[BlueOnyx:22351] Re: sysetmctl dbus errors after automatic updates
Michael Stauber
mstauber at blueonyx.it
Wed Aug 22 17:17:06 -05 2018
Hi Janwillem,

> Ticket sent

Thank you. It's an interesting problem that I haven't yet seen before.

As mentioned earlier:

/usr/sausalito/swatch/bin/am_nginx.pl makes an HTTPS connection to the
FQDN of your server and examines the HEAD request results. It looks like
this when I run the CURL-equivalent of this on one of my 5209Rs:

    ~]# curl -i -I -k https://sol.smd.net
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 22 Aug 2018 22:52:15 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: http://sol.smd.net:444/
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block

So we get a "301 Moved Permanently", but the Perl Script is fully
expecting that and treats it as OK. After all: We got a "good" response
and not a 403, 404, or 5XX message.

On your server the CURL request looks exactly the same (aside from the
URLs) and we get the same "301 Moved Permanently".

But: On your server the Perl module LWP::UserAgent reports this back:

    500 Server closed connection without sending any data back

The Nginx error log has some further hints:

    SSL_do_handshake() failed (SSL: error:1417D102:SSL
    routines:tls_process_client_hello:unsupported protocol) while SSL
    handshaking, client: X.X.X.X, server: 0.0.0.0:443

I replaced your server's IP with X.X.X.X here.

So your LWP::UserAgent Perl module has problems talking to your Nginx
via TLSv1.2 and doesn't support either the protocol or ciphers that
Nginx uses.

But: You're using the "stock" protocols and ciphers that the BlueOnyx
5209R Nginx uses: /etc/nginx/ssl_proto_chiffres.conf

I tried to verify your Perl module installation and it looks good. I
even once pointed your script to one of my 5209R's with Nginx running to
see if it would throw an SSL error as well. Nope, it didn't:

    ]# /usr/sausalito/swatch/bin/am_nginx.pl
    200 OK (FQDN = sol.smd.net)

I don't know what's the problem without digging a lot further. So
instead I just modified the script so that (instead of using
LWP::UserAgent) it now uses this to check if Nginx is running:

    $service_status = system("/sbin/service nginx status > /dev/null 2>&1") == 0 ? 1 : 0;

    # Early return, because: 'It's dead, Jim!'
    if ($service_status eq '0') {
        return 0;
    }
    else {
        return 1;
    }

That works fine as well. It will now restart your Nginx only if Systemd
reports the service as dead or failed.

--
With best regards
Michael Stauber
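
The distinction the post turns on, a 500 produced by LWP::UserAgent itself versus a status actually sent by Nginx, can be made explicit in a monitor. The following is an added example, not part of the original post or of am_nginx.pl; classify() and the sample responses are constructed for illustration, and it assumes the failed handshake carried LWP's documented "Client-Warning: Internal response" header.

```perl
#!/usr/bin/perl
# Added example, not the BlueOnyx am_nginx.pl code.
use strict;
use warnings;
use HTTP::Response;

# Classify the result of a monitoring HEAD request:
#   up             - the web server answered with a 2XX or 3XX status
#   http_error     - the web server answered with a 4XX or 5XX status
#   client_failure - LWP::UserAgent generated the response itself
sub classify {
    my ($res) = @_;
    # LWP marks responses it synthesized (connect error, failed TLS
    # handshake, timeout) with "Client-Warning: Internal response".
    my $warning = $res->header('Client-Warning') // '';
    return 'client_failure' if $warning eq 'Internal response';
    return 'up' if $res->is_success || $res->is_redirect;
    return 'http_error';
}

# Constructed sample responses modelled on the two results in the post
# (the Client-Warning header on the second one is an assumption), plus a
# genuine server-side error for contrast.
my @samples = (
    HTTP::Response->new(301, 'Moved Permanently', [ Server => 'nginx' ]),
    HTTP::Response->new(500,
        'Server closed connection without sending any data back',
        [ 'Client-Warning' => 'Internal response' ]),
    HTTP::Response->new(502, 'Bad Gateway', [ Server => 'nginx' ]),
);

for my $res (@samples) {
    printf "%-14s %s\n", classify($res), $res->status_line;
}

# Report the client-side TLS stack, the first thing to compare between a
# host where the handshake works and one where it fails.
for my $mod (qw(LWP::UserAgent LWP::Protocol::https IO::Socket::SSL Net::SSLeay)) {
    (my $file = "$mod.pm") =~ s{::}{/}g;
    my $version = eval { require $file; $mod->VERSION } // 'not installed';
    print "$mod $version\n";
}
```

A monitor that restarts the service only on http_error, and merely logs client_failure, would not bounce a healthy Nginx because of a broken TLS client on the monitoring side.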