[BUG] salt-master not running, unable to read key master.pem #57710
Comments
Just for my understanding: did you upgrade to 3001 and see this error, or did you upgrade to Ubuntu 16 from 14? If it's the upgrade to 16, did you reinstall all Ubuntu packages afterwards?
The server has been upgraded to 16.04 for some time now.. upgrade to 3001 happened while on 16.04.. As far as I can see in my apt log, the following tried to update last night, and failed:
However, there is nothing pending when I run apt update, apt upgrade or apt dist-upgrade now.
Checking some of the failed packages tells me that they are indeed installed, and with correct versions:
Could you backup
That did the trick.. I did however need to do this on around 70 minions.. But it is up and running again
Hey @rj-dsl are we able to close this issue? It looks like you're good to go, but sorry about the manual effort required ...
yes, sorry :)
Having the same issues after upgrading from 3000.3+ds-1 to 3001+ds-1 on Ubuntu Server 18.04 LTS. The master keys were not changed for 7 years. Is there any other solution except regenerate the master keys? It's not always easy to copy the new public key over to all minions through a separate channel… Thanks!
For people trying to get back to previous versions… It's not enough to downgrade to 3000.3, e.g. with:
You'll also have to purge
I have a similar setup - 16.04 with old master keys, going from 3000 to 3001. I am not looking forward to manually re-accepting keys on 2000 servers. This should be in the release notes.
Definitely not fun, but at least the master public key being a mismatch is not a hard error. Meaning the minion won't die and will retry, so you can do something like:
The issue will come from any minions that aren't connected or fail to restart, of which there will certainly be in big installs. At least you don't have to go around restarting all minions OOB though.
Hello. This is only for the record since I hit the same issue. My problem comes from pycryptodome consistency check:

```
>>> from Cryptodome.PublicKey import RSA
>>> path = '/etc/salt/pki/master/master.pem'
>>> key_fh = open(path)
>>> RSA.importKey(key_fh.read())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/Cryptodome/PublicKey/RSA.py", line 727, in import_key
    return _import_keyDER(der, passphrase)
  File "/usr/lib/python3/dist-packages/Cryptodome/PublicKey/RSA.py", line 670, in _import_keyDER
    raise ValueError("RSA key format is not supported")
ValueError: RSA key format is not supported
```

I bypass this issue by installing the preferred M2Crypto library which does not trigger this issue:

```
>>> from M2Crypto import RSA
>>> path = '/etc/salt/pki/master/master.pem'
>>> RSA.load_key(path)
<M2Crypto.RSA.RSA object at 0x7fd2a03f3c88>
```
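Added example, not part of the thread or of Salt's code: a pre-upgrade check that repeats the two sessions above for any key file and reports which RSA backend can parse it. The function names and the exit-code convention are assumptions made for this sketch; the default path is the one quoted in the thread.

```python
import sys

DEFAULT_KEY = "/etc/salt/pki/master/master.pem"  # path quoted in the thread


def try_cryptodome(path):
    """Parse the key with pycryptodome, as in the failing session above."""
    try:
        from Cryptodome.PublicKey import RSA
    except ImportError:
        return "not installed"
    try:
        with open(path, "rb") as fh:
            RSA.import_key(fh.read())
    except (OSError, ValueError, IndexError, TypeError) as exc:
        return "unreadable: %s" % exc
    return "ok"


def try_m2crypto(path):
    """Parse the key with M2Crypto, as in the working session above."""
    try:
        from M2Crypto import RSA
    except ImportError:
        return "not installed"
    try:
        # Empty-passphrase callback: an encrypted key fails instead of prompting.
        RSA.load_key(path, callback=lambda *args: b"")
    except Exception as exc:  # M2Crypto raises its own error types
        return "unreadable: %s" % exc
    return "ok"


def check_key(path):
    return {"Cryptodome": try_cryptodome(path), "M2Crypto": try_m2crypto(path)}


def needs_attention(result):
    """True when no installed backend can read the key."""
    return not any(status == "ok" for status in result.values())


if __name__ == "__main__":
    exit_code = 0
    for key_path in sys.argv[1:] or [DEFAULT_KEY]:
        result = check_key(key_path)
        print(key_path, result)
        exit_code |= needs_attention(result)
    sys.exit(exit_code)
```

Run it as a user that can read the key, on the master and on a sample of minions, before upgrading; a non-zero exit means no installed backend could read at least one of the files given.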
Thanks to @baby-gnu that also worked for me. Installed M2Crypto 0.38.0 and then upgraded to the latest salt
Description
Salt-master refused to start after reboot, citing
Unable to read key: /etc/salt/pki/master/master.pem; passphrase may be incorrect
as the issue

Setup
Running on Ubuntu 16.04 that has been updated from 14.04 quite a while ago.. Upstart is installed along systemd, service has been running fine for a few years like this.
Steps to Reproduce the behavior
salt-master debug:
Expected behavior
That it works :/
Versions Report
salt --versions-report