Hi guys, I am hitting a problem while upgrading/testing Puppet v3, something I missed during my earlier testing, affecting AIX 5.3 only (actually I've only got AIX 5.3/6.1 to play with, so I can't be certain it only affects 5.3). I can say that it doesn't appear to affect any of my Solaris (5.8-5.10) or my HP-UX (11.23) hosts.
After upgrading to puppet 3.1.0 on both master & client (where the master is running Red Hat Linux) I get the following when trying to use the signed certificate:

myaix53client[/]# /opt/freeware/bin/puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com] Could not retrieve file metadata for puppet://mymaster.mydomain.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]

I've googled and seen numerous hits, in both the Puppet Users list and in blogs, suggesting as a root cause either a time synchronisation problem (ruled out for me, as it's affecting my entire AIX 5.3 fleet) or a problem with the SSL cert that's being presented by the Puppet Master.
Posts suggest blowing away $ssldir on both master/client ought to fix the second possibility, but it hasn't for me. Experimentation with openssl s_client shows that I get the same response from the server on AIX 5.3 as I do on AIX 6.1 (where it works). Here is an example from the AIX 5.3 client:

myaix53client[/]# /opt/freeware/bin/openssl s_client -connect mymaster:8140 -CApath /var/lib/puppet/ssl/certs
depth=1 CN = Puppet CA: mymaster.mydomain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000004)
---
Certificate chain
 0 s:/CN=mymaster.mydomain.com
   i:/CN=Puppet CA: mymaster.mydomain.com
 1 s:/CN=Puppet CA: mymaster.mydomain.com
   i:/CN=Puppet CA: mymaster.mydomain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICqzCCAhSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAwMS4wLAYDVQQDDCVQdXBw
ZXQgQ0E6IHB1cGducGFwcGwwMDEub3B0dXMuY29tLmF1MB4XDTEyMDgwNjA2MDc1
NFoXDTE3MDgwNjA2MDc1NFowJTEjMCEGA1UEAwwacHVwZ25wYXBwbDAwMS5vcHR1
cy5jb20uYXUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMtJ/p3FmrFTb2Nr
43C2duoizB+8DtHUULjEvgCbg1YCmHemW1mAl3aUjYFbPR4dsEmJh32+IXjZw4Mn
5QeO8H40hJJ2jDj3vyegG/z1HC532WuAV3JEeIw5N6l3z6v4UFkCS29PABzozEKI
7awR7blQOOzt2CQx7bb5khnzwxUnAgMBAAGjgd8wgdwwQgYDVR0RBDswOYIacHVw
Z25wYXBwbDAwMS5vcHR1cy5jb20uYXWCBnB1cHBldIITcHVwcGV0Lm9wdHVzLmNv
bS5hdTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSd0VfbkcEwLB9Y8VnWMZrpjZ0A
RjAOBgNVHQ8BAf8EBAMCBaAwNwYJYIZIAYb4QgENBCoWKFB1cHBldCBSdWJ5L09w
ZW5TU0wgSW50ZXJuYWwgQ2VydGlmaWNhdGUwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAHhsQsX8jfaG51E4aYLOcNO0
ebeSuGY8eglZg903S9PCPPIrpGtfYDBh0YCZpRPxo2Ya3kTU7OnK6mCTslmnLeuS
KQKRv4Fv7VRjaF55PIx8gmiZ3hW68zbVQNb1p3rL0yDOSBYLdUs4KYcQawJQVNog
OBV2mRiyAB04r6APyMjl
-----END CERTIFICATE-----
subject=/CN=mymaster.mydomain.com
issuer=/CN=Puppet CA: mymaster.mydomain.com
---
No client certificate CA names sent
---
SSL handshake has read 1869 bytes and written 418 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4C5033405A55AEDA43025C1AE1350211811230DCEF6E9F8956492772B7710750
    Session-ID-ctx:
    Master-Key: 5471D567F94E7EC9AFD96E0D3CEEC26EEB288DCD33246B11FFCF6AD8C8FDA3B1A8CEB47F63881557E4D3F3D3276DC425
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1360555895
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

Variations on this command, compared against similar commands from a working AIX 6.1 client, show similar output.

I also tried generating the certificate on the master using https://gist.github.com/ahpook/1182243:

mymaster# puppet cert --generate myaix53client.mydomain.com

and then copying it to the appropriate directories, and I got the same result.

This leads me to suspect I am encountering a bug in puppet - although I can't be certain. I can't see any open bug that seems to match. I note that my AIX 5.3 fleet's openssl doesn't support SHA256 - see http://projects.puppetlabs.com/issues/17295. The patch I submitted there was only tested on HP-UX, which at the time was the only platform I had identified the issue on. That said, I can't see how lack of SHA256 could be the root cause; why would it then work fine on my HP-UX, where I likewise lack SHA256?

So, just wondering if anyone out there can think of anything else I can try? At worst, this is a showstopper that completely prevents the use of Puppet on AIX 5.3 - which is an old release, I guess, but I suspect lots of people still use it. At the moment, I can't, at any rate, find a workaround. At best, it's certainly a showstopper for me. :-)

Kind regards,
Alex Harvey
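Editor's note, added after the post above and not part of it or of Puppet's own code: the Ruby script below reproduces, with an in-memory CA and server certificate (constructed here; the CN values are borrowed from the post, and nothing in it touches a real Puppet master), the three outcomes a client's chain verification can have for a Puppet-style setup. It shows that OpenSSL verify error 19, the code both `openssl s_client` and the agent reported above, specifically means "the server sent its self-signed CA in the handshake, but the client's trust store does not contain it", as distinct from error 20 ("issuer not found anywhere") and from a successful verify when ca.pem is trusted. It also checks whether the local Ruby/OpenSSL build knows a given digest, the SHA256 question raised in the post.

```ruby
require 'openssl'

# Added example, not Puppet's code: build a throwaway CA and a server
# certificate signed by it, then show which trust-store setups produce
# OpenSSL verify error 19 ("self signed certificate in certificate chain").

def make_cert(subject:, key:, serial:, issuer: nil, issuer_key: nil, ca: false,
              digest: 'SHA256')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                  # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new(digest))
  cert
end

# Verify server_cert the way a TLS client does. `trusted` is what the client
# holds in its trust store (for Puppet: $ssldir/certs/ca.pem); `presented` is
# the extra chain the server sends in the handshake (the depth=1 CA cert in the
# s_client output). Returns [ok, error_code, error_string].
def verify_chain(server_cert, trusted: [], presented: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert, presented)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

# Does this Ruby/OpenSSL build know the digest at all? A build without SHA256
# raises here instead of returning a Digest object.
def digest_supported?(name)
  OpenSSL::Digest.new(name)
  true
rescue RuntimeError, OpenSSL::OpenSSLError
  false
end

# Constructed test material; CN values mirror the ones in the post.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert(subject: '/CN=Puppet CA: mymaster.mydomain.com',
                        key: CA_KEY, serial: 1, ca: true)
SERVER_CERT = make_cert(subject: '/CN=mymaster.mydomain.com', key: SERVER_KEY,
                        serial: 2, issuer: CA_CERT, issuer_key: CA_KEY)

if __FILE__ == $PROGRAM_NAME
  puts "signature algorithm: #{SERVER_CERT.signature_algorithm}"
  puts "SHA256 available:    #{digest_supported?('SHA256')}"
  # 1. CA sent by the server but absent from the trust store -> error 19,
  #    the code `openssl s_client -CApath ...` reported in the post.
  p verify_chain(SERVER_CERT, presented: [CA_CERT])
  # 2. CA neither trusted nor presented -> error 20 (local issuer not found).
  p verify_chain(SERVER_CERT)
  # 3. CA in the trust store -> verification succeeds.
  p verify_chain(SERVER_CERT, trusted: [CA_CERT], presented: [CA_CERT])
end
```

One caveat for anyone repeating the `s_client` comparison from the post: `-CApath` expects a directory of certificates named by subject hash (what `c_rehash` produces), and Puppet's `$ssldir/certs` holds `ca.pem` and `<certname>.pem` instead, so with `-CApath` the CA is never found and return code 19 appears on every platform whether or not the agent works. `-CAfile /var/lib/puppet/ssl/certs/ca.pem` makes the client-side check comparable to what the agent actually does, which is case 3 above when it succeeds.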