Re: SSL error: sslv3 alert handshake failure

jbond007 · Posted 03-14-2024 07:26 AM

Hi SAS Communities,

Any idea on the error I'm receiving after I apply the hotfix on SASVI (VIYA3.5), i cannot start the services properly.

psql: SSL error: sslv3 alert handshake failure

FATAL: client authentication failed
DETAIL: no pool_hba.conf entry for host "X.X.X.X", user "dbmsowner, database "postgres", SSL off

Before hotfix it is working, it says client authentication failed but I can still login to postgres without any issues.

Thanks for the help.

gwootton · Posted 03-14-2024 12:50 PM

How did you perform your update?

--
Greg Wootton | Principal Systems Technical Support Engineer

jbond007 · Posted 03-14-2024 12:53 PM

using this command
ansible-playbook -i inventory.ini site.yml -vvv
when applying the hotfix it can start ALL the service but when i attempt to do a full restart sudo /etc/init.d/sas-viya-all-services/ stop|start it gives that error messages

gwootton · Posted 03-14-2024 01:13 PM

I suspect the failure is happening when sas-viya-all-services tries to start the postgres or pgpool service.

The scripts make calls to the database using psql which should use TLS, in this case it appears that call is either not using TLS or the TLS call is failing and so it is trying without TLS and that attempt is failing because postgres is configured not to allow connections that are not using TLS.

I would recommend engaging SAS Technical Support so we can dig into the details of what's happening.

I usually update using the update-only.yml playbook, but I'm not sure that is related as site.yml should update as well.

Updating with Ansible
https://go.documentation.sas.com/doc/en/calcdc/3.5/dplyml0phy0lax/n0f5bkzrsoh6bnn1jc3x1n1b5lye.htm#p...

--
Greg Wootton | Principal Systems Technical Support Engineer

jbond007 · Posted 03-14-2024 01:28 PM

Ya, i think its the script during the hotfix it can start everything.
I noticed it changes the ssl_ciphers as well so i think that's the issue here.

Yup I raised ticket on SAS Technical Support just waiting for now

jbond007 · Posted 03-14-2024 01:29 PM

And for the update-only.yml this is the command im using before but I encounter this same issue before and they advised me to use the site.yml

jbond007 · Posted 03-21-2024 12:54 PM

We were able to solve the issue by running the commands
1. Run the following command to edit the value in consul:
/opt/sas/viya/home/bin/sas-bootstrap-config --consul https://localhost:8501 kv write --force config/postgres/sas.dataserver.pool/common/ssl_ciphers \'TLSv1.2:\!aNULL\'

2. to check if the value has been updated:
/opt/sas/viya/home/bin/sas-bootstrap-config kv read --recurse config/postgres/ | grep -i ciphers