Rejecting Inventory for Node 'xxx-yyy-zzz' because signature is not valid

If you see an error message like the following one in Rudder log (/var/log/rudder/webapp/date.stderrout.log)


[2016-01-01
 08:55:17] ERROR 
com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - 
Rejecting Inventory 'xxx-yyy-zzz.ocs' for Node 'xxx-yyy-zzz' because signature
is not valid, you can update the inventory key by running the following command 
'/opt/rudder/bin/rudder-keys change-key xxx-yyy-zzz <your new public key>'

it means there is a mismatch between the signature of the inventory generated by the node and the validation of that signature performed on the Rudder server.

The signing is done to prevent anyone to send an inventory to Rudder and change potentially critical information about that node, or use that vector to obtain critical information.


The mismatch can be due to the following causes:


  • You updated the node agent key. In that case, you need to update the corresponding key store on the Rudder server which is used to do the verification with the command displayed in the error message.
  • There was a problem with the signature process on the node. Particularly, when there is a problem with "openssl" command, the signature may be empty. Check the content of signature file for that inventory in /var/rudder/inventories/failed/xxx-yyy-zzz.ocs.sig-DATE
  • The node sending the inventory is not the same as the one registered in Rudder. This can show a security problem, but it may also be due to two nodes having the same nodeID for some reason (a VM cloned followed with an update of the agent key of one the cloned node, but no change of the nodeID)


Inventory

This article was helpful for 1 person. Is this article helpful for you?