Description
The 'ee key too small' error may occur during the following scenarios in a cluster setup:
- Upgrading Linux OS versions — For example, upgrading one node to Ubuntu 20.04 LTS while another remains on Ubuntu 18.04 LTS. Both nodes are running Access Server 2.11.3.
- Joining mismatched nodes — Adding a node running a different Access Server version or Linux OS version than the current nodes in the cluster.
This article uses the following scenario: a cluster with two nodes running Ubuntu 18.04 LTS with Access Server 2.11.3.
Error message example:
"api": "off. Error: [Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ee key too small')
This error indicates that the SSL-API certificates used by the cluster have 1024-bit keys, which newer Access Server versions and Linux distributions reject as too small.
Resolution
Run the following commands to check the public key size of your certificates:
openssl x509 -in /usr/local/openvpn_as/etc/ssl-api/ca.crt -text -noout | grep 'Public-Key'
openssl x509 -in /usr/local/openvpn_as/etc/ssl-api/server.crt -text -noout | grep 'Public-Key'
openssl x509 -in /usr/local/openvpn_as/etc/ssl-api/client.crt -text -noout | grep 'Public-Key'
Example output (1024-bit keys):
root@openvpn-access-server-Brandon2XX:~# openssl x509 -in /usr/local/openvpn_as/etc/ssl-api/server.crt -text -noout | grep 'Public-Key'
Public-Key: (1024 bit)
root@openvpn-access-server-Brandon2XX:~# openssl x509 -in /usr/local/openvpn_as/etc/ssl-api/server.crt -text -noout | grep 'Public-Key'
Public-Key: (1024 bit)
root@openvpn-access-server-Brandon2XX:~# openssl x509 -in /usr/local/openvpn_as/etc/ssl-api/client.crt -text -noout | grep 'Public-Key'
Public-Key: (1024 bit)
Note: In this example:
- Our cluster has two nodes.
- Both nodes are running Access Server v2.11.3.
- Both nodes are running Ubuntu 18.04 LTS.
- The goal is to upgrade to the latest Access Server on a modern (supported) version of Ubuntu Linux.
Follow the instructions below to resolve this issue:
On the first node in the cluster:
1. Take a backup of the cluster databases on your current MySQL Server (listed below):
+--------------------+
| Database |
+--------------------+
| as_certs |
| as_cluster |
| as_config |
| as_notification |
| as_userprop |
+--------------------+
You can use the mysqldump tool on your MySQL Server for your backup.
2. Generate 2048-bit certificates for the CA, the SSL-API server and the client:
mkdir /root/new_cluster_certs
cd /usr/local/openvpn_as/scripts/
./certool --dir /root/new_cluster_certs/ --cn "Access Server API CA" --type ca
./certool --dir /root/new_cluster_certs/ --type server --serial 1 --cn "`hostname`" -n server
./certool --dir /root/new_cluster_certs/ --type client --serial 2 --cn "api-client" -n client
3. Check the public key size of the newly generated certificates:
openssl x509 -in /root/new_cluster_certs/ca.crt -text -noout | grep 'Public-Key'
openssl x509 -in /root/new_cluster_certs/server.crt -text -noout | grep 'Public-Key'
openssl x509 -in /root/new_cluster_certs/client.crt -text -noout | grep 'Public-Key'
You should see something like:
root@Server-Side-Host:/usr/local/openvpn_as/scripts# openssl x509 -in /root/new_cluster_certs/ca.crt -text -noout | grep 'Public-Key'
RSA Public-Key: (2048 bit)
root@Server-Side-Host:/usr/local/openvpn_as/scripts# openssl x509 -in /root/new_cluster_certs/server.crt -text -noout | grep 'Public-Key'
RSA Public-Key: (2048 bit)
root@Server-Side-Host:/usr/local/openvpn_as/scripts# openssl x509 -in /root/new_cluster_certs/client.crt -text -noout | grep 'Public-Key'
RSA Public-Key: (2048 bit)
root@Server-Side-Host:/usr/local/openvpn_as/scripts#
4. Upload the newly generated files to the cluster DB:
./confdba --cluster --prof='_INTERNAL' -mk ca.crt --value_file=/root/new_cluster_certs/ca.crt
./confdba --cluster --prof='_INTERNAL' -mk ca.key --value_file=/root/new_cluster_certs/ca.key
./confdba --cluster --prof='_INTERNAL' -mk client.crt --value_file=/root/new_cluster_certs/client.crt
./confdba --cluster --prof='_INTERNAL' -mk client.csr --value_file=/root/new_cluster_certs/client.csr
./confdba --cluster --prof='_INTERNAL' -mk client.key --value_file=/root/new_cluster_certs/client.key
./confdba --cluster --prof='_INTERNAL' -mk server.crt --value_file=/root/new_cluster_certs/server.crt
./confdba --cluster --prof='_INTERNAL' -mk server.csr --value_file=/root/new_cluster_certs/server.csr
./confdba --cluster --prof='_INTERNAL' -mk server.key --value_file=/root/new_cluster_certs/server.key
5. Remove the generated files (including the private keys) from the temporary folder under /root/, since they are now stored in the cluster DB:
rm -f /root/new_cluster_certs/*
Now the cluster DB contains the new 2048-bit certificates, but all nodes still use the 1024-bit ones stored on disk in /usr/local/openvpn_as/etc/ssl-api.
To replace these files, remove each node from the cluster and join it again. During the join, the new 2048-bit certificates are downloaded from the cluster DB and stored in /usr/local/openvpn_as/etc/ssl-api with the proper permissions.
On each node in the cluster:
1. Run these commands to remove the node from the cluster and join it again:
cd /usr/local/openvpn_as/scripts/
export CLUSTERJOINURL=$(./sacli ClusterJoinURL)
echo $CLUSTERJOINURL
./sacli ClusterLeave
sleep 10
./sacli --mysql_str="$CLUSTERJOINURL" ClusterJoin
sleep 10
service openvpnas restart
unset CLUSTERJOINURL
Repeat the steps above on each remaining node in the cluster, one node at a time.
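The openssl checks in the Resolution section and in step 3 both come down to reading the key size out of `openssl x509 -text` output, and the article's own transcripts show two spellings of that line ("Public-Key: (1024 bit)" and "RSA Public-Key: (2048 bit)"). The script below, an added example rather than code from the article or from OpenVPN, wraps that check so you can run it on a node before the fix, on the freshly generated set in /root/new_cluster_certs, and again after each rejoin; the SSL_API_DIR default, file names and the 2048-bit minimum are taken from the article.

```shell
#!/bin/sh
# Added example (not from the OpenVPN article): audit the SSL-API certificates
# on an Access Server node and flag any whose key is shorter than 2048 bits,
# the condition that produces the 'ee key too small' error.
SSL_API_DIR="${SSL_API_DIR:-/usr/local/openvpn_as/etc/ssl-api}"
MIN_BITS=2048

# Extract the key size from `openssl x509 -text` output read on stdin.
# Matches both forms seen in the article: "Public-Key: (1024 bit)" and
# "RSA Public-Key: (2048 bit)".
key_bits_from_text() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Key size of a PEM certificate file; prints nothing if openssl cannot parse it.
cert_key_bits() {
    openssl x509 -in "$1" -text -noout 2>/dev/null | key_bits_from_text
}

# Return 0 if the size meets the minimum, 1 if it is too small or unknown.
bits_ok() {
    [ -n "$1" ] && [ "$1" -ge "$MIN_BITS" ]
}

# Check ca.crt, server.crt and client.crt in a directory (default: the
# on-disk SSL-API folder). Prints one line per file and returns 1 if any
# key is too small or unreadable, so it can gate an upgrade script.
check_ssl_api_certs() {
    dir="${1:-$SSL_API_DIR}"
    rc=0
    for name in ca server client; do
        bits=$(cert_key_bits "$dir/$name.crt")
        if bits_ok "$bits"; then
            printf '%s/%s.crt: %s bit OK\n' "$dir" "$name" "$bits"
        else
            printf '%s/%s.crt: %s bit TOO SMALL (need >= %s)\n' \
                "$dir" "$name" "${bits:-unknown}" "$MIN_BITS"
            rc=1
        fi
    done
    return $rc
}
```

Source the file and run `check_ssl_api_certs` on a node, or `check_ssl_api_certs /root/new_cluster_certs` after step 2; a non-zero exit means at least one certificate still needs replacing.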
Finally, your Access Server cluster uses 2048-bit certificates for internode communication. It meets the security requirements of modern Linux distributions, and you can join new nodes based on Ubuntu 20.04 LTS or newer to replace the nodes based on Ubuntu 18.04.
If you have additional questions, please submit a ticket.