Jaroslav Klaus wrote:

I'm trying to run puppet through SSH channel using port forwarding
(ssh master -R 8140:127.0.0.1:8140 -L 8139:127.0.0.1:8139). But for
some unknown reason TCP connection is terminated and puppet agent
finishes with message

    "err: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A"

Not always but in ~98% of cases. When I "simulate" the tunnel using
a pair of redir(1) without SSH it's always without an issue. I've
never had an issue with SSH port forwarding and this time it's
specific for puppet only. Other protocols like HTTPS, IMAPS work
fine using port forwarding. Master is FreeBSD and I've tried also
OSX (without any difference), agent is Linux 2.6.32.

BTW I thought puppet protocol is HTTPS but if I connect to master
port 8140 using 'telnet localhost 8140' (locally) the connection
is immediately terminated. Maybe it's related to my problem with
SSH port forwarding.

Actually, it is not *immediately* terminated, just quickly.
The Puppet master has a very short timeout, 0.1 seconds, set for
performing the TLS handshake.  If you don't manage that within
that one tenth of a second, you will be disconnected.  And of
course, performing a TLS handshake manually using telnet isn't
something most people can do even if they have hours to do it...

Try instead 'openssl s_client -connect localhost:8140', which
does all the TLS stuff for you.

A guess, but it's nothing more than that, is that you run afoul
of the 0.1 seconds timeout when you connect via an SSH tunnel.


        /Bellman
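
The behaviour described in the reply above, as an added example that is not part of the original thread: a constructed loopback server enforces a first-byte deadline (0.1 s, the figure given in the reply), and a client delays its first handshake byte the way extra tunnel latency would. The names `deadline_server` and `probe` are hypothetical, and no real TLS or Puppet code is involved.

```python
import socket
import threading
import time

def deadline_server(deadline):
    """Listen on an ephemeral loopback port; drop clients silent for `deadline` s."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                    # listener was closed
                return
            with conn:
                conn.settimeout(deadline)
                try:
                    if conn.recv(1):           # first handshake byte arrived in time
                        conn.sendall(b"OK")    # stand-in for the ServerHello
                except OSError:
                    pass                       # deadline missed: close without a reply

    threading.Thread(target=serve, daemon=True).start()
    return srv

def probe(port, delay):
    """Connect, wait `delay` s (added tunnel latency), send one byte, report outcome."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        time.sleep(delay)
        try:
            c.sendall(b"\x16")                 # first byte of a TLS handshake record
            reply = c.recv(2)
        except OSError:                        # reset because the server already closed
            return "closed"
        return "answered" if reply else "closed"   # b"" means EOF

if __name__ == "__main__":
    srv = deadline_server(0.1)                 # 0.1 s: figure taken from the reply above
    port = srv.getsockname()[1]
    for delay in (0.0, 0.3):                   # constructed latencies
        print(f"delay {delay:.2f}s -> {probe(port, delay)}")
    srv.close()
```

A client dropped this way usually sees the connection closed with no reply (EOF); OpenSSL reports an EOF in mid-handshake as SSL_ERROR_SYSCALL, error code 5, with errno 0.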
