Issue #4226 has been updated by Jeff McCune.
Affected version deleted (2.6.0rc2)
In order to reproduce this error, I ran the master on a CentOS 5.5 virtual
machine and the agent on Mac OS X 10.6.4. The error seems to come from the
openssl library of the agent.
r...@vivian:~# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
r...@vivian:~# envpuppet ruby --version
ruby 1.8.5 (2006-08-25) [x86_64-linux]
r...@vivian:~# cat /etc/redhat-release
CentOS release 5.5 (Final)
r...@vivian:~#
On the agent:
2612 ~ % openssl version
OpenSSL 0.9.8l 5 Nov 2009
2613 ~ % ruby --version
ruby 1.8.7 (2009-06-12 patchlevel 174) [universal-darwin10.0]
2615 ~ % sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.4
BuildVersion: 10F569
On the master, clear out ssldir then run:
puppet master --verbose --no-daemonize
On the agent, run
puppet agent --test --server mock.puppetlabs.vm
This causes the error:
2602 puppet:upstream/2.6.x % envpuppet puppetd --test --server
vivian.puppetlabs.vm
err: Could not retrieve catalog from remote server: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
To fix the problem, clear the SSL and CA certificates on the master and restart
with a CA name other than the FQDN:
r...@vivian:~# envpuppet puppetmasterd --verbose --no-daemonize --ca_name
"Puppet CA $(hostname)"
----------------------------------------
Bug #4226: Puppet ca_name configuration setting should not default to the fqdn
of the host.
http://projects.puppetlabs.com/issues/4226
Author: Jeff McCune
Status: Accepted
Priority: Normal
Assignee:
Category:
Target version:
Affected version:
Keywords: ssl ca crl certificate revocation
Branch:
Overview:
There are numerous issues with enabled checking of certificate revocation list
(CRL) files. These issues appear to be caused by the CN field of the CA
certificate exactly matching the CN field of the SSL certificate used on the
puppet master host.
One possible solution is to change the default value of the CN field for the CA
certificate to be distinct and unique from the CN field of the SSL certificate
on the puppet master. This may be accomplished by changing the default value
of the ca_name configuration setting to something other than the FQDN of the
host.
Expected Behavior:
CRL checking should work when enabled.
Actual Behavior:
CRL checking does not work when the CN field of the CA certificate exactly
matches the CN field of the SSL server certificate.
Steps to reproduce:
Create a default puppet master SSL setup where by the CN name of both the CA
and SSL certificates is the FQDN of the host.
Enable SSL CRL checking on the puppet master.
Notice that CRL checking fails due to a conflict and confusion over the correct
certificate to use.
Suggested fix:
Change the behavior of the ca_name configuration setting to create a CA
certificate with a CN of:
"Puppet CA #{Facter["fqdn"].value}"
rather than the current behavior of "#{Facter["fqdn"].value}" or
"${Facter["hostname"].value}.#{Facter["domain"].value}"
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-bugs?hl=en.
