Thomas Bétrancourt
2012-Apr-22 09:19 UTC
[Puppet Users] centos 6.2 - puppet 2.7.13 - SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
Hi! I''ve installed puppetmaster 2.7.13 on a server with CentOS 6.2 with a rpm supplied by yum.puppetlabs.com. I''ve setup a apache2 vhost with mod_ssl and passenger. The server is configured to autosign the cert requests. The agent installed on the puppetmaster''s server works fine. I''ve a second agent on a server which can sync with the server too. This server is on CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt. All virtual machines are configured to join a network bridge. Some iptables rules forward the traffic from the VM to the world (and vice-et-versa). The world can connect to the VM (i.e. SSH) and the VM can go to the world. On the hypervisor, i''ve a VM on CentOS 6.2 too. The DNS name ''puppet'' is resolved by the hypervisor (which has a dnsmasq server). When i''m launching the puppet agent for the first time, a cert is generated by the server. The client has now the certs and key on its filesystem. But when the client is trying to sync with the server, i''ve got the following output : [root@machine-1 ~]# puppet agent --test info: Creating a new SSL key for machine-1.test.betrancourt.net warning: peer certificate won''t be verified in this SSL session info: Caching certificate for ca warning: peer certificate won''t be verified in this SSL session warning: peer certificate won''t be verified in this SSL session info: Creating a new SSL certificate request for machine-1.test.betrancourt.net info: Certificate Request fingerprint (md5): BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E warning: peer certificate won''t be verified in this SSL session warning: peer certificate won''t be verified in this SSL session info: Caching certificate for machine-1.test.betrancourt.net err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version warning: Not using cache on failed catalog err: Could not retrieve catalog; skipping run err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version [root@machine-1 ~]# The client cert is into the server cert db : [root@medion ~]# puppetca list --all | grep machine-1 + machine-1.test.betrancourt.net (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92) In puppet.conf, on the server, i''ve the following content: [main] logdir = /var/log/puppet rundir = /var/run/puppet ssldir = $vardir/ssl [agent] classfile = $vardir/classes.txt localconfig = $vardir/localconfig pluginsync = true [master] autosign = true ssl_client_header = SSL_CLIENT_S_DN ssl_client_verify_header = SSL_CLIENT_VERIFY My apache vhost is configured like this: <VirtualHost 192.168.1.60:8140> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP SSLCertificateFile /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars # The following client headers allow the same configuration to work with Pound. RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e PassengerHighPerformance on PassengerStatThrottleRate 120 PassengerUseGlobalQueue on RackAutoDetect Off RailsAutoDetect Off RackBaseURI / DocumentRoot /etc/puppet/puppetmaster/public <Directory /etc/puppet/puppetmaster> Options None AllowOverride None Order allow,deny allow from all </Directory> ErrorLog /var/log/httpd/puppetmaster_error.log CustomLog /var/log/httpd/puppetmaster_access.log combined </VirtualHost> On the clients, the puppet.conf has the following content: [main] logdir = /var/log/puppet rundir = /var/run/puppet ssldir = $vardir/ssl [agent] classfile = $vardir/classes.txt localconfig = $vardir/localconfig pluginsync = true I don''t know how solve this problem. I''ve read the puppet guides about ssl / apache / passenger. I don''t understand how some clients can use the server, and not only one of these... Thanks in advance for your support. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/REt9KRCixokJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Eric Sorenson
2012-Apr-24 17:49 UTC
[Puppet Users] Re: centos 6.2 - puppet 2.7.13 - SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
I suspect something is wrong with the underlying ssl libraries on the client with the problem. Does the output of ''rpm -qa | grep ssl'' on the non-working client look the same as the client which works? How about ldd -r `rpm -ql ruby-libs | grep openssl.so` ? On Sunday, April 22, 2012 2:19:27 AM UTC-7, Thomas Bétrancourt wrote:> > Hi! > > I''ve installed puppetmaster 2.7.13 on a server with CentOS 6.2 with a rpm > supplied by yum.puppetlabs.com. > > I''ve setup a apache2 vhost with mod_ssl and passenger. The server is > configured to autosign the cert requests. > > The agent installed on the puppetmaster''s server works fine. I''ve a second > agent on a server which can sync with the server too. This server is on > CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt. All virtual > machines are configured to join a network bridge. Some iptables rules > forward the traffic from the VM to the world (and vice-et-versa). The world > can connect to the VM (i.e. SSH) and the VM can go to the world. > > On the hypervisor, i''ve a VM on CentOS 6.2 too. The DNS name ''puppet'' is > resolved by the hypervisor (which has a dnsmasq server). When i''m launching > the puppet agent for the first time, a cert is generated by the server. The > client has now the certs and key on its filesystem. But when the client is > trying to sync with the server, i''ve got the following output : > [root@machine-1 ~]# puppet agent --test > info: Creating a new SSL key for machine-1.test.betrancourt.net > warning: peer certificate won''t be verified in this SSL session > info: Caching certificate for ca > warning: peer certificate won''t be verified in this SSL session > warning: peer certificate won''t be verified in this SSL session > info: Creating a new SSL certificate request for > machine-1.test.betrancourt.net > info: Certificate Request fingerprint (md5): > BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E > warning: peer certificate won''t be verified in this SSL session > warning: peer certificate won''t be verified in this SSL session > info: Caching certificate for machine-1.test.betrancourt.net > err: Could not retrieve catalog from remote server: SSL_connect returned=1 > errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol > version > warning: Not using cache on failed catalog > err: Could not retrieve catalog; skipping run > err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 > read server session ticket A: tlsv1 alert protocol version > [root@machine-1 ~]# > > The client cert is into the server cert db : > [root@medion ~]# puppetca list --all | grep machine-1 > + machine-1.test.betrancourt.net > (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92) > > In puppet.conf, on the server, i''ve the following content: > [main] > logdir = /var/log/puppet > rundir = /var/run/puppet > ssldir = $vardir/ssl > > [agent] > classfile = $vardir/classes.txt > localconfig = $vardir/localconfig > pluginsync = true > > [master] > autosign = true > ssl_client_header = SSL_CLIENT_S_DN > ssl_client_verify_header = SSL_CLIENT_VERIFY > > My apache vhost is configured like this: > <VirtualHost 192.168.1.60:8140> > SSLEngine on > SSLProtocol -all +SSLv3 +TLSv1 > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP > > SSLCertificateFile > /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem > SSLCertificateKeyFile > /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem > SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem > SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem > # CRL checking should be enabled; if you have problems with Apache > complaining about the CRL, disable the next line > SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem > SSLVerifyClient optional > SSLVerifyDepth 1 > SSLOptions +StdEnvVars > > # The following client headers allow the same configuration to work > with Pound. > RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e > RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e > RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e > > PassengerHighPerformance on > PassengerStatThrottleRate 120 > PassengerUseGlobalQueue on > RackAutoDetect Off > RailsAutoDetect Off > RackBaseURI / > > DocumentRoot /etc/puppet/puppetmaster/public > > <Directory /etc/puppet/puppetmaster> > Options None > AllowOverride None > Order allow,deny > allow from all > </Directory> > > > ErrorLog /var/log/httpd/puppetmaster_error.log > CustomLog /var/log/httpd/puppetmaster_access.log combined > </VirtualHost> > > On the clients, the puppet.conf has the following content: > [main] > logdir = /var/log/puppet > rundir = /var/run/puppet > ssldir = $vardir/ssl > > [agent] > classfile = $vardir/classes.txt > localconfig = $vardir/localconfig > pluginsync = true > > I don''t know how solve this problem. I''ve read the puppet guides about ssl > / apache / passenger. I don''t understand how some clients can use the > server, and not only one of these... > > Thanks in advance for your support. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Christopher Wood
2012-Apr-24 17:55 UTC
Re: [Puppet Users] Re: centos 6.2 - puppet 2.7.13 - SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 I''ve seen that when the clocks on the two hosts were out of sync. Even when I brought the clocks back into sync I found that I had to regenerate the certs to get it working. master: puppet cert --clean (restart the puppetmaster) agent: (remove the certs) (restart the agent and get the new cert request signed) On Tue, Apr 24, 2012 at 10:49:00AM -0700, Eric Sorenson wrote:> I suspect something is wrong with the underlying ssl libraries on the > client with the problem. Does the output of ''rpm -qa | grep ssl'' on the > non-working client look the same as the client which works? How about > ldd -r `rpm -ql ruby-libs | grep openssl.so` > ? > > On Sunday, April 22, 2012 2:19:27 AM UTC-7, Thomas B�trancourt wrote: > > Hi! > > I''ve installed puppetmaster 2.7.13 on a server with CentOS 6.2 with a > rpm supplied by [1]yum.puppetlabs.com. > > I''ve