Failed to connect to controller during registration


Xavier Maysonnave

Feb 11, 2017, 1:27:36 AM
to OpenWISP
Hi Federico,

1 - Right now the router does not contact the controller. I got the following from logread:
Failed to connect to controller during registration: curl exit code 48, which means, as far as I found:
CURLE_UNKNOWN_OPTION (48)
     An option passed to libcurl is not recognized/known. Refer to the appropriate documentation. This is most likely a problem in the program that uses libcurl. The error buffer might contain more specific information about which exact option it concerns.

- Firmware Version: 
LEDE Reboot 17.01-SNAPSHOT r3141-02515f0187 / LuCI lede-17.01 branch (git-17.038.75860-1f014bd21)
-   curl version:
root@LEDE:/etc/config# curl --version
curl 7.52.1 (mipsel-openwrt-linux-gnu) libcurl/7.52.1 mbedTLS/2.4.0
Protocols: file ftp ftps http https  
Features: IPv6 Largefile SSL
- Here is my current config:
config controller 'http'
   # change the values of the following 2 options
   option url 'an_ip_address'
   option shared_secret 'a_shared_secret' <- the same 'a_shared_secret' I use in my playbook.yml openwisp2_shared_secret variable.
   list unmanaged 'system.@led'
   list unmanaged 'network.loopback'
   list unmanaged 'network.@switch'
   list unmanaged 'network.@switch_vlan'


2 -  I started to study the openwisp-config code and realized some assumptions like the SSID should be LEDE or OpenWrt. I wanted to use my own numbering system.
Forget that question from the previous thread as I clearly wasn't awake ;-)

Thanks


Federico Capoano

Feb 13, 2017, 4:53:46 AM
to OpenWISP
Hi Xavier,

regarding problem 1, is the value you put in place of "an_ip_address" something like "https://10.8.0.1" ? That value must be a URL.

The CURL version is different, it may have happened that some arguments that we are using with older curl versions are not valid anymore in the latest release.
I haven't been testing LEDE recently, so I need to test it again.

Federico

Xavier Maysonnave

Feb 13, 2017, 5:38:07 AM
to OpenWISP
Hi Federico,

I tried at the command line to perform the curl command and got interesting results.
The first trap was a more accurate answer 'no URL specified!'

1 - This one is easy to fix if you escape the --data secret=....&key=... with a single quote 'secret=....&key=...'
The ampersand seems to be guilty in that case, the command line is cut and the program is sent to the background <- probably I should open a bug report on that one
By doing this my URL is now found

2 - Then as I use the default ansible-openwisp2 my controller is behind HTTPS.
I use the minimal-config found in the documentation and I realized after watching your screencast (very useful)
that I needed to specify https in my URL
Then one more time I made a step forward.

3 - When I do a simple curl like:
I got the following error message:
curl: (77) Error reading ca cert file /etc/ssl/certs/ca-certificates.crt - mbedTLS: (-0x3E00) PK - Read/write of file failed
When googling it appears that historically there are some issues with ssl implementation (PolarSSL, OpenSSL,...)
however with:
on the server side in the log file /opt/openwisp2/log/nginx.access.log I see for the first time my router:
192.168.10.235 - - [13/Feb/2017:16:01:22 +0530] "GET /controller/register/ HTTP/1.1" 405 5 "-" "curl/7.52.1"

Here I am right now as I think that my current problem comes from an SSL issue.
I'm wondering what's the recommended SSL implementation you could suggest.
- PolarSSL
- OpenSSL
- CyaSSL

Thanks

Federico Capoano

Feb 13, 2017, 5:45:47 AM
to OpenWISP
Have you checked that "/etc/ssl/certs/ca-certificates.crt" actually exists?

OpenSSL is slightly larger but is not giving me any issue so I'm going with that.
PolarSSL has been recently deprecated in favour of mbedtls, but I haven't added support for that library in openwisp-config yet, nor have I tried it.
Haven't tried CyaSSL.

Therefore the best option at the moment is OpenSSL.

Federico

Xavier Maysonnave

Feb 13, 2017, 5:54:05 AM
to OpenWISP
Hi Federico,

Thanks for your feedback on the various SSL libraries.
Yes the ca-certificates.crt exists but I found while searching that some people use a pem file. 
Took that info with caution as it's not quite sure yet as it's not related with my lede 17.01 firmware.
By the way I also use OpenSSL.

Tell me as well if I open a bug report about the escapes I needed to add around the --data parameter content ?

I keep you informed.

Thanks.

Federico Capoano

Feb 13, 2017, 6:11:32 AM
to OpenWISP
Regarding the bug report, I haven't understood very well.

Are you saying that using some characters like a quote in the shared_secret breaks openwisp-config?

Federico

Xavier Maysonnave

Feb 13, 2017, 6:25:37 AM
to OpenWISP
Hi Federico,

in the file /usr/sbin/openwisp_config:

        $($FETCH_COMMAND -i --data '$params' $REGISTRATION_URL > $REGISTRATION_PARAMETERS)
       local exit_code=$?
       # report eventual failures and return
       if [ "$exit_code" != "0" ]; then
               logger -s "Failed to connect to controller during registration: curl exit code $exit_code" \
                      -t openwisp \
                      -p daemon.err
               return 1
       fi

I escaped the $params with quotes -> '$params', otherwise when I run the command manually the command is cut at the first ampersand found and the command is sent to the background.
To avoid this issue I needed to escape the $params.
I think we don't need to escape the $params in the script but at the command line you have to. Not sure if it's a real issue but it doesn't hurt.

Thanks
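
What the shell does with the --data value in each of the cases discussed in this message, as an added example that is not part of the original post or of openwisp-config. show_args stands in for curl, and the parameter values and URL are constructed.

```shell
# Added example: show_args is a stand-in for curl; all values are constructed.
# It prints the argument count followed by each argument in brackets.
show_args() {
    printf '%s' "$#"
    for arg in "$@"; do printf ' [%s]' "$arg"; done
    printf '\n'
}

# Constructed registration body whose secret contains a space.
params='secret=my secret&key=abc123'

# In a script: the expanded value is word-split, but "&" is not re-parsed.
unquoted()      { show_args --data $params; }
# In a script: single quotes stop expansion, so the literal text is sent.
single_quoted() { show_args --data '$params'; }
# In a script: one argument carrying the full expanded value.
double_quoted() { show_args --data "$params"; }

# Typed by hand (eval re-parses the text the way a prompt would): "&" ends
# the command and backgrounds it, so the key and the URL never reach it.
typed_at_prompt() {
    eval 'show_args --data secret=s3cret&key=abc123 https://controller.example/' \
        2>/dev/null || true
    wait
}

for f in unquoted single_quoted double_quoted typed_at_prompt; do
    printf '%-16s %s\n' "$f" "$("$f")"
done
```

Inside a script the "&" in an expanded variable is harmless, but only the double-quoted form keeps a secret containing spaces in one argument. The single-quoted form passes the literal text $params instead of its value.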

Federico Capoano

Feb 13, 2017, 8:04:50 AM
to OpenWISP
Ok, now I understand, thank you for the explanation.

I wouldn't change the code unless there is a bug.

I maintain this philosophy in order to avoid to keep fiddling with the code, which is something I did a lot in the past: I was obsessed with making it perfect but this obsession brought more problems than advantages.

Federico

Xavier Maysonnave

Feb 14, 2017, 3:30:40 AM
to OpenWISP
Hi Federico,

1 - I found the reason why curl was not working. As a reminder I got the following error:
curl: (77) Error reading ca cert file /etc/ssl/certs/ca-certificates.crt - mbedTLS: (-0x3E00) PK - Read/write of file failed
In a previous message you told me that PolarSSL is now deprecated in favour of mbedTLS. I started to investigate why I got mbedTLS as an error while I was supposed to use OpenSSL.
I discovered that by default libcurl has a dependency on mbed TLS. I changed this behaviour and requested a dependency on OpenSSL.
That way I started to get a curl error 60 rather than the 48 I had since the beginning.

2 - I finally got the configuration from the server but to do that I needed to add the parameter -k to curl in /usr/sbin/openwisp_config:
FETCH_COMMAND="curl -k -s --connect-timeout $CONNECT_TIMEOUT --max-time $MAX_TIME --capath $CAPATH"
As the CA is not known to the router it crashes, while after adding the -k everything works as expected.
It sounds to me that if the CA is not generated by default to the router firmware it will always crash.

Thanks

Federico Capoano

Feb 14, 2017, 4:33:25 AM
to Xavier Maysonnave, OpenWISP
Hi Xavier,

That's easy, just set verify_ssl in openwisp-config to 0 and you are ready to go. You didn't need to hardcode that change into the code.

The -k option tells curl to skip the SSL verification according to the list of trusted certificates. Not the most secure thing to do, but good for the short term.

Please read SSL certificate gotchas on ansible-openwisp2.

For the long term I suggest you to setup a valid domain name for your openwisp2 instance (eg: openwisp.myproject.com) and get a valid SSL certificate via letsencrypt. I would like to add the optional possibility to automate this task via ansible-openwisp2, but I can't do this right now because I'm busy working on other features of openwisp2.

I suggest you to read carefully the README of each module you use, it will save you a LOT of time. It will also help me to understand if something is missing or not clear in the docs. As usual, if you have any suggestion to improve the docs please send it here or on github.

Federico


Xavier Maysonnave

Feb 14, 2017, 4:50:21 AM
to OpenWISP
Hi Federico,

Thanks for the trick it does the job.
I agree it's a short term solution.

I was investigating exactly this idea.
- Let's Encrypt gives you a validity of 90 days. There is a tool called certbot which helps to deploy and regenerate the certificates. I love the idea to automate that.
- CACert.org is more flexible but not known as a root CA.

Thanks

Federico Capoano

Feb 14, 2017, 8:41:59 AM
to OpenWISP
Great to know it worked for you.
I knew CaCert but never had a chance to try it and since letsencrypt has become so popular and well documented I already started to think about integrating it.
I created a new issue for this task: https://github.com/openwisp/ansible-openwisp2/issues/7

Federico

Federico Capoano

Feb 15, 2017, 11:36:49 AM
to OpenWISP
I just opened a new thread OpenWISP2 + letsencrypt SSL.

F.

Jon Mitchell

Feb 25, 2017, 9:08:50 AM
to OpenWISP
So I started to see this issue as well.

After removing --ca-certs flag from the curl command in /usr/sbin/openwisp_config I was able to successfully register my LEDE based devices.

I am using a commercial cert on the openwisp2 server.

Federico Capoano

Feb 27, 2017, 4:04:58 AM
to OpenWISP
Hi Jon,

strange, this seems different than the issue Xavier was having. Could you give us a bit more background about the bug so we can try to replicate it? Short answers to these questions would be useful:
  • What errors did you get in the log?
  • Is the SSL signed by a trusted CA whose signature is present in the certificates published in the openwrt package "ca-certificates"?
  • What version of LEDE are you using? 17.01 or trunk?
I do not like that users have to modify the source code of the package. If there's a bug I want to fix it, if it's a misconfiguration I want to add a big warning in the docs about this possibility.

Thank you for reporting.
Federico

Federico Capoano

Mar 1, 2017, 11:26:30 AM
to OpenWISP
I tested openwisp-config on LEDE 17 and just found out the cause of this issue Jon is describing.

On LEDE 17, curl is compiled by default in a way that disables support for the capath argument.

The workaround we are applying is to explicitly compile curl with openssl so that the capath is accepted  (as it was before).

We add this in our lede .config file:

CONFIG_LIBCURL_OPENSSL=y

We are updating the ansible imagegenerator role in order to add compatibility with LEDE 17, you can see the development branch at:

Xavier Maysonnave

Mar 1, 2017, 10:55:43 PM
to OpenWISP
Hi Federico,

Thanks for this feedback.
I suppose that is why I got rid of this problem, as I explicitly required curl to be in dependency with openssl, thus compiling LEDE the proper way and solving my curl code 48.
Am I right?

Thanks

Federico Capoano

Mar 2, 2017, 4:09:40 AM
to OpenWISP
Yes, I confirm that.

The solution is not optimal unfortunately because it means openwisp-config cannot be used with mbedtls or cyassl and some people do not like to use openssl because it's 500kb more than mbedtls or cyassl.

I don't know what to do at the moment. I will stick to openssl because it requires less work for me as my time is very limited and the list of things to do is huge.

Federico

Federico Capoano

Mar 2, 2017, 4:28:02 AM
to OpenWISP
I have created an issue for this bug in the openwisp-config repository: https://github.com/openwisp/openwisp-config/issues/27
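
One way an agent could cope with a libcurl build that rejects --capath (curl exit code 48) while keeping certificate verification on, following the diagnosis in the messages above. This is an added example, not the change made in openwisp-config; fetch() and the CURL override are hypothetical, and the variable names mirror the UCI options shown in this thread.

```shell
# Added example, not openwisp-config code. fetch() and CURL are hypothetical;
# the defaults below are the values shown in this thread's UCI output.
CURL=${CURL:-curl}
VERIFY_SSL=${VERIFY_SSL:-1}
CONNECT_TIMEOUT=${CONNECT_TIMEOUT:-15}
MAX_TIME=${MAX_TIME:-30}
CAPATH=${CAPATH:-/etc/ssl/certs}

# fetch URL: GET the URL, tolerating curl builds that reject --capath.
fetch() {
    url=$1
    set -- -s --connect-timeout "$CONNECT_TIMEOUT" --max-time "$MAX_TIME"
    if [ "$VERIFY_SSL" = "0" ]; then
        # Only when the operator set verify_ssl to 0; never added as a fallback.
        set -- "$@" -k
    fi
    rc=0
    "$CURL" "$@" --capath "$CAPATH" "$url" || rc=$?
    if [ "$rc" -eq 48 ]; then
        # CURLE_UNKNOWN_OPTION. Assumption: --capath is the rejected option,
        # as it is the only TLS-backend-dependent option passed here.
        # Retry without it; verification stays on and uses curl's default
        # CA bundle, so an untrusted certificate still fails (exit code 60).
        printf '%s\n' "curl rejected --capath, retrying without it" >&2
        rc=0
        "$CURL" "$@" "$url" || rc=$?
    fi
    return "$rc"
}
```

Exit codes other than 48 are returned unchanged, so a certificate error is reported to the caller instead of being hidden by a retry.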

Alvaro Mendez

Mar 15, 2017, 9:54:29 AM
to OpenWISP
I have the same problem; I followed this conversation but do not have any solution.

I uninstalled openwisp-config-openssl and then installed openwisp-config-mbedtls but got the same results:

Wed Mar 15 13:49:39 2017 daemon.info openwisp: OpenWISP config agent started
Wed Mar 15 13:49:39 2017 daemon.err openwisp: Failed to connect to controller while getting checksum: curl exit code 48

Then I ran curl manually:

root@LEDE:/etc/config# curl -k https://132.148.88.35/controller/register

and on the controller server I got:


[pid: 12574|app: 0|req: 237/320] 200.29.159.194 () {36 vars in 443 bytes} [Wed Mar 15 13:49:58 2017] GET /controller/register => generated 0 bytes in 2 msecs (HTTP/1.1 301) 3 headers in 136 bytes (1 switches on )

Some other information here:

root@LEDE:/etc/config# uci show openwisp
openwisp.http=controller
openwisp.http.url='https://132.148.88.35/'
openwisp.http.interval='120'
openwisp.http.verify_ssl='0'
openwisp.http.shared_secret='354R$543##'
openwisp.http.consistent_key='1'
openwisp.http.mac_interface='eth0'
openwisp.http.merge_config='1'
openwisp.http.test_config='1'
openwisp.http.test_script='/usr/sbin/mytest'
openwisp.http.uuid='reweterwe'
openwisp.http.key='erwerwerwe'
openwisp.http.unmanaged='system.@led' 'network.loopback' 'network.@switch' 'network.@switch_vlan'
openwisp.http.connect_timeout='15'
openwisp.http.max_time='30'
openwisp.http.capath='/etc/ssl/certs'


root@LEDE:/etc/config# openwisp_config --version
openwisp-config 0.4.5

Federico Capoano

Mar 15, 2017, 9:57:36 AM
to OpenWISP
You must compile curl with openssl by adding this line into your .config file:

CONFIG_LIBCURL_OPENSSL=y

Alternatively, you may want to read this issue and try to patch openwisp-config:

I explained the proposed solution in the issue but I don't have time to work on it right now.

Federico

Federico Capoano

Mar 16, 2017, 11:50:56 AM
to OpenWISP
I pushed some changes to openwisp-config that should have fixed this annoying problem.

So the latest openwisp-config (unreleased) version taken from github should work also with the default LEDE installation which has curl compiled with mbedtls.

If anyone finds any issue related to this problem even after having upgraded to this latest version, please let me know by reopening issue #27 on github.

Federico