Issue #21029 has been updated by Mark Barry.

I have come across a similar problem where the puppet master is Linux (Linux 
pmaster 2.6.18-348.18.1.el5 #1 SMP Fri Sep 6 12:37:18 EDT 2013 x86_64 x86_64 
x86_64 GNU/Linux) and some agents are running on Solaris 10 (SunOS pagent 5.10 
Generic_148888-01 sun4v sparc sun4v). 

The workaround that I used was to initially create the puppet master on a 
Solaris host, then copy the ssl directory across to the Linux host.
Solaris:
puppet master --certname pmaster.domain.name --confdir /var/tmp/pm 
--no-daemonize --debug --vardir /var/tmp
cd /var/tmp
/usr/sfw/bin/gtar zcf ssl.tgz ssl
Linux:
cd [confdir]
gtar zxf /var/tmp/ssl.tgz
puppet master --confdir [confdir] --no-daemonize --debug

Restarting the "puppet agent" initialisation process then produces usable 
certificates on the Solaris hosts.

Further host information
Solaris openssl:
/usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004
Linux openssl:
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008


----------------------------------------
Feature #21029: Allow control over the digest used to create CA certificates
https://projects.puppetlabs.com/issues/21029#change-98973

* Author: Jan Örnstedt
* Status: Accepted
* Priority: Low
* Assignee: 
* Category: 
* Target version: 
* Affected Puppet version: 3.2.1
* Keywords: sha256 openssl digest solaris
* Branch: 
----------------------------------------
If the puppet master uses SHA256 as the digest on the CA cert, then agents with 
older versions of openssl will not be able to verify the CA cert, making it 
impossible for an OS such as Solaris 10 to connect to a master running on 
Solaris 11.

So far I have not found any method of downrevving the digest algorithm to SHA1 
except for reissuing the certs with openssl directly.

<pre>
Master:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53

# openssl verify  -CAfile ca.pem agent.pem
agent.pem: OK

# openssl x509 -text -noout -in ca.pem  | grep Signature
        Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

# openssl version
OpenSSL 1.0.0j 10 May 2012

Agent:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53

# openssl verify  -CAfile ca.pem agent.pem 
agent.pem: /CN=agent
error 7 at 0 depth lookup:certificate signature failure

# openssl x509 -text -noout -in ca.pem  | grep Signature
        Signature Algorithm: 1.2.840.113549.1.1.11
    Signature Algorithm: 1.2.840.113549.1.1.11

# openssl version
OpenSSL 0.9.7d 17 Mar 2004
</pre>
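Added example, not code from the Puppet project or from either poster: a small DER walker that reports a certificate's signature algorithm and flags whether an OpenSSL 0.9.7-era verifier can check it. It covers what both posts are about: the agent-side "certificate signature failure" in the issue (the old build prints 1.2.840.113549.1.1.11 as a bare OID because it does not know sha256WithRSAEncryption), and the workaround in the comment above of generating the CA on the old-OpenSSL host, whose result you can confirm by running this check over the CA certificate in the copied ssl directory. The set of "legacy-verifiable" OIDs and the skeleton sample certificates are assumptions constructed for this example, not data from the thread; the samples carry no real key or signature.

```python
"""Report an X.509 certificate's signature algorithm OID and whether a legacy
(OpenSSL 0.9.7-era) verifier can check it.  Added example; see lead-in."""
import base64
import re

OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Assumption: an OpenSSL 0.9.7-era build (like the agent's 0.9.7d in the issue,
# which prints 1.2.840.113549.1.1.11 as a bare OID) knows only MD5/SHA1 with RSA.
LEGACY_VERIFIABLE = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_oid(buf, pos):
    """Read an AlgorithmIdentifier SEQUENCE at pos and return its OID."""
    tag, start, _ = _read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    otag, ostart, oend = _read_tlv(buf, start)
    if otag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(buf[ostart:oend])


def signature_algorithms(der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID).
    RFC 5280 requires them to match; both lines appear in the
    'openssl x509 -text | grep Signature' output quoted in the issue."""
    tag, cstart, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, after_tbs = _read_tlv(der, cstart)   # tbsCertificate
    if tag != 0x30:
        raise ValueError("expected tbsCertificate SEQUENCE")
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    tag, _, end = _read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    return _algorithm_oid(der, end), _algorithm_oid(der, after_tbs)


def check_certificate(der):
    """Name the signing algorithm and say whether a legacy verifier can check it."""
    inner, outer = signature_algorithms(der)
    if inner != outer:
        raise ValueError(f"signature algorithm mismatch: tbs={inner} outer={outer}")
    return {"oid": outer, "name": OID_NAMES.get(outer, outer),
            "legacy_openssl_can_verify": outer in LEGACY_VERIFIABLE}


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed sample input: skeleton certs, no real key or signature ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def build_sample_cert(tbs_oid, outer_oid=None):
    """Constructed skeleton: only the fields the checker reads are meaningful;
    issuer/validity/subject/SPKI are empty placeholders and the signature bits
    are zeros, so this cert will not verify with any tool."""
    def alg(oid):
        return _der(0x30, _encode_oid(oid) + b"\x05\x00")  # parameters = NULL
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))       # [0] version v3
                     + _der(0x02, b"\x01")                 # serialNumber
                     + alg(tbs_oid)                        # signature
                     + _der(0x30, b"") * 4)                # placeholder fields
    return _der(0x30, tbs + alg(outer_oid or tbs_oid) + _der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        print(check_certificate(build_sample_cert(oid)))
```

To run it over a real file, read ca.pem and call check_certificate(pem_to_der(text)); a result with legacy_openssl_can_verify set to False on the CA certificate is exactly the situation the "error 7 at 0 depth lookup:certificate signature failure" output above reflects, and re-running after the Solaris-generated ssl directory has been copied across should report sha1WithRSAEncryption instead. The mismatch check matters because the inner and outer algorithm fields are both shown by openssl and a certificate where they disagree is malformed, not merely old.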



-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
Visit this group at http://groups.google.com/group/puppet-bugs.