setup a apache2 vhost with mod_ssl and passenger. The server is > configured to autosign the cert requests. > > The agent installed on the puppetmaster''s server works fine. I''ve a > second agent on a server which can sync with the server too. This server > is on CentOS 6.2 too. This is a KVM hypervisor helped by the libvirt. > All virtual machines are configured to join a network bridge. Some > iptables rules forward the traffic from the VM to the world (and > vice-et-versa). The world can connect to the VM (i.e. SSH) and the VM > can go to the world. > > On the hypervisor, i''ve a VM on CentOS 6.2 too. The DNS name ''puppet'' is > resolved by the hypervisor (which has a dnsmasq server). When i''m > launching the puppet agent for the first time, a cert is generated by > the server. The client has now the certs and key on its filesystem. But > when the client is trying to sync with the server, i''ve got the > following output : > [root@machine-1 ~]# puppet agent --test > info: Creating a new SSL key for [2]machine-1.test.betrancourt.net > warning: peer certificate won''t be verified in this SSL session > info: Caching certificate for ca > warning: peer certificate won''t be verified in this SSL session > warning: peer certificate won''t be verified in this SSL session > info: Creating a new SSL certificate request for > [3]machine-1.test.betrancourt.net > info: Certificate Request fingerprint (md5): > BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E > warning: peer certificate won''t be verified in this SSL session > warning: peer certificate won''t be verified in this SSL session > info: Caching certificate for [4]machine-1.test.betrancourt.net > err: Could not retrieve catalog from remote server: SSL_connect > returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert > protocol version > warning: Not using cache on failed catalog > err: Could not retrieve catalog; skipping run > err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 > read server session ticket A: tlsv1 alert protocol version > [root@machine-1 ~]# > > The client cert is into the server cert db : > [root@medion ~]# puppetca list --all | grep machine-1 > + [5]machine-1.test.betrancourt.net > (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92) > > In puppet.conf, on the server, i''ve the following content: > [main] > logdir = /var/log/puppet > rundir = /var/run/puppet > ssldir = $vardir/ssl > > [agent] > classfile = $vardir/classes.txt > localconfig = $vardir/localconfig > pluginsync = true > > [master] > autosign = true > ssl_client_header = SSL_CLIENT_S_DN > ssl_client_verify_header = SSL_CLIENT_VERIFY > > My apache vhost is configured like this: > <VirtualHost [6]192.168.1.60:8140> > SSLEngine on > SSLProtocol -all +SSLv3 +TLSv1 > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP > > SSLCertificateFile > /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem > SSLCertificateKeyFile > /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem > SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem > SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem > # CRL checking should be enabled; if you have problems with Apache > complaining about the CRL, disable the next line > SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem > SSLVerifyClient optional > SSLVerifyDepth 1 > SSLOptions +StdEnvVars > > # The following client headers allow the same configuration to work > with Pound. > RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e > RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e > RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e > > PassengerHighPerformance on > PassengerStatThrottleRate 120 > PassengerUseGlobalQueue on > RackAutoDetect Off > RailsAutoDetect Off > RackBaseURI / > > DocumentRoot /etc/puppet/puppetmaster/public > > <Directory /etc/puppet/puppetmaster> > Options None > AllowOverride None > Order allow,deny > allow from all > </Directory> > > ErrorLog /var/log/httpd/puppetmaster_error.log > CustomLog /var/log/httpd/puppetmaster_access.log combined > </VirtualHost> > > On the clients, the puppet.conf has the following content: > [main] > logdir = /var/log/puppet > rundir = /var/run/puppet > ssldir = $vardir/ssl > > [agent] > classfile = $vardir/classes.txt > localconfig = $vardir/localconfig > pluginsync = true > > I don''t know how solve this problem. I''ve read the puppet guides about > ssl / apache / passenger. I don''t understand how some clients can use > the server, and not only one of these... > > Thanks in advance for your support. > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To view this discussion on the web visit > [7]https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > > References > > Visible links > 1. http://yum.puppetlabs.com/ > 2. http://machine-1.test.betrancourt.net/ > 3. http://machine-1.test.betrancourt.net/ > 4. http://machine-1.test.betrancourt.net/ > 5. http://machine-1.test.betrancourt.net/ > 6. http://192.168.1.60:8140/ > 7. https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.