Error decrypting credential: No secret key <GPGME>

Hi, I created slave scanners, copied the key files from /var/lib/gvm to the master in /opt/gvm/, and created the scanner pointing to the files. Now I get:

error decrypting credential: No secret key

I cannot verify the scanner either.

Any idea?

Got it, forgot to set ownership on the gvm account on the keyfile.

Hmm, created the scanner again and it does not work any more. I don't understand why.

Anyone here that used Master and slave architecture - #11 by tatooin and since December cannot verify scanner?

My master setup is:

sudo -u gvm gvmd --create-scanner=BMCscanner --scanner-type=OpenVas --scanner-port=9390 --scanner-host= --scanner-ca-pub=/opt/gvm/cacert.pem --scanner-key-priv=/opt/gvm/clientkey.pem --scanner-key-pub=/opt/gvm/clientcert.pem

My slave is

[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service redis-server@openvas.service mosquitto.service
Wants=redis-server@openvas.service mosquitto.service notus-scanner.service
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
#PIDFile=/run/ospd/openvas-slave.pid -p 9390 -b 0.0.0.0
ExecStart=/usr/local/bin/ospd-openvas --PIDFile=/run/ospd/openvas-slave.pid -p 9390 -b 0.0.0.0 -k /var/lib/gvm/private/CA/serverkey.pem -c /var/lib/gvm/CA/servercert.pem --ca-file /var/lib/gvm/CA/cacert.pem --log-level INFO --lock-file-dir /var/lib/openvas -l /var/log/gvm/ospd-openvas-slave.log

SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target

I have replicated the setup and it works all fine in a new setup. So somehow the master has a corruption in the DB.

I see this in the log with 128 configured

md main:MESSAGE:2024-01-03 10h32.27 utc:8481: Greenbone Vulnerability Manager version 22.4.0~dev1 (DB revision 250)
md manage: INFO:2024-01-03 10h32.27 utc:8481: Verifying scanner.
libgvm util:WARNING:2024-01-03 10h32.28 utc:8481: gvm_server_new_mem: The certificate and the given key do not match.
libgvm util:WARNING:2024-01-03 10h32.28 utc:8481: Failed to create client TLS session.

I found a solution to fix it. I cannot explain how the error is caused but…

When I created the first slave, I copied the client certs into the /opt/gvm folder.

Then I later decided to move the certs into a subfolder, and then the issues started.

The only way to resolve it is by completely rm -rf the folder and recreate the folder structure.

OK, after one day adding the third slave it stopped working again. Anyone?

I upgraded to the latest binaries, which gives me more info:

libgvm util: INFO:2024-01-05 12h02.35 utc:11011: OpenPGP key 'GVM Credential Encryption - 2024-01-05T12:02:34Z' has been generated
md manage:MESSAGE:2024-01-05 12h02.35 utc:11011: manage_create_encryption_key: Credential encryption key created: 'GVM Credential Encryption - 2024-01-05T12:02:34Z'
md main:MESSAGE:2024-01-05 12h02.53 utc:11042: Greenbone Vulnerability Manager version 23.1.0 (DB revision 255)
md manage: INFO:2024-01-05 12h02.53 utc:11042: Verifying scanner.
libgvm util:WARNING:2024-01-05 12h03.01 utc:11042: gvm_server_new_mem: The certificate and the given key do not match.
libgvm util:WARNING:2024-01-05 12h03.01 utc:11042: Failed to create client TLS session.

I validated the certs and they are correct

openssl x509 -noout -modulus -in /opt/gvm/clientcert.pem | openssl md5
MD5(stdin)= c544e81811599aa33f414596416f26ac

openssl rsa -noout -modulus -in /opt/gvm/clientkey.pem | openssl md5
MD5(stdin)= c544e81811599aa33f414596416f26ac

openssl x509 -noout -modulus -in /opt/gvm/cacert.pem | openssl md5
MD5(stdin)= 7e51b6de913c11e5ec904856988d1a89

So what key is this referring to?

I found that as soon as I add a second slave the issue starts. With debug enabled it shows:

md manage: DEBUG:2024-01-05 12h36.46 utc:12334: sql: SELECT value FROM meta WHERE name = 'encryption_key_uid';
md manage: DEBUG:2024-01-05 12h36.46 utc:12334: sql_x end (SELECT value FROM meta WHERE name = 'encryption_key_uid';)
libgvm util:WARNING:2024-01-05 12h36.46 utc:12334: error decrypting credential: No secret key
libgvm util: INFO:2024-01-05 12h36.46 utc:12334: encrypted to keyid CFCBDB0667292D3B, algo=1: No secret key
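
An added example, not part of the original posts: a shell check that takes the key ID from the `encrypted to keyid` log line above and reports whether a secret key with that ID appears in a `gpg --list-secret-keys --with-colons` listing. The function names and both sample key listings are constructed for illustration; only the two log lines come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report key IDs that a gvmd log says a
# credential was "encrypted to" but that have no secret key in a GnuPG listing.

# Key IDs from "encrypted to keyid <ID>" log lines on stdin.
wanted_keyids() {
    sed -n 's/.*encrypted to keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' |
        tr 'abcdef' 'ABCDEF' | sort -u
}

# Long key IDs (field 5) of secret primary keys (sec) and subkeys (ssb) in
# `gpg --list-secret-keys --with-colons` output on stdin.
secret_keyids() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print toupper($5) }' | sort -u
}

# Usage: missing_keyids "LISTING" < LOGFILE
# Prints each logged key ID that is absent from the listing.
missing_keyids() {
    have=$(printf '%s\n' "$1" | secret_keyids)
    wanted_keyids | while read -r id; do
        printf '%s\n' "$have" | grep -qxF "$id" || printf '%s\n' "$id"
    done
}

# Sample input. The log lines are the ones quoted in the thread; both key
# listings are constructed, and every key ID except the logged one is a placeholder.
sample_log() {
    cat <<'EOF'
libgvm util:WARNING:2024-01-05 12h36.46 utc:12334: error decrypting credential: No secret key
libgvm util: INFO:2024-01-05 12h36.46 utc:12334: encrypted to keyid CFCBDB0667292D3B, algo=1: No secret key
EOF
}
sample_keyring_new() {   # keyring holding only a different key pair
    cat <<'EOF'
sec:u:3072:1:1111111111111111:1704456154:::u:::scESC:::+:::23::0:
ssb:u:3072:1:2222222222222222:1704456154::::::e:::+:::23:
EOF
}
sample_keyring_old() {   # keyring that still holds the logged encryption subkey
    cat <<'EOF'
sec:u:3072:1:3333333333333333:1700000000:::u:::scESC:::+:::23::0:
ssb:u:3072:1:CFCBDB0667292D3B:1700000000::::::e:::+:::23:
EOF
}

echo "different keyring, missing: $(sample_log | missing_keyids "$(sample_keyring_new)")"
echo "matching keyring, missing: $(sample_log | missing_keyids "$(sample_keyring_old)")"
```

On a live system the listing would come from `gpg --homedir <gvmd GnuPG home> --list-secret-keys --with-colons` run as the gvm user, with the log read from the gvmd log file; the GnuPG home path depends on the installation and is left as a placeholder here.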