It took downgrading to latest in PC1 to find that the error was really about the CN of ActiveMQ certificate not matching the hostname. I had been using the mcollective-servers certificate. This is new behavior and found this: https://tickets.puppetlabs.com/browse/MCO-771
I modified my middleware profile to use the host's puppet certificate and that seems to resolve the error. On Friday, October 6, 2017 at 4:53:39 PM UTC-4, Trey Dockendorf wrote: > > I am upgrading my test environment to Puppet5 by first updating PuppetDB > and Puppetserver to latest Puppet 5 release. Since the upgrade my upgraded > clients fail to connect with ActiveMQ but my Puppet 3.8.6 clients with > mcollective 2.9.0 are working just fine. This environment is entirely > isolated from production so it has its own Puppet CA, PuppetDB, ActiveMQ, > etc. > > I have verified the checksum of certs and keys between puppet5 and puppet3 > clients are the same. The server.cfg is identical except the path for > libdir, logfiles and replacing /etc/mcollective/ssl with > /etc/puppetlabs/mcollective/ssl > > The activemq configuration and keystores did not change as part of the > upgrade. > > Here's error on ActiveMQ side: > 2017-10-06 16:50:23,160 [c.edu] Task-189] ERROR TransportConnector > - Could not accept connection from null: java.io.IOException: > javax.net.ssl.SSLException: Received fatal alert: internal_error > > Error on mcollective side: > > I, [2017-10-06T16:47:10.737736 #125968] INFO -- : activemq.rb:139:in > `on_ssl_connecting' Establishing SSL session with stomp+ssl:// > mcollect...@puppet-test.ten.osc.edu:61614 > E, [2017-10-06T16:47:10.742182 #125968] ERROR -- : activemq.rb:149:in > `on_ssl_connectfail' SSL session creation with stomp+ssl:// > mcollect...@puppet-test.ten.osc.edu:61614 failed: SSL_connect returned=1 > errno=0 state=error: certificate verify failed > I, [2017-10-06T16:47:10.742347 #125968] INFO -- : activemq.rb:129:in > `on_connectfail' TCP Connection to stomp+ssl:// > mcollect...@puppet-test.ten.osc.edu:61614 failed on attempt 9 > > Thanks, > - Trey > > -- --- You received this message because you are subscribed to the Google Groups "mcollective-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to mcollective-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.