Andrew Ring
2011-Nov-09 20:51 UTC
[Puppet Users] WinXP Agent SSL issue/Increase TLS timeout on Puppet Master?
Greetings, While using puppet 2.7.6-266 on a very old Windows XP system (I know WinXP is not supported by puppet), I have run into an error when running Puppet Agent: "err: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A" My install procedure is that from the Puppet Labs site: http://projects.puppetlabs.com/projects/1/wiki/Puppet_Windows Watching the transaction via wireshark, communication is and is killed very shortly after it starts, just over 0.1 seconds between the first Syn and the last Rst. The Puppet Master receives the client''s certificate. I am also able to sign the certificate, which does not alter the behavior of puppet on the client. I can not confirm it, but it took several times running the Puppet Agent for the system''s SSL certificate to reach the point where "puppetca --list" would display it. The Puppet Master is running Puppet version 2.6.2-5. I have a second, new Windows 7 system, using the same software versions, has no issue connecting to the Puppet Master. In a thread titled "SSH port forwarding" from 28 March 2011(?) (http://comments.gmane.org/gmane.comp.sysutils.puppet.user/29632) it was mentioned that the Puppet Master has a TLS timeout of 0.1 seconds. Is this a general issue with Puppet and Windows XP? Is there a way to increase the TLS timeout on the Puppet Master? Alternatively, is there a method to confirm that the TLS timeout is my problem? Thank you, Andrew -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jacob Helwig
2011-Nov-09 21:18 UTC
Re: [Puppet Users] WinXP Agent SSL issue/Increase TLS timeout on Puppet Master?
On 2011-11-09 12:51 , Andrew Ring wrote:> Greetings, > > While using puppet 2.7.6-266 on a very old Windows XP system (I know > WinXP is not supported by puppet), I have run into an error when running > Puppet Agent: > "err: Could not request certificate: SSL_connect SYSCALL returned=5 > errno=0 state=SSLv2/v3 read server hello A" > > My install procedure is that from the Puppet Labs site: > http://projects.puppetlabs.com/projects/1/wiki/Puppet_Windows > > Watching the transaction via wireshark, communication is and is killed > very shortly after it starts, just over 0.1 seconds between the first > Syn and the last Rst. > > The Puppet Master receives the client''s certificate. I am also able to > sign the certificate, which does not alter the behavior of puppet on the > client. I can not confirm it, but it took several times running the > Puppet Agent for the system''s SSL certificate to reach the point where > "puppetca --list" would display it. The Puppet Master is running Puppet > version 2.6.2-5. > > I have a second, new Windows 7 system, using the same software versions, > has no issue connecting to the Puppet Master. > > In a thread titled "SSH port forwarding" from 28 March 2011(?) > (http://comments.gmane.org/gmane.comp.sysutils.puppet.user/29632) it was > mentioned that the Puppet Master has a TLS timeout of 0.1 seconds. > > Is this a general issue with Puppet and Windows XP? > Is there a way to increase the TLS timeout on the Puppet Master? > Alternatively, is there a method to confirm that the TLS timeout is my > problem? > > Thank you, > Andrew >Upgrade your master. It sounds like you''re running into #4762[0], which was fixed in 2.7.3. Also, you should be running a version of the master that is >= the version of your newest agent. [0] http://projects.puppetlabs.com/issues/4762 -- Jacob Helwig http://about.me/jhelwig
Andrew Ring
2011-Nov-09 23:22 UTC
Re: [Puppet Users] WinXP Agent SSL issue/Increase TLS timeout on Puppet Master?
Spot on. Thank you. On 11/09/2011 01:18 PM, Jacob Helwig wrote:> On 2011-11-09 12:51 , Andrew Ring wrote: >> Greetings, >> >> While using puppet 2.7.6-266 on a very old Windows XP system (I know >> WinXP is not supported by puppet), I have run into an error when running >> Puppet Agent: >> "err: Could not request certificate: SSL_connect SYSCALL returned=5 >> errno=0 state=SSLv2/v3 read server hello A" >> >> My install procedure is that from the Puppet Labs site: >> http://projects.puppetlabs.com/projects/1/wiki/Puppet_Windows >> >> Watching the transaction via wireshark, communication is and is killed >> very shortly after it starts, just over 0.1 seconds between the first >> Syn and the last Rst. >> >> The Puppet Master receives the client''s certificate. I am also able to >> sign the certificate, which does not alter the behavior of puppet on the >> client. I can not confirm it, but it took several times running the >> Puppet Agent for the system''s SSL certificate to reach the point where >> "puppetca --list" would display it. The Puppet Master is running Puppet >> version 2.6.2-5. >> >> I have a second, new Windows 7 system, using the same software versions, >> has no issue connecting to the Puppet Master. >> >> In a thread titled "SSH port forwarding" from 28 March 2011(?) >> (http://comments.gmane.org/gmane.comp.sysutils.puppet.user/29632) it was >> mentioned that the Puppet Master has a TLS timeout of 0.1 seconds. >> >> Is this a general issue with Puppet and Windows XP? >> Is there a way to increase the TLS timeout on the Puppet Master? >> Alternatively, is there a method to confirm that the TLS timeout is my >> problem? >> >> Thank you, >> Andrew >> > > Upgrade your master. It sounds like you''re running into #4762[0], which > was fixed in 2.7.3. Also, you should be running a version of the master > that is>= the version of your newest agent. > > [0] http://projects.puppetlabs.com/issues/4762 >-- ==================================Andrew Ring System Administrator Kuriyan Laboratory http://jkweb.qb3.berkeley.edu/ Doudna Laboratory http://rna.berkeley.edu/ University of California, Berkeley Office: 542 Stanley Hall Shipping: 176 Stanley Hall, QB3 Berkeley, CA 94720-3220 tel: (510) 643 0166 fax: (510) 643 2352 =================================== -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.