This closes #256
tbouron committed Jun 5, 2018
2 parents e066c9c + 4219028 commit 9bf6a18bca84003e634043024b2961379c301f99
Showing 3 changed files with 29 additions and 4 deletions.
@@ -104,8 +104,8 @@ example, execute `sudo iptables -n --list` and `iptables -t nat -n --list`.
## Cloud firewalls
Some clouds offer a firewall service, where ports need to be explicitly listed to be reachable.

For example, [security groups for EC2-classic]
(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#ec2-classic-security-groups)
For example,
[security groups for AWS EC2](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)
have rules for the protocols and ports to be reachable from specific CIDRs.

Check these settings via the cloud provider's web-console (or API).
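Review bot: the rewritten link in this hunk still points at `http://docs.aws.amazon.com/...`; the AWS documentation is served over HTTPS, so use `https://` here, both for the reader's safety and so the page does not mix schemes. The change itself is an improvement: the old `[security groups for EC2-classic]` text and its `(http://...)` target were split across two lines, which Markdown does not render as a link, and the new single-line form fixes that.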
@@ -189,3 +189,27 @@ traffic filtering such as child-safe type filtering:

To resolve this try disabling traffic filtering and setting your DNS to a public server such as 8.8.8.8 to use google
[DNS](https://www.wikiwand.com/en/Google_Public_DNS). [See here](https://developers.google.com/speed/public-dns/docs/using) for details on how to configure this.


## Download with Curl Fails on CentOS 7.0 due to TLS Negotiation

When downloading an install artifact with Curl, using CentOS 7.0, one can get the failure shown below:

curl: (35) Peer reports incompatible or unsupported protocol version.

This can be caused by incompatible TLS negotiation with the web server (e.g. with github). For more details, see
[Red Hat bug 1170339, "use the default min/max TLS version provided by NSS [RHEL-7]"](https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1170339).

To confirm this is the issue, try running the failing curl command on the same machine with `curl -v` for verbose output.
You should see a more detailed error such as:

NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
Cannot communicate securely with peer: no common encryption algorithm(s).
Closing connection 1

Possible workarounds include:

1. Use a more recent version of CentOS. On AWS, a good choice is the most recent centos.org image from the
[AWS marketplace](https://aws.amazon.com/marketplace/pp/B00O7WM7QW). However, this involves first subscribing to it in the marketplace. The Amazon Linux AMI is another good choice, but this is not a normal CentOS image so it depends what distro(s) the entity was developed/tested against.

2. Change your blueprint to first do `sudo yum update -y curl nss`, before the curl command is executed.
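Review bot: the two error transcripts in this hunk, `curl: (35) Peer reports incompatible or unsupported protocol version.` and the three `NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)` lines, are written as bare paragraphs, so Markdown will render them as running prose (the underscores in `SSL_ERROR_NO_CYPHER_OVERLAP` may even be interpreted as emphasis); indent them or wrap them in a fenced code block. Workaround 2 (`sudo yum update -y curl nss`) is consistent with the linked Red Hat bug, which is about the NSS default min/max TLS version, but it would help the reader to say so explicitly, since a plain `yum update` of two packages otherwise reads as a generic fix.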
@@ -40,8 +40,9 @@ in the run directory (such as console output).
It is worth checking that the process is running, e.g. using `ps aux` to look for the desired process.
Some entities also write the pid of the process to `pid.txt` in the run directory.

It is also worth checking if the required port is accessible. This is discussed in the guide
"Troubleshooting Server Connectivity Issues in the Cloud", including listing the ports in use:
It is also worth checking if the required port is accessible. This is discussed in the troubleshooting guide
[Server Connectivity]({{book.path.docs}}/ops/troubleshooting/connectivity.md),
including listing the ports in use:
execute `netstat -antp` (or on OS X `netstat -antp TCP`) to list the TCP ports in use (or use
`-anup` for UDP).
