Over the last few days, I suddenly started to receive SMT registration errors by e-mail. SMT is a SuSE/Novell service to register SuSE Linux clients and to create local patch mirrors.
After some investigation, the following logfile showed the exact same errors as sent by e-mail:
# tailf /var/log/smt/smt-register.log
2012-03-06 07:35:48 SMT::NCCRegTools - [info] Register 1 new clients.
2012-03-06 07:35:49 SMT::NCCRegTools - [error] Invalid response:500 Access to 'http' URIs has been disabled
2012-03-06 07:50:47 SMT::NCCRegTools - [info] Register 1 new clients.
2012-03-06 07:50:48 SMT::NCCRegTools - [error] Invalid response:500 Access to 'http' URIs has been disabled
As one can see, the errors repeat every 15 minutes. So there must be a cronjob launching this thing. The cronjob was found within the /etc/cron.d folder:
# cat /etc/cron.d/novell.com-smt
*/15 * * * * root /usr/lib/SMT/bin/smt-repeated-register
0 1 * * * root /usr/lib/SMT/bin/smt-daily
0 2 * * * root /usr/lib/SMT/bin/smt-run-jobqueue-cleanup
0 5 * * 1 root /usr/lib/SMT/bin/smt-gen-report
So it is the script /usr/lib/SMT/bin/smt-repeated-register which causes trouble... This script basically checks if a proxy connection should be used and then launches the following command:
/usr/sbin/smt-register -r -L /var/log/smt/smt-register.log --mail
When executed manually, nothing happened; it seemed to be blocked somewhere. Fortunately there is a debug mode to see what's going on:
# smt-register --debug
Register 1 new clients.
Register 'xxx'
SEND TO: https://secure-www.novell.com/center/regsvc?command=bulkop&lang=en-US&version=1.0
XML: <?xml version="1.0" encoding="UTF-8"?>
<bulkop xmlns="http://www.novell.com/xml/center/regsvc-1_0" lang="en" client_version="1.2.3"><register force="batch"><guid>xxx</guid><host /><authuser>xxx</authuser><authpass>xxx</authpass><smtguid>xxx</smtguid><product version="11.1" release="DVD" arch="x86_64">SUSE_SLES</product><param id="ostarget">sle-11-x86_64</param><param id="ostarget-bak"><![CDATA["SUSE Linux Enterprise Server 11 (x86_64)"]]></param><param id="platform">x86_64</param><param id="processor">x86_64</param><param id="secret">xxx</param><param id="timezone">Europe/Zurich</param><param id="email">xxx@example.com</param></register></bulkop>
Result: 302 Moved Temporarily
Redirected to http://secure-www.novell.com/center/regsvc/?command=bulkop&lang=en-US&version=1.0
SEND TO: http://secure-www.novell.com/center/regsvc/?command=bulkop&lang=en-US&version=1.0
XML: <?xml version="1.0" encoding="UTF-8"?>
<bulkop xmlns="http://www.novell.com/xml/center/regsvc-1_0" lang="en" client_version="1.2.3"><register force="batch"><guid>xxx</guid><host /><authuser>xxx</authuser><authpass>xxx</authpass><smtguid>xxx</smtguid><product version="11.1" release="DVD" arch="x86_64">SUSE_SLES</product><param id="ostarget">sle-11-x86_64</param><param id="ostarget-bak"><![CDATA["SUSE Linux Enterprise Server 11 (x86_64)"]]></param><param id="platform">x86_64</param><param id="processor">x86_64</param><param id="secret">xxx</param><param id="timezone">Europe/Zurich</param><param id="email">xxx@example.com</param></register></bulkop>
Result: 500 Access to 'http' URIs has been disabled
Invalid response:500 Access to 'http' URIs has been disabled
So the problem is that the accessed URL (https://secure-www.novell.com/center/regsvc) is forwarding the request to a non-https URL (http://www.novell.com/xml/center/regsvc-1_0). This causes a problem because the smt-register Perl script only allows the https protocol (take a look at line 82):
81: my $useragent = SMT::Utils::createUserAgent(keep_alive => 1);
82: $useragent->protocols_allowed( [ 'https' ] );
83: $useragent->default_headers->push_header('Content-Type' => 'text/xml');
I experimented by adding the protocol http into the protocols_allowed array but this only caused another error:
2012-03-06 09:05:47 SMT::NCCRegTools - [info] Register 1 new clients.
2012-03-06 09:05:49 SMT::NCCRegTools - [error] Invalid response:409 Conflict
So this isn't the solution.
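Line 82 is worth keeping as it is: the request body carries authuser, authpass and the secret parameter, so following the redirect would resend them over plain http. The following added example (not part of the original post or of SMT) scans a `smt-register --debug` transcript for https-to-http redirects; the transcript is a constructed, shortened copy of the output above and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed transcript, shortened from the debug output above (XML body trimmed).
TRANSCRIPT = """\
SEND TO: https://secure-www.novell.com/center/regsvc?command=bulkop&lang=en-US&version=1.0
XML: <register force="batch"><authuser>xxx</authuser><authpass>xxx</authpass></register>
Result: 302 Moved Temporarily
Redirected to http://secure-www.novell.com/center/regsvc/?command=bulkop&lang=en-US&version=1.0
SEND TO: http://secure-www.novell.com/center/regsvc/?command=bulkop&lang=en-US&version=1.0
XML: <register force="batch"><authuser>xxx</authuser><authpass>xxx</authpass></register>
Result: 500 Access to 'http' URIs has been disabled
"""

# Elements of the registration body that hold credentials.
SECRET_TAGS = re.compile(r'<(authuser|authpass)>|<param id="secret">')

def find_downgrades(transcript):
    """Return one finding per https -> http redirect seen in the transcript."""
    findings, last_send, body_has_secrets = [], None, False
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("SEND TO: "):
            last_send = line[len("SEND TO: "):]
            body_has_secrets = False          # new request, new body
        elif line.startswith("XML: ") or line.startswith("<"):
            body_has_secrets |= bool(SECRET_TAGS.search(line))
        elif line.startswith("Redirected to ") and last_send:
            target = line[len("Redirected to "):]
            src, dst = urlsplit(last_send), urlsplit(target)
            if src.scheme == "https" and dst.scheme == "http":
                findings.append({
                    "from": last_send,
                    "to": target,
                    "same_host": src.hostname == dst.hostname,
                    "credentials_in_body": body_has_secrets,
                })
    return findings

if __name__ == "__main__":
    for f in find_downgrades(TRANSCRIPT):
        print("scheme downgrade:", f["from"], "->", f["to"],
              "| credentials in body:", f["credentials_in_body"])
```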
Then I wondered how the smt-register script knew that it should send the requests to https://secure-www.novell.com - this was not set anywhere in /etc/smt.conf. A short grep later I found this satisfying information:
# grep "secure-www.novell.com" /etc/*
/etc/smt.conf.rpmnew:NURegUrl=https://secure-www.novell.com/center/regsvc/
/etc/suseRegister.conf:url = https://secure-www.novell.com/center/regsvc
/etc/suseRegister.conf-2009-11-11:url = https://secure-www.novell.com/center/regsvc/
So in the file /etc/smt.conf.rpmnew there was a variable NURegUrl, but in the main config file /etc/smt.conf there was none. Strange... There may be several reasons for that. Maybe this URL parameter has only been required for a couple of days, or some other admin accidentally removed the line from the config file... who knows.
Anyway, by adding the line into the [NU] section of /etc/smt.conf everything worked fine again:
# cat /etc/smt.conf
[NU]
NUUrl = https://nu.novell.com/
NUUser = xxx
NUPass = xxx
NURegUrl=https://secure-www.novell.com/center/regsvc/
# smt-register --debug
Register 1 new clients.
Register 'xxx'
SEND TO: https://secure-www.novell.com/center/regsvc/?command=bulkop&lang=en-US&version=1.0
...
Result: 200 OK
Registration success: 'xxx'.
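Because the missing key was sitting in /etc/smt.conf.rpmnew the whole time, comparing the active config against the packaged one finds this kind of drift directly. The following is an added example, not part of the original post or of SMT; the two file contents are constructed samples and the function names are hypothetical.

```python
import configparser

# Constructed samples; on a real host read /etc/smt.conf and /etc/smt.conf.rpmnew.
ACTIVE = """\
[NU]
NUUrl = https://nu.novell.com/
NUUser = xxx
NUPass = xxx
"""
RPMNEW = """\
[NU]
NUUrl = https://nu.novell.com/
NURegUrl=https://secure-www.novell.com/center/regsvc/
NUUser =
NUPass =
"""

def load(text):
    """Parse INI text, keeping key case (NURegUrl) and raw '%' characters."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def missing_keys(active_text, rpmnew_text):
    """Return (section, key, packaged_value) for keys present only in .rpmnew."""
    active, packaged = load(active_text), load(rpmnew_text)
    missing = []
    for section in packaged.sections():
        for key, value in packaged.items(section):
            # has_option() is False for an absent section as well as an absent key.
            if not active.has_option(section, key):
                missing.append((section, key, value))
    return missing

if __name__ == "__main__":
    for section, key, value in missing_keys(ACTIVE, RPMNEW):
        print(f"[{section}] {key} is missing from the active config "
              f"(packaged default: {value!r})")
```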