Hi,
Using maas snap 2.8.6-8602-g.07cdffcaa.
I was investigating why enlistment of some machines was failing, and realized that the local time on these nodes was 7000 years in the future, and that was making TLS certificate verification fails.
Sadly I don’t have logs anymore, and I’m not sure where a server getting enlisted uses HTTPS, but perhaps MAAS should sync time from NTP as early as possible during enlistment ?
@axino, not sure what you’re suggesting. enlistment isn’t supposed to change the machines being enlisted; we could (and maybe already do) an NTP sync up on the MAAS side, but that isn’t going to solve this problem. are you suggesting that MAAS should check the time on these machines and refuse to enlist them, in this case?
If enlistment isn’t supposed to change anything at all on the machines, I’m suggesting we surface that they are years in the future (or in the past) to MAAS operators, also informing them that it means that TLS certification verification will always fail, and so TLS (meaning, among other things, https) will not be usable.
I’m also suggesting to add the option “Set the time using NTP during enlistment”, and I’d suggest that the default value should be “true” - I don’t know any use case where an operator would want to keep a out of date machine which prevents enlistment, which prevents MAAS from working at all.
It’s also very tedious to fix manually, since enlistment doesn’t install MAAS credentials on the BMC, one has to go to the BIOS and set the time there, manually, for each machine.
Thanks !