Not connecting Landscape client

Asked by raul

Good morning,

I am trying to activate the Landscape client on my network, which is behind a proxy server. I can connect to landscape.canonical.com through ports 80 and 443, but I cannot activate the client.

When I try to activate it I get:

*****@**2SUB01:/etc/landscape$ sudo landscape-config
[sudo] password for *****:

This script will interactively set up the Landscape client. It will
ask you a few questions about this computer and your Landscape
account, and will submit that information to the Landscape server.
After this computer is registered it will need to be approved by an
account administrator on the pending computers page.

Please see https://landscape.canonical.com for more information.

The computer title you provide will be used to represent this
computer in the Landscape user interface. It's important to use
a title that will allow the system to be easily recognized when
it appears on the pending computers page.

This computer's title [**2SUB01]:

You must now specify the name of the Landscape account you
want to register this computer with. You can verify the
names of the accounts you manage on your dashboard at
https://landscape.canonical.com/dashboard

Account name [******]:

A registration password may be associated with your Landscape
account to prevent unauthorized registration attempts. This
is not your personal login password. It is optional, and unless
explicitly set on the server, it may be skipped here.

If you don't remember the registration password you can find it
at https://landscape.canonical.com/account/*****

Account registration password:
Please confirm:

Passwords must match.

Account registration password:
Please confirm:

The Landscape client communicates with the server over HTTP and
HTTPS. If your network requires you to use a proxy to access HTTP
and/or HTTPS web sites, please provide the address of these
proxies now. If you don't use a proxy, leave these fields empty.

HTTP proxy URL [http://**.**.**.*:****/]:
HTTPS proxy URL [http://**.**.**.*:****/]:

Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.

Enable script execution? [Y/n]

By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".

Script users [ALL]:

You may provide tags for this computer e.g. server,hardy.

Tags [Server]:
 * Stopping landscape-client daemon [ OK ]
 * Starting the landscape-client daemon [ OK ]

Request a new registration for this computer now? (Y/n): Y
Please wait... We were unable to contact the server. Your internet connection may be down. The landscape client will continue to try and contact the server periodically.

My client.conf:

*****@**2SUB01:/etc/landscape$ sudo cat /etc/landscape/client.conf
[client]
url = https://landscape.canonical.com/message-system
ping_url = http://landscape.canonical.com/ping
data_path = /var/lib/landscape/client
http_proxy = http://********/
tags = Server
computer_title = **2SUB01
account_name = ****
registration_password = *******
include_manager_plugins = ScriptExecution
script_users = ALL
https_proxy = http://******/

I can access Canonical over https and http from the terminal.

Thanks a lot,

regards,

Question information

Language: English
Status: Solved
For: Landscape Client
Assignee: No assignee
Solved by: Andreas Hasenack

Andreas Hasenack (ahasenack) said :
#1

The broker.log file in /var/log/landscape will have details of what happened.

raul (raullires-q) said :
#2

Thank you Andreas,

I get this error (not contacting to the server)

2012-02-23 12:23:29,928 ERROR [Dummy-1 ] Error contacting the server at https://landscape.canonical.com/message-system.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/landscape/broker/transport.py", line 70, in exchange
    curly, data = self._curl(spayload, computer_id, message_api)
  File "/usr/lib/python2.7/dist-packages/landscape/broker/transport.py", line 46, in _curl
    headers=headers, cainfo=self._pubkey, curl=curl))
  File "/usr/lib/python2.7/dist-packages/landscape/lib/fetch.py", line 92, in fetch
    raise PyCurlError(e.args[0], e.args[1])
PyCurlError: Error 35: gnutls_handshake() failed: Key usage violation in certificate has been detected.
2012-02-23 12:23:29,929 INFO [MainThread] Message exchange failed.
2012-02-23 12:23:29,930 INFO [MainThread] Message exchange completed in 0.29s.

But if I execute this in the same terminal:

 elinks https://landscape.canonical.com/message-system

I get response,

thank you again

Andreas Hasenack (ahasenack) said :
#3

Can you try without https_proxy? Usually https isn't proxied.

raul (raullires-q) said :
#4

No sorry, we are behind a firewall proxy that we cannot access without it, sorry,

I think that the problem is that our proxy provider sent us a certificate named root.crt that I don't know how to install on Ubuntu. Any idea?

Because I have been reading this https://help.ubuntu.com/8.04/serverguide/C/certificates-and-security.html

Thanks a lot,

raul (raullires-q) said :
#5

The link that talks about the certificate error: https://landscape.canonical.com/account/sicpa/kb/article/2195

I get

sicpa@ES2SUB01:/etc/landscape$ wget https://landscape.canonical.com
--2012-02-23 13:00:49-- https://landscape.canonical.com/
Connecting to 10.4.64.3:3128... connected.
ERROR: cannot verify landscape.canonical.com's certificate, issued by `/C=ES/L=Madrid Goya/O=Sicpa/OU=Information Services/CN=Open Systems AG Proxy CA':
  Self-signed certificate encountered.
To connect to landscape.canonical.com insecurely, use `--no-check-certificate'.

Best Andreas Hasenack (ahasenack) said :
#6

Your proxy seems to be trying to actually proxy HTTPS, and that won't work. It's even called an attack (search for MITM). You need to let HTTPS through using the CONNECT method (if we are talking about a squid proxy).

The error is correct and is keeping you and your machines safe.
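
A triage sketch for the two symptoms in this thread, added here as an example; it is not part of the original posts or of the Landscape client. It pulls the libcurl error code out of broker.log text and the issuer DN out of wget's output, and flags an issuer that is not on the caller's trusted list. The function names and the "Example Public CA" placeholder are assumptions; the sample input is copied from the posts above.

```python
import re

# libcurl result codes (CURLcode values) that matter for this failure mode.
TLS_CODES = {35: "TLS handshake failed", 60: "server certificate not trusted"}
NET_CODES = {5: "cannot resolve proxy", 6: "cannot resolve host",
             7: "cannot connect", 28: "timeout"}

PYCURL_RE = re.compile(r"PyCurlError: Error (\d+): (.+)")
ISSUER_RE = re.compile(r"issued by [`'](/.+?)'")


def curl_errors(broker_log):
    """Return (code, message) for every PyCurlError line in broker.log text."""
    return [(int(c), m.strip()) for c, m in PYCURL_RE.findall(broker_log)]


def issuer_fields(wget_output):
    """Parse the issuer DN from wget's 'cannot verify' line into a dict."""
    match = ISSUER_RE.search(wget_output)
    if not match:
        return {}
    parts = (p.split("=", 1) for p in match.group(1).split("/") if "=" in p)
    return {key: value for key, value in parts}


def diagnose(broker_log, wget_output, trusted_issuer_cns):
    """Classify the failure: unexpected issuer, TLS error, or network error."""
    codes = [code for code, _ in curl_errors(broker_log)]
    issuer_cn = issuer_fields(wget_output).get("CN")
    # An issuer outside the trusted set is what a proxy re-signing HTTPS
    # traffic looks like from the client side.
    if issuer_cn and issuer_cn not in trusted_issuer_cns:
        return "unexpected-issuer", issuer_cn
    if any(code in TLS_CODES for code in codes):
        return "tls-error", issuer_cn
    if any(code in NET_CODES for code in codes):
        return "network-error", issuer_cn
    return "unknown", issuer_cn


# Sample input: lines copied from the thread above.
BROKER_LOG = """2012-02-23 12:23:29,928 ERROR [Dummy-1 ] Error contacting the server at https://landscape.canonical.com/message-system.
PyCurlError: Error 35: gnutls_handshake() failed: Key usage violation in certificate has been detected.
"""
WGET_OUTPUT = ("ERROR: cannot verify landscape.canonical.com's certificate, issued by "
               "`/C=ES/L=Madrid Goya/O=Sicpa/OU=Information Services/CN=Open Systems AG Proxy CA':")

if __name__ == "__main__":
    # "Example Public CA" is a placeholder for the CA you expect to see.
    print(diagnose(BROKER_LOG, WGET_OUTPUT, {"Example Public CA"}))
```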

raul (raullires-q) said :
#7

Thanks Andreas Hasenack, that solved my question.