RSA NetWitness Logs and Network 11.3 Chef run fails with nw_pki_openssl_hashed_cert error in chef-solo.log

Issue

While performing an operation that requires Chef to run, such as an install, an upgrade, or the new certificate reissue command, the process can stop with an error like the one below. Depending on the action and the device being acted on, the device may appear offline or be unreachable until the error is resolved. The error is recorded in the /var/log/netwitness/config-management/chef-solo.log file.
 
[2019-05-08T23:28:10-03:00] ERROR: Running exception handlers
[2019-05-08T23:28:10-03:00] ERROR: Exception handlers complete
[2019-05-08T23:28:10-03:00] FATAL: Stacktrace dumped to /var/lib/netwitness/config-management/cache/chef-stacktrace.out
[2019-05-08T23:28:10-03:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2019-05-08T23:28:10-03:00] ERROR: nw_pki_openssl_hashed_cert[nw-appliance /etc/netwitness/ng/appliance/trustpeers -> ["sa-server"]] (nw-appliance::trusts line 19) had an error:
Mixlib::ShellOut::ShellCommandFailed: execute[launch-peer-cert:sa-server] (/var/lib/netwitness/config-management/cache/cookbooks/nw-pki/resources/openssl_hashed_cert.rb line 65) had an error:
Mixlib::ShellOut::ShellCommandFailed: Command execution failed. STDOUT/STDERR suppressed for sensitive resource
[2019-05-08T23:28:10-03:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

If you review the stack trace, you may see something similar to the following:

---- Begin output of security-cli-client --get-certificates-for-service --service sa-server --output-dir /etc/pki/nw/peer/sa-server -u deploy_admin -k #%Funky!Password -b cfdb9351-01d6-4d5c-9cfe-da36ccadb98c ----
STDOUT:
STDERR: security-cli-client: option requires an argument -- 'k'
Terminating...
---- End output of security-cli-client --get-certificates-for-service --service sa-server --output-dir /etc/pki/nw/peer/sa-server -u deploy_admin -k #%Funky!Password -b cfdb9351-01d6-4d5c-9cfe-da36ccadb98c ----
Ran security-cli-client --get-certificates-for-service --service sa-server --output-dir /etc/pki/nw/peer/sa-server -u deploy_admin -k #%FZ!JF81w -b cfdb9351-01d6-4d5c-9cfe-da36ccadb98c returned 1




Cause

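This can occur if the deployment password contains special characters that the bash shell interprets instead of passing through literally. In the stack trace above, the password begins with #, which the shell treats as the start of a comment, so the -k option is left without an argument. This should be addressed at some point in a future release yet to be determined at the time of this writing.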
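
The failure in the stack trace, reproduced as an added example (not RSA's code): a `set --` in a child `sh -c` stands in for security-cli-client, and the function names are hypothetical. It shows an unquoted value that starts with `#` being dropped, and the same value surviving once it is single-quoted before being placed in the command string.

```shell
#!/bin/sh
# Added example: "set --" in a child shell stands in for security-cli-client.
# Function names are hypothetical; the passwords are constructed samples.

# Failing pattern: the password is spliced unquoted into a command string that
# a child shell parses again. Prints what the child receives as the -k argument.
# Call it with trusted test strings only; the child shell interprets them.
k_arg_unquoted() {
    sh -c "set -- -k $1
printf '%s' \"\${2-}\""
}

# Wrap a value in single quotes for a POSIX shell, turning each embedded
# single quote into '\'' so the whole value stays one literal word.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Corrected pattern: same command string, but the value is quoted first.
k_arg_quoted() {
    sh -c "set -- -k $(sh_quote "$1")
printf '%s' \"\${2-}\""
}

# '#' only starts a comment at the beginning of a word, so the second sample
# survives unquoted while the third (the form in the stack trace) is dropped.
for pw in 'Funky.Password1' '%Funky#Password' '#%Funky!Password'; do
    printf '%-18s unquoted=[%s] quoted=[%s]\n' "$pw" \
        "$(k_arg_unquoted "$pw")" "$(k_arg_quoted "$pw")"
done
```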


Resolution

Change the deployment password, then restart the upgrade through the CLI if the UI is unavailable. See this KB article for directions:
https://community.rsa.com/docs/DOC-105200

Internal Comments

This issue was discovered in SACE-11406, and the fix is being tracked in ASOC-77296.


Product Details

  • RSA Product Set: NetWitness Logs and Network
  • RSA Product/Service Type: Orchestration/Chef
  • RSA Version/Condition: 11.3.0.X
  • Platform: CentOS
  • O/S Version: 7


Summary

While performing an operation that requires Chef to run, such as an install, an upgrade, or the new certificate reissue command, the process can stop with this kind of error.

