From: Uwe Werler <uwe@werler.is>
Subject: Re: Salt master on -stable and communication with minions on -current 3006.7 version
To: ports@openbsd.org, Mikolaj Kucharski <mikolaj@kucharski.name>, Robert Nagy <robert@openbsd.org>
Date: Wed, 6 Mar 2024 09:26:55 +0100

Hi all,

it seems that it has to do with eol in minion keys:

https://github.com/saltstack/salt/issues/66126
There's also a PR: https://github.com/saltstack/salt/pull/66140

Best regards

Uwe

On 05 Mar 17:24, Uwe Werler wrote:
> Hi Mikolaj,
> 
> to upgrade minions to a higher version than the master is usually a bad idea.
> 
> I noticed the same problem. Installed salt on my Alpine machines (3006.7) and lost connection to the master. But after upgrading my master to 3006.7 my OpenBSD minions (3006.5) lost connection too. When I registered the minions anew the keys were stored under accepted keys and immediately under denied keys too. I guess this has something to do with the upgrades in cryptography/pyopenssl. I didn't investigate further but upgraded all machines to 3006.7.
> 
> Best regards
> 
> Uwe
> 
> On 5 March 2024 16:29:55 CET, Mikolaj Kucharski <mikolaj@kucharski.name> wrote:
> >Hi Robert.
> >
> >I've noticed this problem on my Debian Bookworm machines, which recently
> >got upgraded to 3006.7 and now I also see this on my OpenBSD -current,
> >which also started to run 3006.7 minions. I have Salt master running
> >on OpenBSD -stable with salt-3006.3 and minions after upgrade to 3006.7
> >lost communication to the master:
> >
> >openbsd-current-minion# tail -n10 /var/log/salt/minion
> >The master public key can be found at:
> >/etc/salt/pki/minion/minion_master.pub
> >2024-03-05 15:13:22,252 [salt.minion:1157][ERROR   ][44088] Error while bringing up minion for multi-master. Is master at fde4:f456:48c2:13c0::1 responding? The error message was Unable to sign_in to master: Invalid master key
> >2024-03-05 15:13:32,719 [salt.crypt:1188][ERROR   ][44088] The master key has changed, the salt master could have been subverted, verify salt master's public key
> >2024-03-05 15:13:32,721 [salt.crypt:803 ][CRITICAL][44088] The Salt Master server's public key did not authenticate!
> >The master may need to be updated if it is a version of Salt lower than 3006.7, or
> >If you are confident that you are connecting to a valid Salt Master, then remove the master public key and restart the Salt Minion.
> >The master public key can be found at:
> >/etc/salt/pki/minion/minion_master.pub
> >2024-03-05 15:13:32,727 [salt.minion:1157][ERROR   ][44088] Error while bringing up minion for multi-master. Is master at fde4:f456:48c2:13c0::1 responding? The error message was Unable to sign_in to master: Invalid master key
> >
> >I didn't check whether upgrading the master to 3006.7 helps. I don't want
> >to touch my -stable machines. I could setup Salt master on -current
> >and test, but all this problem started on Debian and OpenBSD after
> >minion upgrade to 3006.7. I do follow -stable packages and syspatch
> >on my 7.4-stable machines, but given the upgrade on Debian and OpenBSD,
> >I suspect a compatibility issue on the Salt side.
> >
> >openbsd-salt-master# sysctl -n kern.version
> >OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
> >    root@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> >
> >openbsd-salt-master# ls -lhtnr /var/db/pkg/ | tail
> >drwxr-xr-x  2 0  0   512B Jan 17 23:23 brotli-1.0.9p0
> >drwxr-xr-x  2 0  0   512B Jan 17 23:23 taskd-1.1.0p5
> >drwxr-xr-x  2 0  0   512B Feb  7 02:50 ngtcp2-0.19.1
> >drwxr-xr-x  2 0  0   512B Feb  7 02:50 nghttp3-0.15.0
> >drwxr-xr-x  2 0  0   512B Feb  7 02:50 nghttp2-1.57.0
> >drwxr-xr-x  2 0  0   512B Feb  7 02:50 git-2.42.0
> >drwxr-xr-x  2 0  0   512B Feb  7 02:50 curl-8.6.0
> >drwxr-xr-x  2 0  0   512B Feb 14 00:47 libunbound-1.19.1
> >drwxr-xr-x  2 0  0   512B Feb 14 00:47 gnutls-3.8.3
> >drwxr-xr-x  2 0  0   512B Feb 24 17:56 quirks-6.160
> >
> >
> >openbsd-current-minion# sysctl -n kern.version
> >OpenBSD 7.5 (GENERIC.MP) #53: Sun Mar  3 22:36:54 MST 2024
> >    deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> >
> >Are you aware of this problem? Ports mailing list, did you notice this,
> >by any chance?
> >
> >-- 
> >Regards,
> > Mikolaj
> >
> 
> -- 
> Mit freundlichen Grüssen / Með bestu kveðju / With kind regards
> 
> Uwe Werler

-- 
wq: ~uw
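
The minion log quoted above offers removing `minion_master.pub` as the way out, and the follow-up points at end-of-line handling in the keys. The sketch below is an added example, not code from this thread or from Salt. It shows one way to check, before discarding a pinned key, whether two PEM copies differ only in line endings or in actual key material. All names and sample bytes are constructed for illustration, and the SHA-256 value is a hash over the decoded bytes for this comparison only.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)

def pem_der(pem: bytes) -> bytes:
    """Decode the first PEM block to DER, ignoring every line ending and space."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)

def fingerprint(pem: bytes) -> str:
    """SHA-256 over the decoded key, so EOL differences cannot change it."""
    return hashlib.sha256(pem_der(pem)).hexdigest()

def compare_keys(pinned: bytes, offered: bytes) -> str:
    """Classify how the pinned copy and the copy read from the master differ."""
    if pinned == offered:
        return "identical"
    if pem_der(pinned) == pem_der(offered):
        return "same-key-different-eol"   # only whitespace / line endings differ
    return "different-key"                # key material changed: investigate

def _pem(der: bytes, eol: bytes, trailing: bytes) -> bytes:
    """Build a PEM block from constructed bytes (sample helper, not a real key)."""
    b64 = base64.b64encode(der)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([b"-----BEGIN PUBLIC KEY-----", *body,
                     b"-----END PUBLIC KEY-----"]) + trailing

# Constructed sample data: arbitrary bytes standing in for key material.
DER_A = b"constructed bytes standing in for a master public key " * 4
DER_B = DER_A[:-1] + b"!"
PINNED = _pem(DER_A, b"\n", b"")              # stored without trailing newline
OFFERED_LF = _pem(DER_A, b"\n", b"\n")        # same key, trailing newline added
OFFERED_CRLF = _pem(DER_A, b"\r\n", b"\r\n")  # same key, CRLF line endings
OFFERED_OTHER = _pem(DER_B, b"\n", b"\n")     # genuinely different key

if __name__ == "__main__":
    for name, offered in [("LF", OFFERED_LF), ("CRLF", OFFERED_CRLF),
                          ("OTHER", OFFERED_OTHER)]:
        print(name, compare_keys(PINNED, offered), fingerprint(offered)[:16])
```

On a real system the two inputs would be the minion's pinned copy and a copy of the master's public key obtained over a channel you already trust.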