Issue #3640 has been updated by Ohad Levy.
As expected, Luke's patch is working: http://github.com/lak/puppet/commit/bb07664e22ef7c035576e25c8ed699990365626d

I took an existing 0.24.8 client, upgraded it to 0.25.5 and got the client working fine. However, when I'm trying to use the 0.25.5 master to sign a new CA, it fails. It seems that puppet is really unhappy if the certs/ca.pem file contains other certificates. AFAIK, this is the place to put the top-level CA pub key; however, the puppetmaster keeps replacing the content of this file to match the local CA pub key (ca/ca_crt.pem).

From the log:
<pre>
Removing file Puppet::SSL::Certificate ca at '/var/lib/puppet/ssl/certs/ca.pem'
Retrieved certificate does not match private key
Signed certificate request for ca
Starting Puppet server version 0.25.5
</pre>
----------------------------------------
Bug #3640: Puppet SSL verification is broken with multiple chained certificates
http://projects.puppetlabs.com/issues/3640

Author: Ohad Levy
Status: Needs more information
Priority: Normal
Assigned to: Ohad Levy
Category: SSL
Target version:
Affected version: 0.25.5rc1
Keywords:
Branch:

Hi,

it seems that 0.25.x SSL is broken when using a chained CA. I'm attaching a simple script (and output) showing that using simple net/https works, while using puppet internally does not. It doesn't seem to be related to the SSL initialization itself, rather to something else.

h2. example script

<pre>
require 'net/https'
require 'puppet/network/http_pool'

args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"

# 1. Fetch through Puppet's own HTTP pool (Puppet's SSL setup)
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end

# 2. Fetch through plain Net::HTTP with the same key, cert and CA file
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]
puts http.get url, header
</pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
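Added example (not part of the report, and not Puppet's code) showing the verification behaviour the report is about: a trust store loaded from a ca_file holding only one CA certificate cannot verify a server certificate issued by an intermediate, while a bundle holding the whole chain can. The root, intermediate and leaf certificates and their names are constructed in memory for the demonstration.

```ruby
require 'openssl'
require 'tempfile'

# Constructed root -> intermediate -> leaf chain (not a real Puppet CA) so the
# store behaviour can be checked offline without any puppetmaster.
def issue_cert(subject, key, issuer: nil, issuer_key: nil, serial: 1, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject   # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY  = OpenSSL::PKey::RSA.new(2048)
INTER_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
ROOT  = issue_cert('/CN=Example Root CA', ROOT_KEY, ca: true)
INTER = issue_cert('/CN=Example Puppet CA', INTER_KEY, issuer: ROOT, issuer_key: ROOT_KEY, serial: 2, ca: true)
LEAF  = issue_cert('/CN=puppet', LEAF_KEY, issuer: INTER, issuer_key: INTER_KEY, serial: 3)

# Verify LEAF the way a client with ca_file does: trust only what the PEM bundle
# contains. Returns [ok, error_string] so the failure reason stays visible.
def verify_with_bundle(leaf, *bundle_certs)
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(bundle_certs.map(&:to_pem).join)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path)          # loads every certificate in the bundle
    ok = store.verify(leaf)
    [ok, ok ? nil : store.error_string]
  end
end

if $PROGRAM_NAME == __FILE__
  p verify_with_bundle(LEAF, ROOT)         # bundle holds the root only: fails
  p verify_with_bundle(LEAF, ROOT, INTER)  # bundle holds the whole chain: verifies
end
```

The first call fails with "unable to get local issuer certificate" because nothing in the store links the leaf to the root, which is the situation a client is in when ca.pem is rewritten down to a single CA certificate.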
