Issue #16624 has been reported by Clint Savage.

----------------------------------------
Bug #16624: Using FreeIPA as CA with apache/mod_passenger fails to connect via SSL
https://projects.puppetlabs.com/issues/16624

Author: Clint Savage
Status: Unreviewed
Priority: Normal
Assignee:
Category: SSL
Target version:
Affected Puppet version: 2.6.17
Keywords:
Branch:

I'm not sure this is explicitly a puppet bug, but I can say that it's not an SSL bug. The configuration I'm using is based upon the blog article here: http://ignore.tv/2012/01/16/using-the-freeipa-pki-with-puppet/. My configuration is set up similarly to the one in the article.

After generating the certificate on the master (for the puppet agent), I attempt to run puppet agent --test. The results are printed as follows:

err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert bad certificate

When I check the httpd logs, I find the following:

[error] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication

Additionally, when I run 'openssl s_client -host puppet.int.example.org -port 8140 -cert /etc/puppet/ssl/public_keys/puppet.int.example.org.pem -key /etc/puppet/ssl/private_keys/puppet.int.example.org.pem -CAfile /root/ipa-cacert.pem', it returns the following:

-----END CERTIFICATE-----
subject=/O=EXAMPLE.ORG/CN=puppet.int.example.org
issuer=/O=EXAMPLE.ORG/CN=Certificate Authority
---
Acceptable client certificate CA names
/C=US/O=example.com/CN=Certificate Shack
/O=EXAMPLE.ORG/CN=puppet.int.example.org
/O=EXAMPLE.ORG/CN=Certificate Authority
---
SSL handshake has read 2262 bytes and written 2638 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 4B6DFE5141A49FCDFF86EDB0CA9C67C46F8872C587F27E0EBDF288DF17AD3365
    Session-ID-ctx:
    Master-Key: 0350879005FBAEE9938D5762095AE1137DDFB054486CAD9E019C95599266F859B572E6D7B4AE7949A8E2E3E39199590C
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1348780398
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

The above I understand means that the certificates are valid with the FreeIPA CA and work perfectly.

I'm happy to provide more information as necessary.

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
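Added here as an illustration, not part of the report or of Puppet: a small parser for the tail of the `openssl s_client` output quoted above. It pulls out the server certificate's subject and issuer, the "Acceptable client certificate CA names" list the server advertised, and the verify return code, so a client certificate's issuer can be checked against the CA list the server actually sent rather than guessed at. The sample text is a constructed copy of the report's output with the certificate body elided.

```python
import re

# Constructed sample: the tail of the s_client session from the report above,
# with the PEM body and most session details elided.
SAMPLE = """\
-----END CERTIFICATE-----
subject=/O=EXAMPLE.ORG/CN=puppet.int.example.org
issuer=/O=EXAMPLE.ORG/CN=Certificate Authority
---
Acceptable client certificate CA names
/C=US/O=example.com/CN=Certificate Shack
/O=EXAMPLE.ORG/CN=puppet.int.example.org
/O=EXAMPLE.ORG/CN=Certificate Authority
---
SSL handshake has read 2262 bytes and written 2638 bytes
---
    Verify return code: 0 (ok)
---
closed
"""


def parse_s_client(output):
    """Return the server cert subject/issuer, the advertised client-CA DNs
    and the verify return code from s_client's text output.
    If the server sent no CA list ("No client certificate CA names sent"),
    acceptable_cas stays empty."""
    info = {"subject": None, "issuer": None, "acceptable_cas": [], "verify_code": None}
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):]
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):]
        elif line == "Acceptable client certificate CA names":
            # DNs follow, one per line, until the next "---" separator.
            i += 1
            while i < len(lines) and not lines[i].strip().startswith("---"):
                info["acceptable_cas"].append(lines[i].strip())
                i += 1
            continue
        else:
            m = re.match(r"Verify return code: (\d+)", line)
            if m:
                info["verify_code"] = int(m.group(1))
        i += 1
    return info


def client_cert_acceptable(client_issuer, info):
    """True if the client cert's issuer DN is one the server said it accepts."""
    return client_issuer in info["acceptable_cas"]
```

A client issuer that is absent from the advertised list is a likely cause of a "bad certificate" alert; when it is present and the verify code is 0, as in the report, the trust chain on the client side is not the discrepancy to chase.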
