tang
Tang server does not deliver keys
I have installed tang on Ubuntu 22.04 LTS. I changed the port to 7500:

systemctl show tangd.socket -p Listen
Listen=[::]:7500 (Stream)

tangd.socket - Tang Server socket
     Loaded: loaded (/lib/systemd/system/tangd.socket; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/tangd.socket.d
             └─port.conf
     Active: active (listening) since Sat 2022-11-12 21:12:47 CET; 44min ago
   Triggers: ● [email protected]:7500-127.0.0.1:58504.service
             ● [email protected]:7500-127.0.0.1:59830.service
     Listen: [::]:7500 (Stream)
   Accepted: 14; Connected: 0;
      Tasks: 0 (limit: 35918)
     Memory: 4.0K
        CPU: 9ms
     CGroup: /system.slice/tangd.socket
If I try the following:

tang-show-keys 7500

the result is this:

curl: (56) Recv failure: Connection reset by peer

I deactivated the firewall for test purposes, but that makes no difference. And it should not matter, since this is a request on the same host.
Can you please execute the next command and paste the output?

curl http://localhost:7500/adv
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (56) Recv failure: Connection reset by peer

It's the same on two different servers running Ubuntu 22.04.
Sorry, I can not figure out what the problem is.
Which clevis version are you using? How did you change the port number that clevis is reading from? Did you try with another port?
I will try to reproduce this and if I come to a conclusion, I will let you know
I changed the port via /etc/systemd/system/tangd.socket.d/override.conf:

[Socket]
ListenStream=
ListenStream=7500

I have tried different ports now. After that the error message is different. Now the message is as follows:

curl: (7) Failed to connect to vpsmail.de port 7500 after 5 ms: Connection refused
curl: (7) Failed to connect to vpsmail.de port 7300 after 5 ms: Connection refused
curl: (7) Failed to connect to vpsmail.de port 7200 after 5 ms: Connection refused

I checked with systemctl show tangd.socket -p Listen whether tang is listening on the port, and this shows 7500, 7300 and 7200.
How can I see the clevis version? With apt-show-versions clevis I'm getting 18-1ubuntu1
Please post the output of:

systemctl status tangd.socket

Also, please check the permissions in /var/lib/tang:

ls -ld /var/lib/tang/
systemctl status tangd.socket
● tangd.socket - Tang Server socket
     Loaded: loaded (/lib/systemd/system/tangd.socket; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/tangd.socket.d
             └─override.conf
     Active: active (listening) since Sun 2022-11-13 09:46:12 CET; 3 days ago
     Listen: [::]:7500 (Stream)
   Accepted: 10; Connected: 0;
      Tasks: 0 (limit: 4625)
     Memory: 0B
        CPU: 12ms
     CGroup: /system.slice/tangd.socket

Notice: journal has been rotated since unit was started, output may be incomplete.

ls -ld /var/lib/tang/
drwxr-xr-x 1 _tang _tang 0 Nov 13 09:31 /var/lib/tang/
The accepted connections did count up while I had the old error (curl: (56) Recv failure: Connection reset by peer). Since I changed the port and switched back, it does not count up anymore.
Can you execute curl with the verbose option, to see if there is more info there?

curl --verbose http://localhost:7500/adv

Also, check your /etc/hosts, as it is weird that it is trying to resolve localhost to a named host:

Failed to connect to vpsmail.de port 7500
curl --verbose http://localhost:7500/adv
*   Trying 127.0.0.1:7500...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to localhost (127.0.0.1) port 7500 (#0)
> GET /adv HTTP/1.1
> Host: localhost:7500
> User-Agent: curl/7.81.0
> Accept: */*
>
* Recv failure: Connection reset by peer
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
Sorry, I cannot figure out what the issue could be... Do you have firewalld running?
Hello, firewalld is running, but the effect is the same on localhost (where firewalld has no effect) or when the port is opened in firewalld for the runtime and permanent configuration. I would assume that a closed port in the firewall would not produce a connection reset; instead there would be no connection at all, because the port would not be accessible at all. Currently I'm running Ubuntu 22.04.2.
Seems to be a configuration setting. I have two servers running Ubuntu 22.04.3 which were upgraded (not sure what the install version was, 18 or maybe even earlier). And I have another one, also 22.04.3, which I installed later (maybe with 20.04). On this one the message is not showing up and I'm getting the key instead of the curl error. This seems to be a config setting, not directly tang related, which I have not found so far.
Output is identical apart from the result.

Working Tang Server A - Ubuntu 22.04.3:

curl -v http://localhost:7500/adv
*   Trying 127.0.0.1:7500...
* Connected to localhost (127.0.0.1) port 7500 (#0)
> GET /adv HTTP/1.1
> Host: localhost:7500
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/jose+json
< Content-Length: 993

Not working Tang Server B - Ubuntu 22.04.3:

curl -v http://localhost:7500/adv
*   Trying 127.0.0.1:7500...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to localhost (127.0.0.1) port 7500 (#0)
> GET /adv HTTP/1.1
> Host: localhost:7500
> User-Agent: curl/7.81.0
> Accept: */*
>
* Recv failure: Connection reset by peer
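The following Python script is an added example; it is not part of this issue thread and not code from the tang project. It scripts what the thread does by hand with curl: it fetches /adv and tells "connection refused" (nothing listening on the port) apart from "connection reset by peer" (the TCP connection was accepted, as the socket unit's rising Accepted counter shows, but the peer closed it without sending an HTTP response), and on a 200 with application/jose+json it decodes the advertisement, which is a JWS whose payload is a JWK set, and names each key by its RFC 7638 SHA-256 thumbprint. The URL, the sample keys in make_sample_adv() (placeholder coordinates, not a real Tang key) and the diagnostic hints in the return values are assumptions. The ES512 signature over the advertisement is not verified here; clevis does that when binding.

```python
"""Probe a Tang server's /adv endpoint and decode the advertisement (added example)."""
import base64
import hashlib
import http.client
import json
import socket
from urllib.parse import urlparse


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, compact JSON, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}
    members = required[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def inspect_adv(body: bytes) -> dict:
    """Decode a Tang advertisement (flattened JWS JSON) without verifying its signature."""
    jws = json.loads(body)
    for field in ("payload", "protected", "signature"):
        if field not in jws:
            raise ValueError(f"not a JWS: missing {field!r}")
    keys = json.loads(b64url_decode(jws["payload"]))["keys"]
    summary = [{"kid": jwk_thumbprint(k), "alg": k.get("alg"), "key_ops": k.get("key_ops", [])}
               for k in keys]
    # A usable advertisement carries the key that signed it (verify) and at least
    # one key a client can run the exchange against (deriveKey).
    verify_keys = [k["kid"] for k in summary if "verify" in k["key_ops"]]
    derive_keys = [k["kid"] for k in summary if "deriveKey" in k["key_ops"]]
    return {"keys": summary, "verify_keys": verify_keys, "derive_keys": derive_keys,
            "usable": bool(verify_keys) and bool(derive_keys)}


def probe(url: str, timeout: float = 5.0) -> dict:
    """Fetch /adv and classify the outcome the way the thread's curl runs were read."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/adv")
        resp = conn.getresponse()
        body = resp.read()
    except ConnectionRefusedError:
        # curl exit 7: no socket bound on that port at all.
        return {"status": "refused", "hint": "nothing listening; check systemctl show tangd.socket -p Listen"}
    except ConnectionResetError:
        # curl exit 56 (RemoteDisconnected is a ConnectionResetError): accepted, then closed without a reply.
        return {"status": "reset", "hint": "accepted but closed without a response; check the journal of the spawned tangd@ service"}
    except (socket.timeout, OSError) as e:
        return {"status": "error", "hint": str(e)}
    finally:
        conn.close()
    ctype = resp.getheader("Content-Type") or ""
    if resp.status != 200 or not ctype.startswith("application/jose+json"):
        return {"status": "http", "hint": f"{resp.status} {ctype}"}
    return {"status": "ok", "adv": inspect_adv(body)}


def make_sample_adv() -> bytes:
    """Constructed advertisement with placeholder coordinates and signature; not a real Tang key."""
    sign_key = {"alg": "ES512", "crv": "P-521", "kty": "EC", "key_ops": ["verify"],
                "x": b64url_encode(b"\x01" * 66), "y": b64url_encode(b"\x02" * 66)}
    exch_key = {"alg": "ECMR", "crv": "P-521", "kty": "EC", "key_ops": ["deriveKey"],
                "x": b64url_encode(b"\x03" * 66), "y": b64url_encode(b"\x04" * 66)}
    payload = b64url_encode(json.dumps({"keys": [sign_key, exch_key]}).encode())
    protected = b64url_encode(json.dumps({"alg": "ES512", "cty": "jwk-set+json"}).encode())
    return json.dumps({"payload": payload, "protected": protected,
                       "signature": b64url_encode(b"\x00" * 132)}).encode()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:7500/adv"  # assumed URL
    print(json.dumps(probe(target), indent=2))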