Issue #8858 has been updated by Daniel Pittman.

Subject changed from 'Puppet registration with master with Ruby 1.9.2' to 'Ruby 1.9 defaults HTTPS connections to "peer verify" rather than "no verify"'
Description updated
Category set to SSL
Status changed from Needs More Information to Accepted
Assignee changed from Ryan Conway to Daniel Pittman
Target version set to 2.7.x
Affected Puppet version set to 2.7.0
Branch set to https://github.com/puppetlabs/puppet/pull/831

Turns out that the default peer verify mode in Ruby 1.8.7 is "none" and in 1.9 
is "peer verify", causing this problem.  Instead of accepting the default we 
should be explicit about what we actually want in terms of verification, fixing 
the problem.

https://github.com/puppetlabs/puppet/pull/831 has a fix for 2.7.x.
----------------------------------------
Bug #8858: Ruby 1.9 defaults HTTPS connections to "peer verify" rather than "no verify"
https://projects.puppetlabs.com/issues/8858#change-64192

Author: Ryan Conway
Status: Accepted
Priority: Normal
Assignee: Daniel Pittman
Category: SSL
Target version: 2.7.x
Affected Puppet version: 2.7.0
Keywords: 
Branch: https://github.com/puppetlabs/puppet/pull/831


When using Puppet 1.9.2 and trying to register the agent with a master, it 
fails to obtain the master certificate, and therefore fails to complete 
registration or retrieve and apply a configuration.

    /usr/local/bin/puppetd --server mypuppetmaster.domain.com --no-daemonize --onetime

produces errors along the lines of:

    err: Could not request certificate: SSL_connect returned=1 errno=0 
    state=SSLv3 read server certificate B: certificate verify failed

In order to fix this, you need to do the following *before* running the initial 
registration:


  Obtain your openssl base directory:    
    openssl version -d
  This results in something like /usr/lib/openssl/

  Copy your PuppetMaster CA.pem to somewhere, like /etc/puppet/ssl/certs/masterca.pem

  Generate a hash of the masterca.pem file:
    openssl x509 -hash -noout -in /etc/puppet/ssl/certs/masterca.pem
  This results in something like '520f3686'.

  Symlink the hash into your openssl basedir, within the certs directory, appending .0:
    ln -s /etc/puppet/ssl/certs/masterca.pem /usr/lib/openssl/certs/520f3686.0

  Finally, re-run the registration, which should now work as expected.
    /usr/local/bin/puppetd --server mypuppetmaster.domain.com --no-daemonize --onetime

I found the workaround on the following thread:
    https://groups.google.com/group/puppet-users/browse_thread/thread/fa49f1b9b36ceac6/72bf694d4e2f3012?pli=1


Note: if you have already tried to register with a master, you will need to 
clear your /etc/puppet/ssl directory before trying these steps; otherwise the 
cached versions will be used, and the workaround will fail.

This only seems to affect Ruby 1.9.
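The verify-mode difference Daniel Pittman describes in his update and the hashed CA directory the workaround above builds, reproduced as an added Ruby example. This is not Puppet's code, the reporter's, or the code in pull request 831; it stands up a local TLS server with a constructed CA and server certificate, then connects four ways: VERIFY_NONE (the Ruby 1.8.7 default), VERIFY_PEER with no trust store (the Ruby 1.9 default, which fails with the same "certificate verify failed" the report shows), VERIFY_PEER with the CA added to the client's store, and VERIFY_PEER with a CA directory holding the CA as `<subject hash>.0`, the layout the `openssl x509 -hash` plus symlink steps produce. The CA name, the use of localhost, the port, and the function names are assumptions made for the demo.

```ruby
# Added example, not Puppet code: shows why an HTTPS client must set the
# OpenSSL verify mode and trust store itself instead of relying on the
# interpreter's default (VERIFY_NONE on Ruby 1.8.7, VERIFY_PEER on 1.9).
# The CA, server certificate, host and port are constructed for the demo.
require 'openssl'
require 'socket'
require 'tmpdir'

# Build a self-signed CA (ca: true) or a CA-signed server certificate.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Minimal TLS server on 127.0.0.1 answering one request per connection.
def start_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  listener = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(listener, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept
      rescue StandardError
        break if listener.closed?  # demo finished
        next                       # client rejected our cert; keep serving
      end
      nil until (line = conn.gets).nil? || line == "\r\n"  # drain request headers
      conn.write("HTTP/1.0 200 OK\r\n\r\nok")
      conn.close
    end
  end
  [listener.addr[1], listener, thread]
end

# One client connection with an explicit verify mode and optional trust store.
def connect_outcome(port, verify_mode, store: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode   # set explicitly; never inherit the default
  ctx.cert_store = store if store # the piece Ruby 1.9 needs once it verifies
  ctx.verify_hostname = true      # check the name too, not only the chain
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.sync_close = true
  sock.hostname = 'localhost'
  sock.connect
  sock.write("GET / HTTP/1.0\r\n\r\n")
  sock.read.start_with?('HTTP/1.0 200') ? :ok : :bad_reply
rescue OpenSSL::SSL::SSLError => e
  e.message.include?('certificate verify failed') ? :verify_failed : :other_error
ensure
  sock.close if sock
end

def run_demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = make_cert('/CN=Constructed Test CA', ca_key, 1, ca: true)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert('/CN=localhost', srv_key, 2, issuer_cert: ca_cert, issuer_key: ca_key)
  port, listener, thread = start_server(srv_cert, srv_key)
  explicit_store = OpenSSL::X509::Store.new
  explicit_store.add_cert(ca_cert)
  results = {}
  Dir.mktmpdir do |capath|
    # Same layout as the report's workaround: the CA saved as <subject hash>.0.
    File.write(File.join(capath, format('%08x.0', ca_cert.subject.hash)), ca_cert.to_pem)
    hashed_store = OpenSSL::X509::Store.new
    hashed_store.add_path(capath)
    results = {
      ruby18_default_verify_none: connect_outcome(port, OpenSSL::SSL::VERIFY_NONE),
      ruby19_default_no_ca:       connect_outcome(port, OpenSSL::SSL::VERIFY_PEER),
      explicit_peer_with_ca:      connect_outcome(port, OpenSSL::SSL::VERIFY_PEER, store: explicit_store),
      peer_with_hashed_capath:    connect_outcome(port, OpenSSL::SSL::VERIFY_PEER, store: hashed_store)
    }
  end
  listener.close
  thread.join(5) || thread.kill
  results
end

run_demo.each { |name, outcome| puts "#{name}: #{outcome}" } if __FILE__ == $PROGRAM_NAME
```

Two things to take from it. First, `ruby19_default_no_ca` fails only because the client verifies without having been told what to trust; the fix is the explicit verify mode plus a trust store, not switching back to VERIFY_NONE, which would leave the agent unable to tell the real master from anything else answering on port 8140. Second, `OpenSSL::X509::Name#hash` formatted as eight hex digits is the same value `openssl x509 -hash` prints, which is why a file or symlink named `<hash>.0` in a directory passed to `add_path` (or the OpenSSL default certs directory) is found; `Name#hash_old` gives the older OpenSSL 0.9.8-style name if you need to populate such a directory.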

