff:157.245.74.53]:44570 accepted on 20 of fake server telnet, too many opened ones
2019-09-12 15:42:15 warning ucollect[31682]: Throwing out connection 20 from 
xxx
2019-09-12 16:11:20 info ucollect[1230]: Reconnecting to api.turris.cz:5679 now
2019-09-12 16:11:20 crit ucollect[1230]: Too many login failures, giving up

Where is the problem? There is not a single error in syslog today.

Got a response from the developers on this, they are aware of the problem with this graph at project.turris.cz and working on fixing it.

The website project.turris.cz just wrongly shows the uCollect server as down. It has been displayed correctly since yesterday.
