I'm not aware that we've seen anything like this in our testing, although I have pinged the rest of the team. We probably have not seen the issue because 2.7.x, which the 'aix' branch is based on, is still heavily tied to MD5 rather than SHA256. Recently we've been focusing on getting basic types working, you know, like 'Package' or 'Service'.

We've been developing and testing against AIX 5.3, 6.1 and 7.1.

-Jeff

On Mon, Feb 11, 2013 at 2:07 AM, Andy Parker <a...@puppetlabs.com> wrote:
> Alex, what version of openssl is on the AIX 5.3 machine? If it is working on one version of AIX and not the other, I suspect it might be a version difference of the libraries that is causing problems. The PE team has been working on getting AIX support in puppet. Their work is currently being merged into the "aix" branch in the puppetlabs/puppet repo, you might consider taking a look at that to see if they have fixed this. The work is based on the 2.7.x branch, I believe, since they want to get it into PE, which is still using puppet 2.7. Once they have everything ready, I think the plan is to merge the changes forward into the master branch and not into the 2.7 branch. I could be wrong about that, though.
>
> Jeff, I know your team has been working on AIX support, have you seen anything like this? Also, what version of AIX are you using right now for development?
>
> On Sun, Feb 10, 2013 at 8:37 PM, Alex Harvey <alexharv...@gmail.com> wrote:
>> Hi guys,
>>
>> I am hitting a problem during upgrading/testing of Puppet v3, something I've missed during my earlier testing, affecting AIX 5.3 only (actually I've only got AIX 5.3/6.1 to play with so I can't be certain it only affects 5.3). I can say that it doesn't appear to affect any of my Solaris (5.8-5.10) or my HP-UX (11.23).
>>
>> After upgrading to puppet 3.1.0 on both master & client (where master is running Redhat Linux) I get the following when trying to use the signed certificate:
>>
>> myaix53client[/]# /opt/freeware/bin/puppet agent -t
>> Warning: Unable to fetch my node definition, but the agent run will continue:
>> Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
>> Info: Retrieving plugin
>> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
>> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com] Could not retrieve file metadata for puppet://mymaster.mydomain.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
>> Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
>>
>> I've googled and seen numerous hits in both the Puppet Users list and in blogs suggesting as a root cause either a time synchronisation problem (ruled out for me as it's affecting my entire AIX 5.3 fleet) or a problem with the SSL cert that's being presented by the Puppet Master. Posts suggest blowing away $ssldir on both master/client ought to fix the second possibility, but hasn't for me.
>>
>> Experimentation with openssl s_client shows that I get the same response from the server on AIX 5.3 as I do on AIX 6.1 (where it works).
>>
>> Here is an example from the AIX5.3 client -
>>
>> myaix53client[/]# /opt/freeware/bin/openssl s_client -connect mymaster:8140 -CApath /var/lib/puppet/ssl/certs
>> depth=1 CN = Puppet CA: mymaster.mydomain.com
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> CONNECTED(00000004)
>> ---
>> Certificate chain
>>  0 s:/CN=mymaster.mydomain.com
>>    i:/CN=Puppet CA: mymaster.mydomain.com
>>  1 s:/CN=Puppet CA: mymaster.mydomain.com
>>    i:/CN=Puppet CA: mymaster.mydomain.com
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> [base64 certificate body omitted]
>> -----END CERTIFICATE-----
>> subject=/CN=mymaster.mydomain.com
>> issuer=/CN=Puppet CA: mymaster.mydomain.com
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1869 bytes and written 418 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID: 4C5033405A55AEDA43025C1AE1350211811230DCEF6E9F8956492772B7710750
>>     Session-ID-ctx:
>>     Master-Key: 5471D567F94E7EC9AFD96E0D3CEEC26EEB288DCD33246B11FFCF6AD8C8FDA3B1A8CEB47F63881557E4D3F3D3276DC425
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1360555895
>>     Timeout   : 300 (sec)
>>     Verify return code: 19 (self signed certificate in certificate chain)
>> ---
>> closed
>>
>> Variations on this command compared against similar commands from a working AIX6.1 client show similar output.
>>
>> I also tried generating the certificate on the master using https://gist.github.com/ahpook/1182243
>>
>> mymaster# puppet cert --generate myaix53client.mydomain.com
>>
>> and then copying to the appropriate directories, and I got the same result.
>>
>> This leads me to suspect I am encountering a bug in puppet - although I can't be certain. I can't see any open bug that seems to match.
>>
>> I note that my AIX 5.3 fleet openssl doesn't support SHA256 - see http://projects.puppetlabs.com/issues/17295. The patch I submitted there was only tested on HP-UX, which at the time was the only platform I had identified the issue on. That said, I can't see how lack of SHA256 could be the root cause, though, or why would it work fine on my HP-UX, where I likewise lack SHA256?
>>
>> So, just wondering if anyone out there can think of anything else I can try? At worst, this is a showstopper that completely prevents the use of Puppet on AIX5.3 - which is an old release, I guess, but I suspect lots of people still use it. At the moment, I can't, at any rate, find a workaround. At best, it's certainly a showstopper for me. :-)
>>
>> Kind regards,
>> Alex Harvey
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+unsubscr...@googlegroups.com.
>> To post to this group, send email to puppet-dev@googlegroups.com.
>> Visit this group at http://groups.google.com/group/puppet-dev?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
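Added example, not from the thread or from Puppet's code base: a Ruby script that reproduces, with a constructed CA and master certificate, the verify outcomes behind the error code in Alex's s_client output. It runs the same OpenSSL chain verification the agent relies on and shows that code 19 means the server did send its CA certificate but the client's trust store does not contain it (which is what an unhashed `-CApath` or an unloaded `ca.pem` produces), whereas code 20 means the CA was never sent at all. The names and certificates are constructed stand-ins for the thread's `mymaster.mydomain.com` setup.

```ruby
require 'openssl'

# Constructed stand-ins for the Puppet CA and master cert in the thread.
def make_cert(subject, key, issuer: nil, issuer_key: nil, serial: 1, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X509v3, so basicConstraints is honoured
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  # SHA256 only because current OpenSSL builds may reject SHA1 signatures;
  # the digest does not change the trust-store outcomes below.
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The same check the agent's TLS layer performs: verify the master's leaf cert,
# plus whatever chain the server sent, against the CA certs the client trusts.
# Returns [ok, error_code, error_string]; 19 is the code in Alex's s_client run.
def verify_master(leaf, sent_chain, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent_chain)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Puppet CA: mymaster.mydomain.com', ca_key, ca: true)
  master_key = OpenSSL::PKey::RSA.new(2048)
  master = make_cert('/CN=mymaster.mydomain.com', master_key,
                     issuer: ca, issuer_key: ca_key, serial: 2)
  {
    # server sends its CA, client trusts nothing (e.g. ca.pem not loaded) -> 19
    no_ca: verify_master(master, [ca], []),
    # server sends only its own cert and client trusts nothing -> 20
    no_chain: verify_master(master, [], []),
    # client's ca.pem matches the CA that signed the master cert -> verify ok
    right_ca: verify_master(master, [ca], [ca])
  }
end

demo.each { |k, (ok, code, msg)| puts "#{k}: ok=#{ok} code=#{code} (#{msg})" }
```

Comparing the two failing codes against `openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem` on the client separates a trust-store problem from a broken chain before touching $ssldir.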