SELinux on DNSonly losing connection

[Ray Hayes]

About 2 days ago our DNSonly server (NS2) was hit with the SELinux bug (if no SELinux was enabled or a config file did not exist, an update would add it...and it was enabled).

The DNS went completely down until SELinux was disabled.

I am now able to access the dns server in the cluster...BUT, at random times now it drops...

Could not connect to https://xxx.xxx.xx.xx:2087/scripts2/getzones_local: Could not read from SSL socket: 'SSL read error'
at /usr/local/cpanel/3rdparty/perl/526/lib64/perl5/5.26.0/HTTP/Tiny.pm line 1191

If I log into NS1 and re-enable it, it works again for a while. (NOTE: the xxx is IP and not name...example https://111.222.33.44:2087 and not the hostname, which would be ns2.dnsonly.com...as an example, which seems odd...)

All IP's have been added to CPHulk and whitelisted. All firewall rules (APF) allow access to the IP...just now, randomly, it breaks.

Thoughts

 

[Ray Hayes]

I feel this may be a hijack, but I am gaining zero traction on this issue.

I was hit with the SELinux bug. It has since been repaired. But, now this has created a new issue. This was a DNSOnly server that was hit (NS2). It is part of a cluster. Since this bug, the first node (NS1) keeps disconnecting from the DNSonly node.

Could not connect to https://xxx.xxx.xx.xx:2087/scripts2/getzones_local: Could not read from SSL socket: 'SSL read error'
at /usr/local/cpanel/3rdparty/perl/526/lib64/perl5/5.26.0/HTTP/Tiny.pm line 1191

This of course, disables the dnsonly server. I can go back in, reconnect, and it is fine...for a while. (Side note: The third server in the cluster, NS3, has NOT disconnected. It is ONLY on the main server (ns1).)

Nothing has changed on either device, except for the loss of service on ns2 (dnsonly) due to the SELinux bug.

This is taking a lot of my time to review, and the fact that the only issue was this stupid bug...I am at a loss. (NOTE: IP's have been whitelisted, etc since the inception of this setup almost 2 years ago.)

Hopefully I can get some input on this.

 

[cPanelLauren]

Hi @Ray Hayes

I'm unsure what would cause this behavior but it might be best if we were able to investigate on the box itself.
Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[Ray Hayes]

cPanel dnsonly ID# 11268763 - Underway. Hope to hear what weirdness this may be.

 

[cPanelLauren]

Hi @Ray Hayes


Thanks for that I'm watching that ticket and I can see we've already begun troubleshooting. I'll update here with the resolution as soon as it's available.


Thanks!

 

[Ray Hayes]

At this point, there is no solution. Something blocks the master unit of the cluster from writing to the DNSOnly machine. I even bailed and went ahead and completely reinstalled from scratch. EXACT same error after all was said and done.

The only concern I have is the constant SSL errors. As I reviewed the SSL's on the DNSOnly unit, I do not see the one I installed. Only self-signed. I then saw this...

cPanel DNSonly SSL No Records Found error

I quote "Note this issue only affects the visibility of the certificate in "WHM >> Manage Service SSL Certificates", as the certificate itself is installed successfully". Is it? If so, why am I seeing so many "Could not connect to https://serverip - Could not read from SSL socket: 'SSL read error'"

This has caused a lot of frustration. I had hoped to get closure...but, right now, I am stuck trying to be all Columbo.

I will update if I find anything.

 

[Ray Hayes]

Fighting a losing battle...but, I have verified one thing. It has boiled down to one specific server. I currently have all of the other nodes reconnected to the DNSOnly node. Any changes in Zone Editor are written immediately to that DNS.

But, on the main node with problems...the following error keeps popping up in DNSAdmin logs.

substr outside of string at /usr/local/cpanel/Cpanel/Gzip/ungzip.pm line 74.
Use of uninitialized value in unpack at /usr/local/cpanel/Cpanel/Gzip/ungzip.pm line 74.
Use of uninitialized value in numeric eq (==) at /usr/local/cpanel/Cpanel/Gzip/ungzip.pm line 74.

Is this dnsadmin? But, I know support updated dnsadmin to the latest.

What could that be?

 

[Ray Hayes]

Issue solved!

Decided to use an alternate vps/droplet provider than Vultr (where the original broken NS node existed.)...Digital Ocean. The new ns server is humming along, and with zero issues. And considerably faster.

So...moral? Be wary if using certain hosting providers and Vultr...who knows...they may be blocking Vultr....and yet, we will really never know what happened.

 

[cPanelLauren]

Hi @Ray Hayes

Interesting, vultr uses their own templates when provisioning their VPS's it may have been some misconfiguration within the template. I'm really glad to hear you got it all resolved!

Thanks!