Constant restarting of opscode-erchef – bad gateway

I freshly installed Chef Server 12.7.0 on Ubuntu 16.04 LTS, and opscode-erchef kept getting restarted approximately every 40 seconds, and I was getting a Bad Gateway error.

I checked the logs but unfortunately couldn’t conclude anything from them. I found this open issue with Chef: https://github.com/chef/chef-server/issues/435

Cleansing and reconfiguring the server made everything work. Note that cleanse wipes all Chef Server data and configuration, which is acceptable on a fresh install:

$ chef-server-ctl cleanse
$ chef-server-ctl reconfigure

 


Enable TLSv1.2 in CLM6 and LibertyProfile

By default, only TLSv1 is enabled on Liberty Profile. Check by scanning the port:

nmap --script ssl-enum-ciphers -p 9443 <hostname>

Starting Nmap 6.49BETA5 ( https://nmap.org ) at
Nmap scan report for fqdn.com (IP address)
Host is up (0.13s latency).
PORT     STATE SERVICE
9443/tcp open  tungsten-https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds

Edit the following files to enable TLSv1.2:
1. <JazzInstallationDir>/server/server.startup:

…Dcom.ibm.java.diagnostics.healthcenter.agent.port=1972"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2"

Save and exit the file

2. <JazzInstallationDir>/server/liberty/servers/clm/server.xml:

<logging hideMessage="SRVE9967W"/>

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2" />

</server>

Save and exit the file

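Start the CLM server again and test the protocols. TLSv1.1 and TLSv1.2 are now offered in addition to TLSv1.0, and the 3DES and 1024-bit DH suites remain, so the least strength is still D:

nmap --script ssl-enum-ciphers -p 9443 <hostname>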

Starting Nmap 6.49BETA5 ( https://nmap.org ) at
Nmap scan report for fqdn.com (IP address)
Host is up (0.13s latency).
PORT     STATE SERVICE
9443/tcp open  tungsten-https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
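
To turn scans like the two above into a repeatable check, the following added example (not part of the original post) parses ssl-enum-ciphers text output and lists the legacy protocols and weak suites still offered. The function names, the 2048-bit DH threshold and the sample text are assumptions made for this example.

```python
import re

# Cipher line from ssl-enum-ciphers: "NAME (kex bits) - GRADE"; a pasted en dash also matches.
CIPHER_RE = re.compile(r"(TLS_\w+) \((\w+)(?: (\d+))?\)\s+[-\u2013]\s+([A-F])")
PROTO_RE = re.compile(r"((?:TLS|SSL)v[\d.]+):\s*$")
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_DH_BITS = 2048  # assumed review threshold, not a value from the post

def parse_scan(text):
    """Return {protocol: [(suite, kex, bits, grade), ...]} from the script output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.lstrip("|_ \t")  # drop nmap's tree prefix
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            bits = int(m.group(3)) if m.group(3) else None
            result[current].append((m.group(1), m.group(2), bits, m.group(4)))
    return result

def findings(scan):
    """List what a hardening review would flag in a parsed scan."""
    out = []
    for proto, suites in scan.items():
        if proto in LEGACY:
            out.append(f"{proto}: legacy protocol still offered")
        for suite, kex, bits, grade in suites:
            if grade != "A":
                out.append(f"{proto}: {suite} graded {grade}")
            elif kex == "dh" and bits and bits < MIN_DH_BITS:
                out.append(f"{proto}: {suite} uses {bits}-bit DH")
    return out

# Constructed sample, abbreviated from the post-change scan above.
SAMPLE = """\
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|_  least strength: D
"""
if __name__ == "__main__":
    print("\n".join(findings(parse_scan(SAMPLE))))
```

An empty findings list after a configuration change means only non-legacy protocols with A-graded suites were reported.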

Modify Ubuntu ens network interface card to eth0

  1. Display the current interface cards and verify that eth0 doesn't exist:
    ifconfig -a
  2. Edit the GRUB configuration file to disable the new naming convention:
    vim /etc/default/grub
  3. Look for GRUB_CMDLINE_LINUX= and add net.ifnames=0 biosdevname=0 to it:
    From:
    GRUB_CMDLINE_LINUX=""
    To:
    GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
  4. Save and exit the file
  5. Reload grub config file:
    update-grub
  6. Edit interfaces file
    vim /etc/network/interfaces
    From:
    # The primary network interface
    auto ens16
    iface ens16 inet dhcp
    To:
    # The primary network interface
    auto eth0
    iface eth0 inet dhcp
  7. Reboot your machine/Restart networking service

 

Reference:
https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/