Issue #8858 has been updated by Matthaus Litteken.

Status changed from Merged - Pending Release to Closed
Target version changed from 2.7.15 to 2.7.16

Released in Puppet 2.7.16rc1
----------------------------------------
Bug #8858: Ruby 1.9 defaults HTTPS connections to "peer verify" rather than "no verify"
https://projects.puppetlabs.com/issues/8858#change-64548

Author: Ryan Conway
Status: Closed
Priority: Normal
Assignee: Daniel Pittman
Category: SSL
Target version: 2.7.16
Affected Puppet version: 2.7.0
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/831

When using Puppet 1.9.2, when trying to register the agent with a master, it fails to obtain the master certificate, and therefore fails to complete registration or retrieve and apply a configuration.

    /usr/local/bin/puppetd --server mypuppetmaster.domain.com --no-daemonize --onetime

produces errors along the lines of:

    err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

In order to fix this, you need to do the following *before* running the initial registration:

Obtain your openssl base directory:

    openssl version -d

This results in something like /usr/lib/openssl/

Copy your PuppetMaster CA.pem to somewhere, like /etc/puppet/ssl/certs/masterca.pem

Generate a hash of the masterca.pem file:

    openssl x509 -hash -noout -in /etc/puppet/ssl/certs/masterca.pem

This results in something like '520f3686'.

Symlink the hash into your openssl basedir, within the certs directory, appending .0:

    ln -s /etc/puppet/ssl/certs/masterca.pem /usr/lib/openssl/certs/520f3686.0

Finally, re-run the registration, which should now work as expected.

    /usr/local/bin/puppetd --server mypuppetmaster.domain.com --no-daemonize --onetime

The workaround I found on the following thread:
https://groups.google.com/group/puppet-users/browse_thread/thread/fa49f1b9b36ceac6/72bf694d4e2f3012?pli=1

Note: if you have already tried to register with a master, you will need to clear your /etc/puppet/ssl directory, before trying these steps, otherwise the cached versions will be used, and the workaround will fail.

This only seems to affect Ruby 1.9.
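
Why the hashed symlink in the workaround makes peer verification succeed, as an added Ruby example that is not part of the original report or of Puppet's code: OpenSSL locates a CA in a certs directory by the file name `<subject hash>.0`. The CA, the leaf certificate, the helper names and the temporary directory are all constructed here as assumptions, so nothing touches the system trust store.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed certificate; with no issuer it is a self-signed CA.
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# File name OpenSSL looks for in a hashed certs directory (same value as `openssl x509 -hash`).
def hashed_name(cert)
  format('%08x.0', cert.subject.hash)
end

# Peer-verify style check: trust only what the hashed directory provides.
def verifies?(leaf, certs_dir)
  store = OpenSSL::X509::Store.new
  store.add_path(certs_dir)
  store.verify(leaf)
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Puppet CA', ca_key)
  leaf = make_cert('mypuppetmaster.domain.com', OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  Dir.mktmpdir do |dir|
    certs = File.join(dir, 'certs')
    Dir.mkdir(certs)
    pem = File.join(dir, 'masterca.pem')
    File.write(pem, ca.to_pem)
    before = verifies?(leaf, certs) # empty directory: issuer cannot be found
    File.symlink(pem, File.join(certs, hashed_name(ca)))
    { before: before, after: verifies?(leaf, certs), link: hashed_name(ca) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```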
