
Symptoms

Certificate/key pairs can no longer be imported into the server, and the certificate check output looks like this:

== Setup =======================================================================
 ==== setting up work directory... ok
 ==== setting up environment... ok
 ==== starting server.../tmp/certificates_check_o2g5S6 /data/bin
 /data/bin
 ok
 ==== waiting for server to be up.... ok
 == Test 1: connection and certificate validation ===============================
 getaddrinfo: Name or service not known
 Using default temp DH parameters
 ACCEPT
 0 items in the session cache
 0 client connects (SSL_connect())
 0 client renegotiates (SSL_connect())
 0 client connects that finished
 0 server accepts (SSL_accept())
 0 server renegotiates (SSL_accept())
 0 server accepts that finished
 0 session cache hits
 0 session cache misses
 0 session cache timeouts
 0 callback cache hits
 0 cache full overflows (128 allowed)
 socket: Connection refused
 connect:errno=22
 openssl s_client exited with code 1
 ==== Test 1 FAILED
 == Test 2: data transfer =======================================================
 curl: (7) couldn't connect to host
 curl exited with code 7
 cmp: EOF on /tmp/certificates_check_o2g5S6/test_1.out
 ==== Test 2 FAILED
 == Cleanup =====================================================================
 ==== stopping server... ok
 data transfer error
 ==== stopping background jobs... ok
 ==== removing work directory... ok

Cause

An OpenSSL function used to check for certificate validity erroneously requires IPv6 to be enabled on the loopback interface. Check whether IPv6 is enabled by running the ip addr ls command; if IPv6 is enabled, the output will look like this:

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
...

On the other hand, if IPv6 is disabled, the output of ip addr ls will look like this:

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
...

In this case, certificate validation will always fail, and you will need to apply the workaround.
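The check above can be scripted as a pre-flight test before importing a certificate. The following is an added example, not part of the product or of the original article: the function names lo_has_ipv6 and preflight and the sample data are assumptions made for illustration. It looks only at the lo block, because an inet6 address on another interface does not help.

```sh
#!/bin/sh
# Added example: decide from `ip addr ls` output whether the loopback
# interface has ::1, which the certificate check needs (see Cause).

# Reads `ip addr ls` output on stdin; succeeds only if the lo block
# contains an inet6 ::1 address.
lo_has_ipv6() {
    awk '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }   # new interface block
        iface == "lo" && $1 == "inet6" && $2 ~ /^::1\// { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Same input; prints a one-line verdict and returns non-zero on failure.
preflight() {
    if lo_has_ipv6; then
        echo "OK: ::1 present on lo"
    else
        echo "FAIL: no ::1 on lo, certificate check will fail"
        return 1
    fi
}

# Constructed sample input, modelled on the two outputs shown above.
SAMPLE_ENABLED='1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever'

# Constructed: lo without IPv6, plus a second interface (eth0, hypothetical)
# that does have an inet6 address. A plain `grep inet6` would wrongly pass.
SAMPLE_DISABLED='1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0:  mtu 1500 qdisc pfifo_fast state UP
    inet 192.0.2.10/24 scope global eth0
    inet6 fe80::1/64 scope link'

# Live use on the server: run this script with --live.
if [ "${1:-}" = "--live" ]; then
    ip addr ls | preflight
fi
```

If the verdict is FAIL, apply the workaround below before retrying the import.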

Workaround

Re-enable IPv6 on the server and reboot it.

Resolution

None yet.
