API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • Error while connecting to LDAP server after upgrade from Red Hat Satellite 6.11 to 6.12.

  • API calls to Satellite made from various user accounts sometimes fail with:

    { "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }
    
  • The same issue was observed on Red Hat Satellite 6.13 with Active Directory (running on Windows Server 2016) configured as an external authentication source.

Resolution

  • Disable the cipher from OpenSSL on Satellite server:

    • Check the current crypto policy used:
    update-crypto-policies --show
    
    • Make a backup of this configuration:
    MYPOLICY=$(update-crypto-policies --show)
    cp -a /usr/share/crypto-policies/${MYPOLICY}/opensslcnf.txt{,.orig}
    
    • Disable cipher 'DHE-RSA-AES256-GCM-SHA384':
    sed -i -e '/^CipherString.*/s|$|:!DHE-RSA-AES256-GCM-SHA384|g' /usr/share/crypto-policies/${MYPOLICY}/opensslcnf.txt
    
    • Double-check the openssl ciphers:
    openssl ciphers | grep 'DHE-RSA-AES256-GCM-SHA384'
    
    • Double-check the openssl ciphers via ruby:
    echo "require 'openssl'; pp OpenSSL::SSL::SSLContext.new.ciphers; nil" | foreman-rake console
    

    Note: If the 'DHE-RSA-AES256-GCM-SHA384' cipher is still listed as available, reboot and check again.

  • Check network connectivity: Ensure that you have network connectivity to the server (ldap.example.com) on port 636.

  • Verify certificate trust: Make sure that the CA certificate used by the LDAP server is present in the CA bundle file /etc/pki/tls/certs/ca-bundle.crt. This file contains trusted CA certificates for validating SSL/TLS connections. You can check the file contents or update it with the appropriate CA certificate.

  • Check for firewall or proxy issues: Ensure that there are no firewall rules or proxy configurations blocking the connection. Make sure that the LDAP server is not blocked by any proxy settings.

  • Verify LDAP server configuration: Double-check the LDAP server configuration (ldap.example.com) to ensure that it is correctly configured to accept SSL/TLS connections on port 636.

  • Red Hat Satellite Engineering is aware of this issue and is working on a fix based on an internal bug report.

  • For more KB articles/solutions related to Red Hat Satellite 6.x API issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x API Issues.
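    The cipher-disabling steps in the Resolution above, written as a small POSIX shell script. This is an added example, not part of the Red Hat solution: the policy file path is a parameter (on a Satellite server it would be /usr/share/crypto-policies/$(update-crypto-policies --show)/opensslcnf.txt), the sample opensslcnf.txt is constructed for the demo, and the edit is made idempotent so running it twice does not append the exclusion twice.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): apply the article's cipher
# exclusion to a crypto-policy OpenSSL config file and verify the result.
# The path is a parameter so the logic can be exercised on a constructed
# copy; on a Satellite server you would pass
#   /usr/share/crypto-policies/$(update-crypto-policies --show)/opensslcnf.txt

CIPHER='DHE-RSA-AES256-GCM-SHA384'

# Count how many times ":!CIPHER" appears in the file (expect 0 or 1).
exclusion_count() {
    grep -o ":!$2" "$1" | wc -l | tr -d ' '
}

# Return 0 if the CipherString line already excludes the cipher.
cipher_excluded() {
    grep -q "^CipherString.*:!$2" "$1"
}

# Append ":!CIPHER" to the CipherString line once, keeping a .orig backup
# the first time the file is touched (as the article does).
# Returns non-zero if the file does not exist.
disable_cipher() {
    file=$1; cipher=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -f "$file.orig" ] || cp -a "$file" "$file.orig"
    cipher_excluded "$file" "$cipher" && return 0
    tmp="$file.tmp.$$"
    sed -e "/^CipherString/s|\$|:!$cipher|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Live check: is the cipher still offered by the system OpenSSL?
# Only meaningful after editing the real policy file (not used by the tests).
cipher_still_offered() {
    openssl ciphers | tr ':' '\n' | grep -qx "$1"
}

# Constructed sample resembling a RHEL 8 DEFAULT-policy opensslcnf.txt;
# prints the path of a fresh temporary copy.
make_sample_policy() {
    dir=$(mktemp -d)
    cat > "$dir/opensslcnf.txt" <<'EOF'
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3
EOF
    echo "$dir/opensslcnf.txt"
}

# Demo on the constructed sample: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_policy)
    disable_cipher "$f" "$CIPHER"
    grep '^CipherString' "$f"
fi
```

    The exclusion syntax (:!NAME) removes the cipher from the list permanently, which is why the article's openssl and foreman-rake checks should show it gone afterwards; cipher_still_offered implements the first of those checks against the live system.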

Root Cause

  • The TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher occasionally returns an error code on Windows machines.

Diagnostic Steps

  • When you try to connect to the LDAP server, you can see the cipher it uses:

    # openssl s_client -connect ldap.example.com:636
     CONNECTED(00000003)
     <snip>
     ---
     SSL handshake has read 5222 bytes and written 491 bytes
     ---
     New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
     Server public key is 2048 bit
     Secure Renegotiation IS supported
     Compression: NONE
     Expansion: NONE
     No ALPN negotiated
     SSL-Session:
     Protocol  : TLSv1.2
     <snip>
     Verify return code: 0 (ok)
    
  • The local OpenSSL cipher list still includes 'DHE-RSA-AES256-GCM-SHA384':

    # openssl ciphers | grep 'DHE-RSA-AES256-GCM-SHA384'
    TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:RSA-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:RSA-PSK-AES256-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA
    
  • To troubleshoot communication issues between Red Hat Satellite and the LDAP/AD server, use the built-in connection test and the following commands to check name resolution, network connectivity and the TLS handshake:

       Satellite webUI -> Administer -> LDAP Authentication -> [Authentication Source Name] -> LDAP server -> Click on "Test Connection"
    
       # ping -c 5 ldap.example.com
       # nslookup ldap.example.com
       # host ldap.example.com
       # tracepath -p 636 ldap.example.com
       # nc ldap.example.com 636 -v -w 60
       # curl -vv  ldaps://ldap.example.com
       # curl -vv  ldap://ldap.example.com
       # echo |openssl s_client -connect ldap.example.com:636
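    The last command above is the one that shows which cipher was negotiated and whether the server certificate verified (the "Verify certificate trust" item in the Resolution). As an added example, not part of the Red Hat solution, here is a POSIX shell helper that parses `openssl s_client` output, reports both values, and flags the DHE-RSA-AES256-GCM-SHA384 cipher identified in the Root Cause. The transcripts it is tested against are constructed, modelled on the one shown above; the check_ldaps function needs network access and is the only part that talks to a real server.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): parse `openssl s_client`
# output to report the negotiated cipher and certificate verification
# result, and flag the cipher the article identifies as problematic.

BAD_CIPHER='DHE-RSA-AES256-GCM-SHA384'

# Read s_client output on stdin; print the negotiated cipher name.
# Matches both "New, TLSv1/SSLv3, Cipher is X" and "New, TLSv1.3, Cipher is X".
negotiated_cipher() {
    sed -n 's/^ *New, .*Cipher is \([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Read s_client output on stdin; print the numeric verify return code.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Assess captured s_client output (stdin). Prints "cipher=<c> verify=<n>"
# and returns:
#   0 - handshake completed, certificate verified, cipher not the bad one
#   1 - the problematic DHE cipher was negotiated
#   2 - certificate verification failed (non-zero verify return code)
#   3 - no handshake information found (connection refused/reset, etc.)
assess() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    code=$(printf '%s\n' "$out" | verify_code)
    echo "cipher=${cipher:-none} verify=${code:-none}"
    [ -n "$cipher" ] || return 3
    [ "${code:-1}" -eq 0 ] || return 2
    [ "$cipher" != "$BAD_CIPHER" ] || return 1
    return 0
}

# Live check against host:port, e.g. check_ldaps ldap.example.com:636
# (needs network access; not used by the tests).
check_ldaps() {
    echo | openssl s_client -connect "$1" 2>/dev/null | assess
}

# Constructed sample modelled on the article's transcript: bad cipher, cert ok.
sample_bad_cipher() {
cat <<'EOF'
CONNECTED(00000003)
---
SSL handshake has read 5222 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: an ECDHE cipher was negotiated, cert ok.
sample_good() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: CA not in the trust bundle, so verification fails.
sample_verify_fail() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}
```

    A verify code other than 0 points at the CA bundle (/etc/pki/tls/certs/ca-bundle.crt) rather than at the cipher, so the helper checks that first; an empty result means the TCP connection or handshake never got far enough, which sends you back to the connectivity and firewall items.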
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.