Issue #16624 has been updated by eric sorenson.
Description updated
Status changed from Unreviewed to Needs More Information
Assignee set to Clint Savage
What are the values for your agent's and master's SSL configuration? Specifically, the permutations of:
`sudo puppet {agent,master} --configprint {cacert,localcacert,certname}`
I am not sure that I would fully expect this to work, despite what the blog
post says. See #3120, #3143 and related bugs.
----------------------------------------
Bug #16624: Using FreeIPA as CA with apache/mod_passenger fails to connect via
SSL
https://projects.puppetlabs.com/issues/16624#change-74732
Author: Clint Savage
Status: Needs More Information
Priority: Normal
Assignee: Clint Savage
Category: SSL
Target version:
Affected Puppet version: 2.6.17
Keywords:
Branch:
I'm not sure this is explicitly a puppet bug, but I can say that it's not an
SSL bug. The configuration I'm using is based upon the blog article here:
http://ignore.tv/2012/01/16/using-the-freeipa-pki-with-puppet/. My
configuration is set up similarly to the one in the article. After generating
the certificate on the master (for the puppet agent), I attempt to run puppet
agent --test. The results are printed as follows:
`err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert bad certificate`
When I check the httpd logs, I find the following:
`[error] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication`
Additionally, when I run `openssl s_client -host puppet.int.example.org -port 8140 -cert /etc/puppet/ssl/public_keys/puppet.int.example.org.pem -key /etc/puppet/ssl/private_keys/puppet.int.example.org.pem -CAfile /root/ipa-cacert.pem`, it returns the following:
<pre>
-----END CERTIFICATE-----
subject=/O=EXAMPLE.ORG/CN=puppet.int.example.org
issuer=/O=EXAMPLE.ORG/CN=Certificate Authority
---
Acceptable client certificate CA names
/C=US/O=example.com/CN=Certificate Shack
/O=EXAMPLE.ORG/CN=puppet.int.example.org
/O=EXAMPLE.ORG/CN=Certificate Authority
---
SSL handshake has read 2262 bytes and written 2638 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 4B6DFE5141A49FCDFF86EDB0CA9C67C46F8872C587F27E0EBDF288DF17AD3365
Session-ID-ctx:
Master-Key:
0350879005FBAEE9938D5762095AE1137DDFB054486CAD9E019C95599266F859B572E6D7B4AE7949A8E2E3E39199590C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1348780398
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
</pre>
The above I understand means that the certificates are valid with the FreeIPA
CA and work perfectly.
I'm happy to provide more information as necessary.
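A cross-check for an `openssl s_client` transcript like the one quoted in the report, added here as an example (not code from the ticket or from Puppet): it parses the client certificate's subject and issuer, the CA names the server advertised as acceptable, and the verify result, then reports whether the issuer is one the server said it accepts. `SAMPLE` is a constructed, abbreviated copy of the transcript above.

```python
"""Parse and sanity-check an `openssl s_client` client-certificate transcript."""
import re

# Constructed sample, abbreviated from the transcript in the bug report.
SAMPLE = """\
subject=/O=EXAMPLE.ORG/CN=puppet.int.example.org
issuer=/O=EXAMPLE.ORG/CN=Certificate Authority
---
Acceptable client certificate CA names
/C=US/O=example.com/CN=Certificate Shack
/O=EXAMPLE.ORG/CN=puppet.int.example.org
/O=EXAMPLE.ORG/CN=Certificate Authority
---
SSL handshake has read 2262 bytes and written 2638 bytes
---
    Verify return code: 0 (ok)
---
"""


def parse_s_client(text):
    """Extract subject, issuer, advertised CA names and verify code from s_client output."""
    info = {"subject": None, "issuer": None, "ca_names": [], "verify_code": None}
    in_ca_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):]
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):]
        elif line == "Acceptable client certificate CA names":
            in_ca_block = True          # following lines, up to '---', are DNs
        elif line == "No client certificate CA names sent":
            in_ca_block = False         # server advertised no CA list at all
        elif line == "---":
            in_ca_block = False
        elif in_ca_block:
            info["ca_names"].append(line)
        else:
            m = re.match(r"Verify return code: (\d+)", line)
            if m:
                info["verify_code"] = int(m.group(1))
    return info


def check_client_cert(text):
    """Return findings; an empty list means the transcript is internally consistent."""
    info = parse_s_client(text)
    findings = []
    if info["verify_code"] != 0:
        findings.append("server chain did not verify against -CAfile (code %r)" % info["verify_code"])
    if info["issuer"] not in info["ca_names"]:
        findings.append("client cert issuer %r is not in the server's acceptable CA list" % info["issuer"])
    return findings
```

Feed it the full transcript (for example, `check_client_cert(open("s_client.log").read())`) to see at a glance whether the agent certificate's issuer matches what the master advertises.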