Hi,

I'm trying to run puppet through SSH channel using port forwarding (ssh master -R 8140:127.0.0.1:8140 -L 8139:127.0.0.1:8139). But for some unknown reason TCP connection is terminated and puppet agent finishes with message

"err: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A"

Not always but in ~98% of cases. When I "simulate" the tunnel using pair of redir(1) without SSH it's always without an issue. I've never had an issue with SSH port forwarding and this time it's specific for puppet only. Other protocols like HTTPS, IMAPS work fine using port forwarding. Master is FreeBSD and I've tried also OSX (without any difference), agent is Linux 2.6.32.

BTW I thought puppet protocol is HTTPS but if I connect to master port 8140 using 'telnet localhost 8140' (locally) the connection is immediately terminated. Maybe it's related to my problem with SSH port forwarding.

Do you have any experience with such behavior? Any idea what's the reason?

Thanks a lot.

Jaroslav

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Mar 28, 6:19 pm, Jaroslav Klaus <jaroslav.kl...@gmail.com> wrote:
> Hi,
>
> I'm trying to run puppet through SSH channel using port forwarding (ssh master -R 8140:127.0.0.1:8140 -L 8139:127.0.0.1:8139).

Sorry, it should be ssh to server with agent not master of course.

Jaroslav

I don't quite understand what you're doing. As a random guess, could you have a race condition where the tunnel doesn't finish being created before puppet tries to connect?

On Mar 28, 2011, at 11:34 AM, Jaroslav Klaus wrote:
> On Mar 28, 6:19 pm, Jaroslav Klaus <jaroslav.kl...@gmail.com> wrote:
>> Hi,
>>
>> I'm trying to run puppet through SSH channel using port forwarding (ssh master -R 8140:127.0.0.1:8140 -L 8139:127.0.0.1:8139).
>
> Sorry, it should be ssh to server with agent not master of course.
>
> Jaroslav

Jaroslav Klaus wrote:
> I'm trying to run puppet through SSH channel using port forwarding
> (ssh master -R 8140:127.0.0.1:8140 -L 8139:127.0.0.1:8139). But for
> some unknown reason TCP connection is terminated and puppet agent
> finishes with message
>
> "err: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A"
>
> Not always but in ~98% cases. When I "simulate" the tunnel using
> pair of redir(1) without SSH it's always without an issue. I've
> never had an issue with SSH port forwarding and this time it's
> specific for puppet only. Other protocols like HTTPS, IMAPS work
> fine using port forwarding. Master is FreeBSD and I've tried also
> OSX (without any difference), agent is Linux 2.6.32.
>
> BTW I thought puppet protocol is HTTPS but if I connect to master
> port 8140 using 'telnet localhost 8140' (locally) the connection
> is immediately terminated. Maybe it's related to my problem with
> SSH port forwarding.

Actually, it is not *immediately* terminated, just quickly. The Puppet master has a very short timeout, 0.1 seconds, set for performing the TLS handshake. If you don't manage that within that one tenth of a second, you will be disconnected. And of course, performing a TLS handshake manually using telnet isn't something most people can do even if they have hours to do it...

Try instead 'openssl s_client -connect localhost:8140', which does all the TLS stuff for you.

A guess, but it's nothing more than that, is that you run afoul of the 0.1 seconds timeout when you connect via an SSH tunnel.

/Bellman

On 29.3.2011, at 14:08, Thomas Bellman wrote:
> A guess, but it's nothing more than that, is that you run afoul
> of the 0.1 seconds timeout when you connect via an SSH tunnel.

Yes. That was the issue. I increased this timeout a bit and it's OK now. Thx.

Jaroslav
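
The timeout behaviour discussed in this thread, as an added example that is not part of the original messages and not Puppet's own code: a constructed stand-in server drops any connection whose first bytes do not arrive within 0.1 seconds, and two probes reproduce the idle telnet case and a client slowed by added path latency. The function names, the "ok" reply and the loopback setup are assumptions made for the illustration; no real TLS handshake is performed.

```python
import socket, threading, time

DEADLINE = 0.1  # seconds: the handshake timeout cited in the thread

def start_toy_master():
    """Constructed stand-in for the master: no first bytes within DEADLINE -> close."""
    srv = socket.create_server(("127.0.0.1", 0))
    def handle(conn):
        conn.settimeout(DEADLINE)
        try:
            if conn.recv(1):          # client spoke in time
                conn.sendall(b"ok")
        except socket.timeout:
            pass                      # too slow: fall through and close
        finally:
            conn.close()
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                # listener was closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def idle_close_time(port, host="127.0.0.1", limit=5.0):
    """Connect, send nothing (the telnet case), time how long until the peer closes."""
    with socket.create_connection((host, port), timeout=limit) as s:
        t0 = time.monotonic()
        try:
            s.recv(1)                 # returns b"" once the peer closes
        except socket.timeout:
            return None               # peer kept the connection open for `limit` s
        return time.monotonic() - t0

def first_bytes_after(port, delay, host="127.0.0.1"):
    """Send the first bytes `delay` seconds late, as added path latency would."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        time.sleep(delay)
        try:
            s.sendall(b"\x16")        # 0x16 is the TLS handshake record type
            return s.recv(2) == b"ok"
        except ConnectionError:
            return False              # reset: the server had already hung up
```

Pointing idle_close_time at a real listener gives a measured figure for how long it tolerates a silent client, which can then be compared with the latency of the forwarded path.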