Issue #1525 has been updated by bureado.

This problem is also present on 0.24.5 (Debian Lenny) -- I've recently deployed Apache/Mongrel in front of my puppetmasterd, and now the puppetd on the puppetmasterd host can't sync:

Sep 6 16:45:07 host puppetd[23706]: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert decrypt error

All other (two, ATM) puppetd's can happily connect to the puppetmasterd using Apache as their proxy.

I used the second Apache configuration at http://reductivelabs.com/trac/puppet/wiki/UsingMongrel for this. This is a snippet of my Apache configuration for this:

--8<--
SSLEngine on
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLCertificateFile /var/lib/puppet/ssl/certs/host.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/host.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

<Location />
    Order allow,deny
    Allow from all
</Location>

ProxyPass / http://127.0.0.1:18140/
ProxyPassReverse / http://127.0.0.1:18140/
ProxyPreserveHost on
--8<--

----------------------------------------
Bug #1525: local host fails to sync with mongrel/apache2
http://reductivelabs.com/redmine/issues/show/1525

Author: madduck
Status: Re-opened
Priority: Normal
Assigned to:
Category: mongrel
Target version:
Complexity: Unknown
Affected version: 0.24.4
Keywords:

After switching to mongrel (and recreating the certificate for the local puppetd), the local puppetd won't sync with puppet anymore:

err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction: Certificates were not trusted: tlsv1 alert decrypt error

All other hosts connecting via the network work fine.

It was suggested on IRC to comment SSLCARevocationFile in the apache2 config, but this did not make the problem go away.

`openssl s_client -connect puppetmaster.madduck.net:8140` doesn't output anything different when run locally.

`openssl crl -in /var/lib/puppet/ssl/ca/ca_crl.pem -text` seems happy.

`openssl x509 -in /var/lib/puppet/ssl/certs/vera.madduck.net.pem` also seems happy.

An strace file of the puppetd run is attached.

Local puppet.conf is:

[puppetd]
server=puppetmaster.madduck.net

[puppetmasterd]
certname=puppetmaster.madduck.net
