Thank you for your response. As a workaround, do you think that using an alternate CA (as described here: http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html) that is SHA1-compliant would work?
On Wednesday, February 19, 2014 2:11:43 AM UTC+1, Matthaus Litteken wrote:
>
> The root cause here is the openssl version. Ruby doesn't ship with its own openssl, but instead links against openssl. Usually ruby dynamically links against the openssl available on your system (0.9.7a for rhel 4, 0.9.8 for sles11 and 1.0.1 for rhel6).
>
> In your PROD environment: The problem is that on the rhel 6 master, the CA signed its cert with sha256, the default for puppet 3.x and supported in openssl 1.0.1. The rhel 4 agent then gets the CA public cert, which was signed using sha256, and its old version of openssl can't even recognize sha256 as a valid digest format, so it fails with the error you see.
>
> In your DEV environment: It works because Puppet 2.7 doesn't sign the ca cert with sha256 by default, so both openssl 0.9.8 on your master and 0.9.7a on your agent are able to read and verify the cert.
>
> To use an agent with a Puppet 3 master that signs using sha256, you need to have a version of openssl with sha256 available and enabled (enabled by default on openssl 0.9.8l and later)[1].
>
> [1] http://marc.info/?l=openssl-users&m=135355590501495
>
> HTH
>
>
> On Tue, Feb 18, 2014 at 3:47 PM, Monir Miloudi <[email protected]> wrote:
> > Patrick,
> >
> > Thanks for your reply but before I try to downgrade my PROD Puppet Master from the 3.x branch to 2.7.x branch, I'd like you to answer me 2 questions if you may:
> >
> > I tried upgrading my PROD Puppet Agent from 0.25 to 2.6 (and even 2.7) but I was still faced with the same issue. Why is that?
> > I thought (maybe wrongfully) that the version of OpenSSL used by Puppet (both agent and master) was the one packaged with Ruby and not the one packaged with the distro. So I tried upgrading Ruby on the DEV Puppet Agent from 1.8.1 to 1.8.5 but still digest issues. Can you explain to me why it is happening?
> >
> >
> > Anyway, thank you for your time.
> >
> > On Tuesday, February 18, 2014 6:52:02 PM UTC+1, Patrick Carlisle wrote:
> >>
> >> On Mon, Feb 17, 2014 at 8:12 PM, Monir Miloudi <[email protected]> wrote:
> >>> What puzzles me is the fact that I'm using the same version of Puppet agent, Facter, Ruby and OpenSSL on both agent (RH4 x86) but the agent is working in my DEV environment but not on PROD.
> >>
> >> Your masters don't have the same OpenSSL version. You list 1.0 for the PROD master but 0.98j for the DEV master. They are also running different major versions of puppet. I think we added SHA256 support in 3.0 and in 3.1 made it fallback to SHA1 when that isn't available. Note that puppet cert lists a much longer digest for PROD with (SHA256) at the beginning. The digest algorithm is not configurable so if you need to run old openssl on your agents then you need to issue your certs from puppet 2.7 (https://tickets.puppetlabs.com/browse/PUP-1146 is the bug about this).
> >>
> >> We also don't support running an agent more than one major version older than the master (so you want 2.7+ to run against your 3.0 master).
> >>
> >> -Patrick
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/803f2d23-d90d-4fdb-bee8-7e86ecbf57b9%40googlegroups.com.
> > For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> Matthaus Owens
> Release Manager, Puppet Labs
>
> Join us at PuppetConf 2014, September 23-24 in San Francisco

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/37cb0303-af2d-47a2-9bbd-5e8aafef8328%40googlegroups.com.
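The diagnosis in the quoted replies (Ruby links against the system OpenSSL rather than bundling its own, and an agent whose OpenSSL lacks SHA-256 cannot verify a CA certificate signed with sha256WithRSAEncryption) can be checked directly from the Ruby that Puppet runs under. The script below is an added example for this thread, not code from the thread, from Puppet, or from Puppet Labs: it reports which OpenSSL the interpreter is linked to, tests whether a digest name is available, builds a throwaway self-signed CA certificate in memory with a chosen signing digest, and reads back the signature algorithm an agent would have to understand. The subject name `example-test-ca` and all helper names are constructed for this example.

```ruby
require 'openssl'

# Ruby does not bundle OpenSSL; it links the system library. These two
# constants show the version the extension was built against and the
# version actually loaded at run time (they can differ after a distro upgrade).
def openssl_versions
  {
    compiled_against: OpenSSL::OPENSSL_VERSION,
    loaded_library:   defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : 'unknown'
  }
end

# True when the linked OpenSSL knows the named digest. On an OpenSSL too old
# for SHA-256 (the rhel 4 case in the thread) this returns false for 'sha256'.
def digest_available?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# Build a throwaway self-signed CA certificate in memory, signed with the
# given digest. Constructed for this example; the subject name is invented.
def make_self_signed_ca(digest_name, key: OpenSSL::PKey::RSA.new(2048))
  name = OpenSSL::X509::Name.parse('/CN=example-test-ca')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert
end

# What an agent sees when it receives the CA's PEM: the signature algorithm
# is embedded in the certificate, e.g. "sha256WithRSAEncryption".
def signature_algorithm(pem)
  OpenSSL::X509::Certificate.new(pem).signature_algorithm
end

# The verification step that fails on the old agent: checking the CA cert's
# self-signature with the CA public key. Returns false instead of raising when
# the local OpenSSL cannot handle the digest used for the signature.
def self_signature_ok?(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  cert.verify(cert.public_key)
rescue StandardError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "OpenSSL: #{openssl_versions.inspect}"
  %w[sha1 sha256].each { |d| puts "#{d} available: #{digest_available?(d)}" }
  pem = make_self_signed_ca('sha256').to_pem
  puts "test CA signed with: #{signature_algorithm(pem)}"
  puts "self-signature verifies here: #{self_signature_ok?(pem)}"
end
```

Run it with the agent host's own Ruby (the one Puppet uses), not a separately installed interpreter: the version line shows which OpenSSL that Ruby actually links, `sha256 available` shows whether the digest is enabled there, and feeding the real CA PEM from the master into `signature_algorithm` and `self_signature_ok?` reproduces the agent-side check without touching Puppet. If the digest is unavailable, the options the thread names follow directly: an OpenSSL with SHA-256 enabled (0.9.8l or later, per the quoted reply) on the agent, or a CA that issues certificates with a digest the agent's OpenSSL supports.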
