CFEngine Failed to establish TLS connection bootstrap error

Created: — modified: — tags: cfengine

Maybe the agent's IP is not among the allowed ones?

If bootstrapping a CFEngine agent fails with a cryptic TLS connection error like this:

cf-agent -B 138.68.252.222
notice: Bootstrap mode: implicitly trusting server, use --trust-server=no if server trust is already established
error: Failed to establish TLS connection: socket closed
error: No suitable server found
error: Failed to establish TLS connection: socket closed
error: No suitable server found
error: Failed to establish TLS connection: underlying network error (Connection reset by peer)
error: No suitable server found
error: Method 'failsafe_cfe_internal_update' failed in some repairs
R: Bootstrapping from host '<IP>' via built-in policy '/var/cfengine/inputs/failsafe.cf'
R: This autonomous node assumes the role of voluntary client
error: Bootstrapping failed, no input file at '/var/cfengine/inputs/promises.cf' after bootstrap

check whether you have added the agent's IP address to the ACL in def.cf / def.json.


Update: For the record, here's my favourite def.json:

{
    "classes": {
        "client_initiated_reporting_enabled": [ "any" ],
        "mpf_augments_control_enabled": [ "any" ],
        "services_autorun": ["any"]
    },
    "vars": {
        "default_data_select_host_monitoring_include": [ ".*" ],
        "default_data_select_policy_hub_monitoring_include": [ ".*" ],
        "control_server_call_collect_interval": "1",
        "control_executor_splaytime": "1",
        "control_executor_schedule": ["any"],
        "control_hub_hub_schedule": ["any"],
        "control_hub_exclude_hosts": [ "0.0.0.0/0" ],
        "mpf_access_rules_collect_calls_admit_ips": [ "0.0.0.0/0" ],
        "acl": [ "0.0.0.0/0", "::/0" ]
    }
}

This also enables client-initiated reporting and configures cf-agent to run every minute.
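The two `acl` entries above (0.0.0.0/0 and ::/0) admit every IPv4 and IPv6 address to cf-serverd, which makes the bootstrap error go away but also means any host that can reach the hub may connect to it and pull policy; on a hub that is reachable from outside your network you would normally list only the agents' subnets. The script below is an added example (not from this post or from CFEngine itself) that reads the `acl` list out of a def.json, tells you whether a given agent address is admitted, and flags the wide-open entries. The def.json text is the one from this post; the narrower `NARROW_DEF_JSON_TEXT`, the agent address 192.0.2.10 and the hostname `hub.example.com` are constructed for the example.

```python
import ipaddress
import json

# The def.json from the post above, reduced to the keys this check reads.
DEF_JSON_TEXT = '''
{
    "vars": {
        "mpf_access_rules_collect_calls_admit_ips": [ "0.0.0.0/0" ],
        "acl": [ "0.0.0.0/0", "::/0" ]
    }
}
'''

# Constructed comparison policy (hypothetical, not from the post): only two
# agent subnets, the IPv6 loopback, and one hostname entry.
NARROW_DEF_JSON_TEXT = '''
{
    "vars": {
        "acl": [ "10.0.0.0/8", "192.0.2.0/24", "::1", "hub.example.com" ]
    }
}
'''


def parse_acl(def_json_text, key="acl"):
    """Return (networks, unparsed) for vars[key] in a def.json document.

    Entries that are IP addresses or CIDR blocks become ip_network objects;
    anything else (hostnames, regexes) is returned separately so the caller
    knows this script could not evaluate it.
    """
    data = json.loads(def_json_text)
    entries = data.get("vars", {}).get(key, [])
    networks, unparsed = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            unparsed.append(entry)
    return networks, unparsed


def is_admitted(agent_ip, def_json_text, key="acl"):
    """True if agent_ip falls inside any network listed under vars[key]."""
    addr = ipaddress.ip_address(agent_ip)
    networks, _ = parse_acl(def_json_text, key)
    # A v4 address is never "in" a v6 network and vice versa, so ::/0 alone
    # would not admit an IPv4 agent.
    return any(addr in net for net in networks)


def wide_open_entries(def_json_text, key="acl"):
    """Entries with a /0 prefix, i.e. every address of that IP family."""
    networks, _ = parse_acl(def_json_text, key)
    return [str(net) for net in networks if net.prefixlen == 0]


def diagnose(agent_ip, def_json_text):
    """One finding per line, the way you'd read it during a bootstrap failure."""
    lines = []
    if is_admitted(agent_ip, def_json_text):
        lines.append("agent %s is admitted by the acl" % agent_ip)
    else:
        lines.append("agent %s is NOT in the acl: add its address or subnet" % agent_ip)
    for entry in wide_open_entries(def_json_text):
        lines.append("acl entry %s admits every host of that IP family" % entry)
    _, unparsed = parse_acl(def_json_text)
    for entry in unparsed:
        lines.append("acl entry %r is not an IP/CIDR; not evaluated here" % entry)
    return lines


if __name__ == "__main__":
    for text in (DEF_JSON_TEXT, NARROW_DEF_JSON_TEXT):
        for line in diagnose("192.0.2.10", text):
            print(line)
        print("--")
```

Run it with the hub's real def.json (for example `json.load(open("/var/cfengine/masterfiles/def.json"))`, a path you would confirm on your own hub) and the address the failing agent connects from; a "NOT in the acl" line explains the "socket closed" error in the post, while a "/0" line tells you the hub accepts connections from anywhere.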

Sources: