Issue #3770 has been updated by Nigel Kersten.
To provide some context, I asked the dev team to spend some time investigating the scope of this fix, and it was non-trivial, enough that it's been pushed off to Telly. Unlike previous releases however, expect to see Telly code commits starting to make their way to the dev list in the next month.

----------------------------------------
Bug #3770: Puppet SSL verification is broken with multiple chained certificates
https://projects.puppetlabs.com/issues/3770

Author: Ohad Levy
Status: Accepted
Priority: Normal
Assignee:
Category: SSL
Target version: Telly
Affected Puppet version:
Keywords:
Branch:

Hi, it seems that 0.25.x SSL is broken when using a chained CA. I'm attaching a simple script (and output) showing that using simple net/https works, while using Puppet internally does not. It doesn't seem to be related to the SSL initialization itself, rather to something else.

h2. example script

<pre>
require 'net/https'
require 'puppet/network/http_pool'

args   = ["puppet", 8140]
header = { "Accept" => "pson" }
url    = "/development/file_content/facts/somefact.rb"

# First attempt: the connection Puppet builds for itself, with peer
# verification forced on. This is the path that fails with a chained CA.
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get(url, header)
rescue => e
  warn e
end

# Second attempt: plain Net::HTTP using the same host key, host cert and
# local CA file that Puppet's settings point at. This path succeeds.
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config

http = Net::HTTP.new(*args)
http.use_ssl     = true
http.cert_store  = OpenSSL::X509::Store.new
http.key         = OpenSSL::PKey::RSA.new(File.read(Puppet[:hostprivkey]))
http.cert        = OpenSSL::X509::Certificate.new(File.read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file     = Puppet[:localcacert]
puts http.get(url, header)
</pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
