Tim
2010-Sep-29 15:01 UTC
[Puppet Users] err: Could not request certificate: sslv3 alert handshake failure error
Hi,

I've set up the puppetmaster to start 5 processes each listening on a different port, with an Apache server in front. This works fine for existing clients, however when I try to add a new client (ie. a newly installed machine with no previous puppet configuration) I get this error:

err: Could not request certificate: sslv3 alert handshake failure error

Any ideas what's going wrong?

Tim

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nan Liu
2010-Sep-29 15:31 UTC
Re: [Puppet Users] err: Could not request certificate: sslv3 alert handshake failure error
On Wed, Sep 29, 2010 at 8:01 AM, Tim <tkedwards@fastmail.com.au> wrote:
> I've set up the puppetmaster to start 5 processes each listening on a
> different port, with an Apache server in front. This works fine for
> existing clients, however when I try to add a new client (ie. a newly
> installed machine with no previous puppet configuration) I get this
> error:
>
> err: Could not request certificate: sslv3 alert handshake failure
> error
>
> Any ideas what's going wrong?

Does the new client have a certificate signed by Puppet CA? If not, can you manually generate and distribute a certificate with puppet cert -g (puppetca in 0.25.5)?

Is Apache configured for mandatory ssl? The directive is:
SSLVerifyClient require

Any logs from Apache?

Thanks,

Nan
Patrick
2010-Sep-29 15:42 UTC
Re: [Puppet Users] err: Could not request certificate: sslv3 alert handshake failure error
On Sep 29, 2010, at 8:31 AM, Nan Liu wrote:
> On Wed, Sep 29, 2010 at 8:01 AM, Tim <tkedwards@fastmail.com.au> wrote:
>> I've set up the puppetmaster to start 5 processes each listening on a
>> different port, with an Apache server in front. This works fine for
>> existing clients, however when I try to add a new client (ie. a newly
>> installed machine with no previous puppet configuration) I get this
>> error:
>>
>> err: Could not request certificate: sslv3 alert handshake failure
>> error
>>
>> Any ideas what's going wrong?
>
> Does the new client have a certificate signed by Puppet CA? If not,
> can you manually generate and distribute a certificate with puppet cert
> -g (puppetca in 0.25.5)?
>
> Is Apache configured for mandatory ssl? The directive is:
> SSLVerifyClient require

Just to clarify, mandatory SSL is bad when using puppet.

> Any logs from Apache?
>
> Thanks,
>
> Nan
Nan Liu
2010-Sep-29 16:22 UTC
Re: [Puppet Users] err: Could not request certificate: sslv3 alert handshake failure error
On Wed, Sep 29, 2010 at 8:42 AM, Patrick <kc7zzv@gmail.com> wrote:
>> Is Apache configured for mandatory ssl? The directive is:
>> SSLVerifyClient require
>
> Just to clarify, mandatory SSL is bad when using puppet.

No, it's not bad. The configuration depends on how you sign and distribute the puppet agent's certificate. If you have a process to generate and distribute the certs during system provisioning, it's perfectly fine to require validation of client cert. I actually prefer this method and it's not difficult to implement.

However if you expect the client to submit a CSR to be signed either manually via puppet cert --sign or autosigned based on some rules in autosign.conf then this should be configured optional.

Thanks,

Nan
Nigel Kersten
2010-Sep-29 16:37 UTC
Re: [Puppet Users] err: Could not request certificate: sslv3 alert handshake failure error
On Wed, Sep 29, 2010 at 8:42 AM, Patrick <kc7zzv@gmail.com> wrote:
>
> On Sep 29, 2010, at 8:31 AM, Nan Liu wrote:
>
>> On Wed, Sep 29, 2010 at 8:01 AM, Tim <tkedwards@fastmail.com.au> wrote:
>>> I've set up the puppetmaster to start 5 processes each listening on a
>>> different port, with an Apache server in front. This works fine for
>>> existing clients, however when I try to add a new client (ie. a newly
>>> installed machine with no previous puppet configuration) I get this
>>> error:
>>>
>>> err: Could not request certificate: sslv3 alert handshake failure
>>> error
>>>
>>> Any ideas what's going wrong?
>>
>> Does the new client have a certificate signed by Puppet CA? If not,
>> can you manually generate and distribute a certificate with puppet cert
>> -g (puppetca in 0.25.5)?
>>
>> Is Apache configured for mandatory ssl? The directive is:
>> SSLVerifyClient require
>
> Just to clarify, mandatory SSL is bad when using puppet.

Not if you've separated your CA from your "config" servers.
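The two client-verification modes that Nan Liu and Nigel Kersten describe above, as an added Apache configuration sketch that is not from any poster in this thread: a "config" virtual host that requires a CA-signed client certificate, and a separate CA virtual host where verification is optional so a new agent can submit its CSR. Ports, hostname, file paths and the backend layout are assumptions.

```apache
# Added example. Ports, hostname and file paths below are assumptions.
Listen 8140
Listen 8141

# Backend puppetmaster processes, bound to loopback so that only Apache
# can reach them and supply the X-Client-* headers ("set" overwrites
# any value the client sent).
<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
    BalancerMember http://127.0.0.1:18141
    BalancerMember http://127.0.0.1:18142
</Proxy>

# "Config" traffic: every client must present a certificate signed by
# the Puppet CA, so an agent without one fails the TLS handshake here.
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile    /var/lib/puppet/ssl/certs/puppet.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
    SSLCACertificateFile  /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile   /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    ProxyPass        / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
</VirtualHost>

# CA traffic: a new agent has no certificate yet, so verification is
# optional and the handshake completes; X-Client-Verify then carries
# NONE instead of SUCCESS. Agents are pointed here with ca_port.
<VirtualHost *:8141>
    SSLEngine on
    SSLCertificateFile    /var/lib/puppet/ssl/certs/puppet.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
    SSLCACertificateFile  /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile   /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    ProxyPass        / http://127.0.0.1:18143/
    ProxyPassReverse / http://127.0.0.1:18143/
</VirtualHost>
```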
Héctor Rivas Gándara
2010-Sep-29 16:52 UTC
Re: [Puppet Users] err: Could not request certificate: sslv3 alert handshake failure error
On Wed, Sep 29, 2010 at 5:01 PM, Tim <tkedwards@fastmail.com.au> wrote:
>
> Hi,
>
> I've set up the puppetmaster to start 5 processes each listening on a
> different port, with an Apache server in front. This works fine for
> existing clients, however when I try to add a new client (ie. a newly
> installed machine with no previous puppet configuration) I get this
> error:
>
> err: Could not request certificate: sslv3 alert handshake failure
> error
>
> Any ideas what's going wrong?

I think that your problem is explained in this thread:
http://groups.google.com/group/puppet-users/browse_thread/thread/39f73655629d6705?fwc=1&pli=1

Wiki of Mongrel http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel refers to this at the end.

--
Sincerely,
Héctor Rivas
Apparently Analogous Threads
- 'sslv3 alert handshake failure' when using puppet load-balanced through Apache
- centos 6.2 - puppet 2.7.13 - SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
- R CMD check --as-cran: sslv3 alert handshake failure
- sslv3 alert handshake failure error
- Using Puppet's client certificates for Apache, SSLVerifyClient