Issue #3640 has been updated by Markus Roberts.

Status changed from Accepted to Needs more information
Assigned to set to Ohad Levy
Ohad -- Re-reading the ticket for the Nth time, something struck me. You say:

<blockquote>
I'm attaching a simple script (and output) showing that using simple net/https works, while using puppet internally does not.
</blockquote>

but the output you attached shows it *failing,* not working:

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>

My reading of this is that the certificate verification failed, but you went ahead and used it anyway (the equivalent of clicking "use it anyway" on the "I'm feeling lucky/trusting/gullible" pop-up in a browser). In other words, your script appears to show that it's not just puppet that's objecting to the cert.

Agree? Disagree? Thoughts?

-- Markus

----------------------------------------
Bug #3640: Puppet SSL verification is broken with multiple chained certificates
http://projects.puppetlabs.com/issues/3640

Author: Ohad Levy
Status: Needs more information
Priority: Normal
Assigned to: Ohad Levy
Category: SSL
Target version:
Affected version: 0.25.5rc1
Keywords:
Branch:

Hi, it seems that 0.25.x SSL is broken when using a chained CA.

I'm attaching a simple script (and output) showing that using simple net/https works, while using puppet internally does not. It doesn't seem to be related to the SSL initialization itself, rather to something else.

h2. example script

<pre>
require 'net/https'
require 'puppet/network/http_pool'

args   = ["puppet", 8140]
header = { "Accept" => "pson" }
url    = "/development/file_content/facts/somefact.rb"

# First attempt: go through Puppet's own HTTP pool, which sets up SSL
# from the Puppet settings (host key, host cert, local CA cert).
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get(url, header)
rescue
  warn $!
end

# Second attempt: the same request with plain net/https, loading the
# same key, certificate and CA file that Puppet is configured with.
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]
puts http.get(url, header)
</pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
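The "certificate verify failed" error in the ticket comes down to whether the verifier can build a chain from the server's leaf certificate up to a trusted root. The following Ruby script is an added illustration and is not part of the ticket, of Puppet's code, or of either poster's script: it generates an in-memory root CA, intermediate CA and server leaf (all names, keys and serials are constructed here), then checks the leaf against an OpenSSL::X509::Store the way a VERIFY_PEER client would, under the three configurations that matter for a chained CA: root-only trust store with a leaf-only handshake, root-only store with the intermediate sent by the peer, and a CA bundle that already contains the intermediate (the role Puppet[:localcacert] plays in the script above).

```ruby
require 'openssl'

# Issue one X.509 v3 certificate. issuer_cert/issuer_key are nil for a
# self-signed root. This models the "chained CA" layout from the ticket;
# it is not Puppet's CA code.
def issue_cert(subject, key, issuer_cert, issuer_key, ca, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
    ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed test hierarchy: root -> intermediate -> leaf ("puppet").
def build_chain
  root_key  = OpenSSL::PKey::RSA.new(2048)
  inter_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key  = OpenSSL::PKey::RSA.new(2048)
  root  = issue_cert("/CN=Test Root CA", root_key, nil, root_key, true, 1)
  inter = issue_cert("/CN=Test Intermediate CA", inter_key, root, root_key, true, 2)
  leaf  = issue_cert("/CN=puppet", leaf_key, inter, inter_key, false, 3)
  { root: root, intermediate: inter, leaf: leaf }
end

# Case 1: trust store holds only the root and the peer presents only its
# leaf. The chain builder cannot find the leaf's issuer, so verification
# fails; error_string explains why.
def verify_root_only(chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(chain[:root])
  ok = store.verify(chain[:leaf])
  [ok, store.error_string]
end

# Case 2: the peer sends the intermediate alongside its leaf, as a server
# configured with its full chain would. The root-only store now suffices.
def verify_with_sent_intermediate(chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(chain[:root])
  store.verify(chain[:leaf], [chain[:intermediate]])
end

# Case 3: the local CA bundle contains root and intermediate, so even a
# leaf-only handshake verifies. This is what a complete ca_file gives you.
def verify_with_full_bundle(chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(chain[:root])
  store.add_cert(chain[:intermediate])
  store.verify(chain[:leaf])
end

# A bare signature check is not chain validation: it proves the
# intermediate signed the leaf, but says nothing about trusting the signer.
def signature_only(chain)
  chain[:leaf].verify(chain[:intermediate].public_key)
end

if __FILE__ == $0
  chain = build_chain
  ok, err = verify_root_only(chain)
  puts "root only, leaf alone:        #{ok} (#{err})"
  puts "root only, intermediate sent: #{verify_with_sent_intermediate(chain)}"
  puts "root+intermediate bundle:     #{verify_with_full_bundle(chain)}"
  puts "signature check alone:        #{signature_only(chain)}"
end
```

The practical reading for a client with verify_mode = VERIFY_PEER: a chained server certificate verifies only if the intermediate arrives in the handshake or is already in the CA file the client loads, and a `rescue` that merely warns and carries on converts a failed verification into exactly the "use it anyway" behaviour Markus describes, so a handshake exception should be treated as a hard failure rather than logged past.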
