Script suddenly stopped working (TLS error)
-
Hi,
I'm facing a new issue. All my provisioning is done with an xo-cli script.
Adding a user is OK, but when I create a network:
xo-cli sdnController.createPrivateNetwork \
  name="Reseau-Test" \
  poolIds=json:'["'3960dbc1-d43c-341a-0421-83d53db1968f'"]' \
  encapsulation="vxlan" \
  description="Réseau Test" \
  pifIds=json:'["f002e286-6e36-7841-0d9b-fd2b58740bd6","e6533dc2-c5e4-a669-9019-e6308029068b","cd753935-2158-566d-69e8-94a88c0e8d0f"]'
An error is issued:
✖ JsonRpcError: C0DC61B8937F0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 48
    at Peer._callee$ (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/json-rpc-peer/dist/index.js:139:44)
    at Peer.<anonymous> (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:52:18)
    at Generator.<anonymous> (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/@babel/runtime/helpers/regenerator.js:52:51)
    at Generator.next (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/@babel/runtime/helpers/regeneratorDefine.js:17:23)
    at asyncGeneratorStep (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:17)
    at _next (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/@babel/runtime/helpers/asyncToGenerator.js:17:9)
    at /home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/@babel/runtime/helpers/asyncToGenerator.js:22:7
    at new Promise (<anonymous>)
    at Peer.<anonymous> (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/@babel/runtime/helpers/asyncToGenerator.js:14:12)
    at Peer.exec (/home/uga/.nvm/versions/node/v22.17.0/lib/node_modules/xo-cli/node_modules/json-rpc-peer/dist/index.js:182:20) {
  code: -32000,
  data: {
    code: 'ERR_SSL_TLSV1_ALERT_UNKNOWN_CA',
    library: 'SSL routines',
    message: 'C0DC61B8937F0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 48\n',
    name: 'Error',
    reason: 'tlsv1 alert unknown ca',
    stack: 'Error: C0DC61B8937F0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:SSL alert number 48\n'
  }
}
"override-certs" is on, no changes on hosts.
Last run of this script was two weeks ago, with no issue.
EDIT: the networks are indeed created, this error seems to be non-blocking. However, I didn't see it before.
EDIT bis : the networks are effectively created in XAPI, not on hosts !
-
You have a cert issue; it can also be due to a time mismatch between your machine, XO and the host.
-
I use only http for xo-cli, so I didn't understand why I have a CA error.
I think it's because I've launched a second XOA for trial testing.
Last week, with only one XO, no problem.
-
Hi,
After deleting the certs in /etc/stunnel/certs on every host, and a start/stop of the sdn-controller plugin on XOA, things came back to normal.
Have a good day.
-
Excellent news! Thanks for the feedback
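
For readers decoding the error in the first post: the following is an added example (not code from this thread, xo-cli or Xen Orchestra) that unpacks the OpenSSL 3.x error line. Code 0A000418 is library 20 (SSL) with reason 1048, that is, TLS alert 48 (unknown_ca) received from the remote end of a TLS connection, which then surfaced through the JSON-RPC error. The function name and hint strings are assumptions made for the example.

```javascript
// Added example: decode an OpenSSL 3.x error line as seen in Node.js errors.
// Layout: <thread>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<data>
const ERR_LIB_SSL = 20;            // OpenSSL library number for "SSL routines"
const SSL_AD_REASON_OFFSET = 1000; // reason = 1000 + alert number for a received alert

// Certificate-related TLS alert descriptions (RFC 5246 / RFC 8446).
const CERT_ALERTS = {
  42: 'bad_certificate',
  43: 'unsupported_certificate',
  44: 'certificate_revoked',
  45: 'certificate_expired',
  46: 'certificate_unknown',
  48: 'unknown_ca',
};

// Hint text is illustrative wording written for this example.
const HINTS = {
  45: 'peer considers the certificate expired: check validity dates and clocks',
  48: 'peer does not trust the CA that signed the certificate it was shown',
};

function decodeOpenSSLError(line) {
  const m = /^[0-9A-F]+:error:([0-9A-F]{8}):([^:]*):([^:]*):([^:]*):/i.exec(line.trim());
  if (!m) return null; // not an OpenSSL 3.x style error line
  const code = parseInt(m[1], 16);
  const lib = (code >>> 23) & 0xff; // library number lives in bits 23..30
  const reason = code & 0x7fffff;   // reason code lives in the low 23 bits
  // In the SSL library, reasons 1000..1255 mean "alert received from the peer".
  const fromPeer = lib === ERR_LIB_SSL &&
    reason >= SSL_AD_REASON_OFFSET && reason <= SSL_AD_REASON_OFFSET + 255;
  const alert = fromPeer ? reason - SSL_AD_REASON_OFFSET : null;
  return {
    lib, reason, fromPeer, alert,
    libraryName: m[2], func: m[3], reasonText: m[4],
    alertName: alert !== null ? (CERT_ALERTS[alert] || 'other') : null,
    hint: alert !== null ? (HINTS[alert] || 'see the TLS alert registry') : null,
  };
}

// Error line copied from the first post of the thread.
const SAMPLE = 'C0DC61B8937F0000:error:0A000418:SSL routines:ssl3_read_bytes:' +
  'tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1605:' +
  'SSL alert number 48';

console.log(decodeOpenSSLError(SAMPLE));
```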
