LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 09-20-2019, 09:34 PM   #1
james000
Member
 
Registered: Sep 2018
Posts: 143

curl is not able to get response, RHEL 7.2


Hi,

I have two RHEL 7.2 servers and am running the command below. Though both servers are built in a similar way, one server gets the curl output with the required token, and the other does not.
In the output below, auth.lb.pre.vuspoint.com is a load balancer and I can ping it from this server. This LB points to two backend servers, which have the tokens. The command below (which fails on this server but works on the other) is supposed to get a token from either of those backend servers.
Code:
[root@serv-portal3 ~]# curl -k --location --request POST "https://auth.lb.pre.vuspoint.com/auth/realms/PRE-REALM/protocol/openid-connect/token" --header "Content-Type: application/x-www-form-urlencoded" --data "client_secret=fd68ddbf-5740-4912-b714-1aaeb453fafc&grant_type=password&client_id=snapshotui_1.1&username=snapshotmpctestuser&password=snapshotmpc"
curl: (35) TCP connection reset by peer
[root@serv-portal3 ~]#
[root@serv-portal3 ~]# curl -v  -k --location --request POST "https://auth.lb.pre.vuspoint.com/auth/realms/PRE-REALM/protocol/openid-connect/token" --header "Content-Type: application/x-www-form-urlencoded" --data "client_secret=fd68ddbf-5740-4912-b714-1aaeb453fafc&grant_type=password&client_id=snapshotui_1.1&username=snapshotmpctestuser&password=snapshotmpc"
* About to connect() to auth.lb.pre.vuspoint.com port 443 (#0)
*   Trying 172.30.74.73...
* Connected to auth.lb.pre.vuspoint.com (172.30.74.73) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
[root@serv-portal3 ~]#
[root@serv-portal3 ~]# openssl s_client -connect auth.lb.pre.vuspoint.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@serv-portal3 ~]#
There is no firewall between this server and the load balancer, nor between the load balancer and the servers it points to. The network team says it is a server issue and that things are working fine on their end, though I don't always believe that. But the output above is not sufficient to prove whether it is a network-side issue.

Please suggest what I am missing and what should be checked.

Thanks
 
Old 09-20-2019, 11:55 PM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

I am almost certain you don't get this on the other server:
Code:
NSS error -5961 (PR_CONNECT_RESET_ERROR)
Since my knowledge in the area of certificates and https is at an embarrassing level, I will leave it up to you to use this error message. DuckDuckGo produces some results. Quite likely, your two local servers have different certificate/keyring/key-infrastructure/cryptography setups.

Have you done the same test, verbose curl and openssl, on the functioning server?
 
Old 09-21-2019, 12:05 AM   #3
james000
Member
 
Registered: Sep 2018
Posts: 143

Original Poster
Yes, on the functioning one it is working fine:
Code:
[root@working-portal3 ~]# openssl s_client -connect auth.lb.pre.vuspoint.com:443
CONNECTED(00000003)
depth=0 C = US, ST = Oregon, L = Portland, O = TeleOrg Systems Inc, OU = SST, CN = *.vuspoint.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Oregon, L = Portland, O = TeleOrg Systems Inc, OU = SST, CN = *.vuspoint.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = Oregon, L = Portland, O = TeleOrg Systems Inc, OU = SST, CN = *.vuspoint.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Oregon/L=Portland/O=TeleOrg Systems Inc/OU=SST/CN=*.vuspoint.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Oregon/L=Portland/O=TeleOrg Systems Inc/OU=SST/CN=*.vuspoint.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2308 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5D856DA46B3801A0A5B8EEB0FF91F56600722171518F32F3005523739CC14E2E
    Session-ID-ctx:
    Master-Key: 92BBC6179C252561502EBE7A0617BB4BEE7088B77A2D6C2D4D3383BB7CA93E7BCB6C7E3FEF0902B3C7221912DE87CB26
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1569025444
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
From a network point of view, both the working and the non-working server reach the destination, as below:
Code:
[root@working-portal3 ~]# ping -c 1 auth.lb.pre.vuspoint.com
PING auth.lb.pre.vuspoint.com (172.30.74.73) 56(84) bytes of data.
64 bytes from 172.30.74.73: icmp_seq=1 ttl=250 time=1.50 ms

--- auth.lb.pre.vuspoint.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.505/1.505/1.505/0.000 ms
[root@working-portal3 ~]# mtr -r -n -c 1 auth.lb.pre.vuspoint.com
Start: Fri Sep 20 20:42:48 2019
HOST: working-portal3               Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 172.30.138.129             0.0%     1    0.1   0.1   0.1   0.1   0.0
  2.|-- 172.30.138.65              0.0%     1    0.5   0.5   0.5   0.5   0.0
  3.|-- 172.30.2.3                 0.0%     1    0.9   0.9   0.9   0.9   0.0
  4.|-- 172.30.0.1                 0.0%     1    1.1   1.1   1.1   1.1   0.0
  5.|-- 172.30.1.100               0.0%     1    1.4   1.4   1.4   1.4   0.0
  6.|-- 172.30.74.73               0.0%     1    1.6   1.6   1.6   1.6   0.0
[root@working-portal3 ~]# nmap -sV -p 443 auth.lb.pre.vuspoint.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-20 20:43 PDT
Nmap scan report for auth.lb.pre.vuspoint.com (172.30.74.73)
Host is up (0.0018s latency).
PORT    STATE SERVICE VERSION
443/tcp open  https?

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.80 seconds
[root@working-portal3 ~]#

=======================
[root@serv-portal3 ~]# ping -c 1 auth.lb.pre.vuspoint.com
PING auth.lb.pre.vuspoint.com (172.30.74.73) 56(84) bytes of data.
64 bytes from 172.30.74.73: icmp_seq=1 ttl=255 time=0.092 ms

--- auth.lb.pre.vuspoint.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.092/0.092/0.092/0.000 ms
[root@serv-portal3 ~]# mtr -r -n -c 1 auth.lb.pre.vuspoint.com
Start: Fri Sep 20 20:42:15 2019
HOST: serv-portal3               Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 172.30.74.73               0.0%     1    0.2   0.2   0.2   0.2   0.0
[root@serv-portal3 ~]# nmap -sV -p 443 auth.lb.pre.vuspoint.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-20 20:42 PDT
Nmap scan report for auth.lb.pre.vuspoint.com (172.30.74.73)
Host is up (0.00012s latency).
PORT    STATE SERVICE VERSION
443/tcp open  https?

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.66 seconds
[root@serv-portal3 ~]#
 
Old 09-21-2019, 04:36 AM   #4
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

A little more searching (for "openssl s_client 104") turns up suggestions like different openssl versions, that you should use TLS anyway, or that you might be behind a firewall.

I would also trace and analyze the network traffic on both connections. There must be a difference.

Last edited by berndbausch; 09-21-2019 at 04:36 AM. Reason: typo
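As an added example (not from any poster in this thread), the following Python probe performs the same connection in labelled stages, DNS resolution, TCP connect, TLS handshake and certificate verification, so that curl's "TCP connection reset by peer" or s_client's write:errno=104 becomes a stage name with the resolved address recorded alongside it; running it on both hosts gives output that can be compared field by field before taking the question to the network team. The demo_reset_server helper is a constructed localhost stand-in for a peer that resets the connection after the ClientHello, so the reset path can be exercised offline; the hostname and port passed on the command line are assumptions.

```python
"""Staged TLS probe (added example, not from the thread).

curl reports only "TCP connection reset by peer"; this probe separates the
stages so the same check run on two hosts yields a comparable, labelled result.
"""
import errno
import socket
import ssl
import struct
import threading


def probe_tls(host, port=443, timeout=5.0, verify=True):
    """Connect to host:port step by step and report the stage reached."""
    result = {"host": host, "port": port, "stage": None, "detail": None}

    # Stage 1: name resolution. The address is recorded so that two hosts
    # resolving the same name differently show up in the comparison.
    try:
        family, _, _, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        result.update(stage="dns_failed", detail=str(exc))
        return result
    result["address"] = sockaddr[0]

    # Stage 2: plain TCP connect, no TLS yet.
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError as exc:
        sock.close()
        result.update(stage="tcp_connect_failed",
                      detail=errno.errorcode.get(exc.errno, str(exc)))
        return result

    # Stage 3/4: TLS handshake, with or without chain verification.
    ctx = ssl.create_default_context()
    if not verify:                      # the equivalent of curl -k / s_client
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    tls = None
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host,
                              do_handshake_on_connect=False)
        tls.do_handshake()
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached the certificate but the chain did not verify.
        result.update(stage="cert_verify_failed", detail=exc.verify_message)
    except ssl.SSLEOFError:
        # Peer closed cleanly (FIN) before the handshake finished.
        result.update(stage="closed_during_handshake", detail="EOF")
    except ssl.SSLError as exc:
        # A TLS-level alert or protocol error, e.g. no shared cipher.
        result.update(stage="tls_protocol_error", detail=exc.reason)
    except (ConnectionResetError, BrokenPipeError) as exc:
        # Peer (or a middlebox) sent RST: the thread's errno=104 case.
        result.update(stage="reset_during_handshake",
                      detail=errno.errorcode.get(exc.errno, str(exc)))
    except socket.timeout:
        result.update(stage="handshake_timeout", detail="no reply")
    except OSError as exc:
        result.update(stage="io_error", detail=str(exc))
    else:
        result.update(stage="handshake_ok", detail=tls.version(),
                      cipher=tls.cipher()[0])
    finally:
        (tls or sock).close()
    return result


def demo_reset_server():
    """Constructed localhost peer: accepts, waits for the ClientHello, then
    closes with SO_LINGER zero so the kernel emits RST instead of FIN.
    Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.recv(1)                    # ensure the client already sent
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
            conn.close()                    # -> RST to the client

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a localhost port with nothing listening (for the refused case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # e.g. probe.py auth.lb.example.test 443
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe_tls(sys.argv[1], port, verify=False))
    else:                       # offline demonstration of two failure stages
        print(probe_tls("127.0.0.1", demo_reset_server(), verify=False))
        print(probe_tls("127.0.0.1", unused_port()))
```

Run it with the same hostname on both servers and diff the two dicts: a differing "address" points at name resolution, "tcp_connect_failed" at routing or a listener, and "reset_during_handshake" after a successful connect at whatever is terminating the TLS session or sitting in the path, which is the case the thread shows.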