Issue #899 has been updated by Brice Figureau.
Brendan Beveridge wrote:
> Following the guide on: http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
>
> running: puppetd --test --server localhost
> gives me: err: Could not retrieve configuration: Certificates were not
> trusted: tlsv1 alert decrypt error
>
> in the apache balancer logs I get:
> [warn] Invalid signature on CRL
> [error] Certificate Verification: Error (8): CRL signature failure
>
> If I comment out the revocation file all works fine.

This afternoon, ohadlevy (sorry I don't know his real name) and I traced down this issue and found a work-around.

This is what I think is a bug in apache mod_ssl (other balancers, like Nginx or Pound, are not affected). Mod_ssl implements its own CRL checking instead of using the OpenSSL one. This specific algorithm first tries to load a CRL whose name is the client subjectDN. If it finds one, it checks its signature against the cert public key. Unfortunately, when we run puppetd on the same host as the puppetmaster, puppetd uses the same cert as the puppetmaster _server_ certificate. This certificate subject matches the CRL issuer, so apache loads this CRL and tries to validate it with this public key. Unfortunately again, this CRL has been signed by the CA, not the server certificate, so it fails.

The workaround is to generate a new certificate on the puppetmaster which uses a different subjectDN than the server cert, then use the --certname puppetd option when running puppetd with this new name.

The long term solution I think is to either sign the CRL with the server public key, or issue a CA cert with a different subjectDN than the server certname (if that's possible).
----------------------------------------
Bug #899: CRL signature failure when using apache/mongrel
http://projects.reductivelabs.com/issues/899

Author: Brendan Beveridge
Status: Accepted
Priority: Normal
Assigned to:
Category: mongrel
Target version:
Complexity: Unknown
Patch: None
Affected version: 0.24.8
Keywords:

Following the guide on: http://reductivelabs.com/trac/puppet/wiki/UsingMongrel

running: puppetd --test --server localhost
gives me: err: Could not retrieve configuration: Certificates were not trusted: tlsv1 alert decrypt error

in the apache balancer logs I get:
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure

This is using the current versions:
puppet: 0.23.2
apache: 2.2.6
mongrel: 1.1

config is per the URL's details.

If I comment out the revocation file all works fine.
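The failure Brice Figureau describes in his comment above is a CRL being signature-checked with the key of a certificate that merely has the same subject DN as the CRL issuer. The script below is an added example, not code from the bug report, Puppet, or Apache: it builds a throw-away CA with the openssl CLI, issues a leaf certificate that shares the CA's subject DN (the puppetmaster server cert situation), and then verifies the CRL against each certificate. It does not run mod_ssl; it uses OpenSSL's own `openssl crl -CAfile` verification, which also picks the verifying certificate by subject name, so it reproduces the same mismatch. The DN `puppet.example.test`, the file names and the 30-day validity are constructed for the demo; it assumes an OpenSSL-compatible `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or from Puppet/Apache): reproduce the
# CRL signature mismatch described in the comment with a throw-away PKI.
# All names below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"
DN="/CN=puppet.example.test"   # constructed DN shared by the CA and the leaf cert

# Minimal config: a [req] section so 'openssl req' needs no system openssl.cnf,
# and just enough [ca] state for 'openssl ca -gencrl'.
write_config() {
    : > "$WORK/index.txt"
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
}

# CA key/cert, an (empty) CRL signed by the CA key, and a leaf certificate that
# is issued by the CA but carries the CA's own subject DN, like the puppetmaster
# server certificate in the report.
setup_pki() {
    write_config
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$DN" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "$DN" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.crt" 2>/dev/null
}

# Check the CRL signature the way a name-based lookup does: take the certificate
# in $1 whose subject equals the CRL issuer and verify with its public key.
# 'openssl crl -CAfile' selects that certificate by subject name only, which is
# the same trap the comment attributes to mod_ssl. Prints OK or FAIL.
crl_sig_check() {
    if openssl crl -in "$WORK/ca.crl" -noout -CAfile "$1" 2>&1 | grep -q 'verify OK'; then
        echo OK
    else
        echo FAIL
    fi
}

check_against_ca()   { crl_sig_check "$WORK/ca.crt"; }    # the real signer
check_against_leaf() { crl_sig_check "$WORK/leaf.crt"; }  # same DN, wrong key

# The issuer DN alone cannot tell the two certificates apart; that is the root
# of the problem.
show_crl_issuer() { openssl crl -in "$WORK/ca.crl" -noout -issuer; }

setup_pki
echo "CRL issuer:                 $(show_crl_issuer)"
echo "CRL checked with CA cert:   $(check_against_ca)"     # OK
echo "CRL checked with leaf cert: $(check_against_leaf)"   # FAIL
```

The same `openssl crl -in <crl> -noout -CAfile <cert>` check is a quick way to confirm, on a real balancer host, which certificate actually signed the CRL handed to mod_ssl: it should print `verify OK` for the CA certificate and `verify failure` for a server certificate that happens to share the issuer's DN, matching the `[error] Certificate Verification: Error (8): CRL signature failure` line in the Apache log.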
