The root cause here is the openssl version. Ruby doesn't ship with its
own openssl, but instead links against openssl. Usually ruby
dynamically links against the openssl available on your system (0.9.7a
for rhel 4, 0.9.8 for sles11 and 1.0.1 for rhel6).

In your PROD environment: The problem is that on the rhel 6 master,
the CA signed its cert with sha256, the default for puppet 3.x and
supported in openssl 1.0.1. The rhel 4 agent then gets the CA public
cert, which was signed using sha256, and its old version of openssl
can't even recognize sha256 as a valid digest format, so it fails with
the error you see.

In your DEV environment: It works because Puppet 2.7 doesn't sign the
ca cert with sha256 by default, so both openssl 0.9.8 on your master
and 0.9.7a on your agent are able to read and verify the cert.

To use an agent with a Puppet 3 master that signs using sha256, you
need to have a version of openssl with sha256 available and enabled
(enabled by default on openssl 0.9.8l and later)[1].

[1]- http://marc.info/?l=openssl-users&m=135355590501495

HTH


On Tue, Feb 18, 2014 at 3:47 PM, Monir Miloudi <[email protected]> wrote:
> Patrick,
>
> Thanks for your reply but before I try to downgrade my PROD Puppet Master
> from the 3.x branch to 2.7.x branch, I'd like you to answer me 2 questions
> if you may:
>
> I tried upgrading my PROD Puppet Agent from 0.25 to 2.6 (and even 2.7) but I
> was still faced with the same issue. Why is that?
> I thought (maybe wrongfully) that the version of OpenSSL used by Puppet
> (both agent and master) was the one packaged with Ruby and not the one
> packaged with the distro. So I tried upgrading Ruby on the DEV Puppet Agent
> from 1.8.1 to 1.8.5 but still digest issues. Can you explain to me why it is
> happening?
>
>
> Anyway, thank you for your time.
>
> On Tuesday, February 18, 2014 6:52:02 PM UTC+1, Patrick Carlisle wrote:
>>
>>
>> On Mon, Feb 17, 2014 at 8:12 PM, Monir Miloudi <[email protected]> wrote:
>>>
>>> What puzzles me is the fact that I'm using the same version of Puppet
>>> agent, Facter, Ruby and OpenSSL on both agent (RH4 x86) but the agent is
>>> working in my DEV environment but not on PROD.
>>
>>
>> Your masters don't have the same OpenSSL version. You list 1.0 for the
>> PROD master but 0.98j for the DEV master. They are also running different
>> major versions of puppet. I think we added SHA256 support in 3.0 and in 3.1
>> made it fall back to SHA1 when that isn't available. Note that puppet cert
>> lists a much longer digest for PROD with (SHA256) at the beginning. The
>> digest algorithm is not configurable so if you need to run old openssl on
>> your agents then you need to issue your certs from puppet 2.7
>> (https://tickets.puppetlabs.com/browse/PUP-1146 is the bug about this).
>>
>> We also don't support running an agent more than one major version older
>> than the master (so you want 2.7+ to run against your 3.0 master).
>>
>> -Patrick
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-dev/803f2d23-d90d-4fdb-bee8-7e86ecbf57b9%40googlegroups.com.
>
> For more options, visit https://groups.google.com/groups/opt_out.



-- 
Matthaus Owens
Release Manager, Puppet Labs

Join us at PuppetConf 2014, September 23-24 in San Francisco
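The check described at the top of this thread, as an added example that is not code from the thread or from Puppet: it signs a throwaway CA certificate the way a Puppet 3.x CA does (sha256) and asks the OpenSSL that Ruby links against whether it recognizes the digest named in the certificate's signature algorithm. The CN, key size and validity period are constructed values.

```ruby
require 'openssl'

# Build a throwaway self-signed CA certificate signed with the given digest,
# standing in for the CA cert a Puppet 3.x master hands to an agent.
def make_ca_cert(digest_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test') # constructed
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert
end

# Digest name from the signature algorithm string, e.g.
# "sha256WithRSAEncryption" -> "sha256", "sha1WithRSAEncryption" -> "sha1".
def signature_digest(cert)
  cert.signature_algorithm.sub(/WithRSAEncryption\z/i, '')
end

# Ask the linked OpenSSL whether it knows this digest. A library that
# predates sha256 support (such as 0.9.7a on RHEL 4) raises here instead of
# returning a digest object, which is the failure the agent reports.
def digest_supported?(digest_name)
  OpenSSL::Digest.new(digest_name)
  true
rescue StandardError
  false
end

# Summarize what this host's OpenSSL makes of the certificate's signature.
def check_cert(cert)
  d = signature_digest(cert)
  { openssl: OpenSSL::OPENSSL_VERSION, digest: d, supported: digest_supported?(d) }
end

if __FILE__ == $0
  ca = make_ca_cert('sha256') # the Puppet 3.x default
  puts check_cert(ca).inspect
end
```

Run it with the Ruby that Puppet actually uses on the agent, since that is the OpenSSL build whose digest support matters.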
