Issue #3770 has been updated by Nigel Kersten.

Assignee deleted (Ohad Levy)
Target version set to Telly
Affected Puppet version deleted (0.25.5rc1)

----------------------------------------
Bug #3770: Puppet SSL verification is broken with multiple chained certificates
https://projects.puppetlabs.com/issues/3770

Author: Ohad Levy
Status: Accepted
Priority: Normal
Assignee:
Category: SSL
Target version: Telly
Affected Puppet version:
Keywords:
Branch:

Hi,

It seems that 0.25.x SSL is broken when using a chained CA.

I'm attaching a simple script (and output) showing that using simple net/https works, while using puppet internally does not.

It doesn't seem to be related to the SSL initialization itself, rather to something else.

h2. example script

<pre>
require 'net/https'
require 'puppet/network/http_pool'

args   = ["puppet", 8140]
header = { "Accept" => "pson" }
url    = "/development/file_content/facts/somefact.rb"

# 1) Request through Puppet's own HTTP pool
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end

# 2) Same request through plain net/https, using Puppet's certificate settings
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config

http = Net::HTTP.new(*args)
http.use_ssl     = true
http.cert_store  = OpenSSL::X509::Store.new
http.key         = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert        = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file     = Puppet[:localcacert]
puts http.get url, header
</pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
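
Whatever the cause of this particular bug turns out to be, how Ruby's OpenSSL bindings verify a host certificate issued by an intermediate CA can be checked offline. The following is an added example, not part of the original report or of Puppet's code; the certificate names and the helpers `make_cert` and `verify_chain` are made up for illustration.

```ruby
require 'openssl'

# Constructed test PKI (all names are made up): root CA -> intermediate CA -> host cert.
def make_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new
         .create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true)
  cert.add_extension(bc)
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Returns [verified?, OpenSSL error string] for `leaf` against the given trust anchors.
# `untrusted` stands in for chain certificates the peer sends during the handshake.
def verify_chain(leaf, trusted:, untrusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  [ctx.verify, ctx.error_string]
end

ROOT_KEY, INT_KEY, HOST_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Example Root CA', ROOT_KEY, nil, nil, ca: true, serial: 1)
INTERMEDIATE = make_cert('Example Intermediate CA', INT_KEY, ROOT, ROOT_KEY, ca: true, serial: 2)
HOST = make_cert('puppet.example.test', HOST_KEY, INTERMEDIATE, INT_KEY, ca: false, serial: 3)

CASES = {
  'root only, peer sends no chain' => verify_chain(HOST, trusted: [ROOT]),
  'root only, peer sends intermediate' => verify_chain(HOST, trusted: [ROOT], untrusted: [INTERMEDIATE]),
  'bundle with root and intermediate' => verify_chain(HOST, trusted: [ROOT, INTERMEDIATE]),
  'intermediate only, root missing' => verify_chain(HOST, trusted: [INTERMEDIATE])
}
CASES.each { |name, (ok, err)| puts format('%-36s %-5s %s', name, ok, err) }
```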
