OP5 Monitor - How to fix "License signature is invalid".

Problem description

After following the guide to add the OP5 Monitor license file, the message "UNKNOWN: License signature is invalid: /etc/op5license/op5license.lic" is being shown and the GUI becomes inaccessible. A stack trace file was also generated.

Note that monitoring and notifications will not stop due to this.

Solution

Some operating systems may have different security protocols enabled on an OS-level. You may see the "UNKNOWN: License signature is invalid: /etc/op5license/op5license.lic" error due to a SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED error. To verify if that is the case, run the command below in the CLI:

# export OP5_LICENSE_DEBUG=1

Then run a sample license check command:

# /opt/plugins/check_op5_license -T d -w 30 -c 15
[INFO] (op5/license_reader.c:188) Opening license file: /etc/op5license/op5license.lic
[ERROR] (op5/license_reader.c:374: errno: None) Failed to verify signer info for signer 0, status = "BadSignature" (SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED)
[ERROR] (op5/license_reader.c:490: errno: None) Failed to load license content (License signature is invalid)
[ERROR] (op5/license.c:128: errno: None) Failed to load lua: License signature is invalid
UNKNOWN: License signature is invalid: /etc/op5license/op5license.lic

In the above, it can be seen that the error is SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED. To change this, run the following to set the policy to DEFAULT only:

# update-crypto-policies --set DEFAULT 
Setting system policy to DEFAULT 
Note: System-wide crypto policies are applied on application start-up. 
It is recommended to restart the system for the change of policies 
to fully take place.

# update-crypto-policies --show 
DEFAULT

The license should now work. Run the sample license check again to verify:

# /opt/plugins/check_op5_license -T d -w 30 -c 15 
0 year(s) 10 month(s) 0 day(s) left|'left'=304;@30;@15

Problem description - license outage

At 14:21CET on 2019-02-13 all installations of Monitor gave an error message saying "There was an error rendering the page. Please contact your administrator."

This error message was accompanied by a stack-trace with the following details:

"License signature is invalid: /etc/op5license/op5license.lic"

Because of the error, the Web-UI was not accessible. It did not affect the monitoring and alarms.

Solution

The problem can be solved by updating the packages libop5license and php-op5license.

yum clean all
yum update libop5license php-op5license
service httpd restart

Offline installation

If you are one of our customers that use Red Hat Satellite Server, local yum repo sync, or your OP5 Monitor servers do not have internet access. You can manually download and install the fix with the below instructions. If your servers are completely offline, you will have to download these files and transfer them to your OP5 Monitor servers manually.

# Mon 7
# EL7
wget http://repos.op5.com/el7/x86_64/monitor/7/updates/libop5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
wget http://repos.op5.com/el7/x86_64/monitor/7/updates/php-op5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
yum install libop5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
yum install php-op5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
systemctl restart httpd

# EL6
wget http://repos.op5.com/el6/x86_64/monitor/7/updates/libop5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
wget http://repos.op5.com/el6/x86_64/monitor/7/updates/php-op5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
yum install libop5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
yum install php-op5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
service httpd restart

# MON8
# EL7
wget http://repos.op5.com/el7/x86_64/monitor/8/updates/libop5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
wget http://repos.op5.com/el7/x86_64/monitor/8/updates/php-op5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
yum install libop5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
yum install php-op5license-2017.e.1-p1.g46be440.20190213153344.el7.x86_64.rpm
systemctl restart httpd

# EL6
wget http://repos.op5.com/el6/x86_64/monitor/8/updates/php-op5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
wget http://repos.op5.com/el6/x86_64/monitor/8/updates/libop5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
yum install php-op5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
yum install libop5license-2017.e.1-p1.g46be440.20190213153344.el6.x86_64.rpm
service httpd restart

This page will be updated.

Known issues

Dell repository not working

You may see the following error when updating:

yum update (...)
Could not retrieve mirrorlist http://linux.dell.com/repo/hardware/latest/mirrors.cgi?osname=el6&basearch=x86_64&native=1
error was 14: Peer cert cannot be verified or peer cert invalid
Error: Cannot find a valid baseurl for repo: dell-system-update_dependent

This can be solved by temporarily only enabling the op5-monitor-updates repository:

yum --disablerepo=* --enablerepo=op5-monitor-updates update libop5license php-op5license

Repository op5-monitor-updates is listed more than once in the configuration

Have a look in what files this repo is listed:

grep -rni "op5-monitor-updates" /etc/yum.repos.d/

Likely, you will see it listed in both op5-monitor and op5-release:

/etc/yum.repos.d/op5-monitor.repo:8:[op5-monitor-updates] /etc/yum.repos.d/op5-release.repo:9:[op5-monitor-updates]

Move the "op5-monitor" repo away (as it duplicates op5-release), and try the update again:

mv -v /etc/yum.repos.d/op5-monitor.repo /root
yum clean all
yum --disablerepo=* --enablerepo=op5-monitor-updates update libop5license php-op5license