maillists0@gmail.com
2012-Jun-11 18:34 UTC
[Puppet Users] "decryption failed or bad record mac" errors
I inherited an old installation (0.24) that's been trouble-free until recently, when I started getting these error messages from a single machine:

Failed to retrieve current state of resource: Certificates were not trusted: SSL_read:: decryption failed or bad record mac Could not describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read:: decryption failed or bad record mac

I don't find evidence of a hardware problem on the machine. The next puppet run succeeds; the problem happens once every few days. Anyone have pointers on how to troubleshoot this or ideas on what the issue could be?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jeff McCune
2012-Jun-11 19:44 UTC
Re: [Puppet Users] "decryption failed or bad record mac" errors
On Mon, Jun 11, 2012 at 11:34 AM, <maillists0@gmail.com> wrote:
> I inherited an old installation (0.24) that's been trouble-free until
> recently, when I started getting these error messages from a single
> machine:
>
> Failed to retrieve current state of resource: Certificates were not
> trusted: SSL_read:: decryption failed or bad record mac Could not
> describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
> decryption failed or bad record mac
>
> I don't find evidence of a hardware problem on the machine. The next
> puppet run succeeds; the problem happens once every few days. Anyone
> have pointers on how to troubleshoot this or ideas on what the issue
> could be?

This error is probably referring to the message authentication code [1], not the media access control address [2].

How is your puppet master configured? Have any recent software updates changed the OpenSSL libraries on your systems?

[1] http://en.wikipedia.org/wiki/Message_authentication_code
[2] http://en.wikipedia.org/wiki/MAC_address

-Jeff
maillists0@gmail.com
2012-Jun-11 19:59 UTC
Re: [Puppet Users] "decryption failed or bad record mac" errors
:
>> I inherited an old installation (0.24) that's been trouble-free until
>> recently, when I started getting these error messages from a single
>> machine:
>>
>> Failed to retrieve current state of resource: Certificates were not
>> trusted: SSL_read:: decryption failed or bad record mac Could not
>> describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
>> decryption failed or bad record mac
>>
--snip--
>
> This error is probably referring to the message authentication code
> [1], not the media access control address [2].
>
> How is your puppet master configured? Have any recent software
> updates changed the OpenSSL libraries on your systems?
>
> [1] http://en.wikipedia.org/wiki/Message_authentication_code
> [2] http://en.wikipedia.org/wiki/MAC_address
>
> -Jeff

Thanks for that. I did not know about the Message Authentication Code, which makes sense in this case.

Nothing has changed on these machines for years and I just verified that nothing has recently been updated. I'm still digging around the logs, nothing jumps out yet.
Jeff McCune
2012-Jun-11 20:50 UTC
Re: [Puppet Users] "decryption failed or bad record mac" errors
It could be your CA certificate has expired. Could you paste the output of
openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?

--
Jeff McCune

On Monday, June 11, 2012 at 12:59 PM, maillists0@gmail.com wrote:
> :
> > > I inherited an old installation (0.24) that's been trouble-free until
> > > recently, when I started getting these error messages from a single
> > > machine:
> > >
> > > Failed to retrieve current state of resource: Certificates were not
> > > trusted: SSL_read:: decryption failed or bad record mac Could not
> > > describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
> > > decryption failed or bad record mac
> > >
> >
> --snip--
> >
> > This error is probably referring to the message authentication code
> > [1], not the media access control address [2].
> >
> > How is your puppet master configured? Have any recent software
> > updates changed the OpenSSL libraries on your systems?
> >
> > [1] http://en.wikipedia.org/wiki/Message_authentication_code
> > [2] http://en.wikipedia.org/wiki/MAC_address
> >
> > -Jeff
>
> Thanks for that. I did not know about the Message Authentication Code,
> which makes sense in this case.
>
> Nothing has changed on these machines for years and I just verified
> that nothing has recently been updated. I'm still digging around the
> logs, nothing jumps out yet.
maillists0@gmail.com
2012-Jun-11 21:10 UTC
Re: [Puppet Users] "decryption failed or bad record mac" errors
On Mon, Jun 11, 2012 at 4:50 PM, Jeff McCune <jeff@puppetlabs.com> wrote:
> It could be your CA certificate has expired. Could you paste the output of
> openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?
>
> --

Thanks, Jeff.

Since this is a work cert I'm not gonna post the whole thing, but I think this is the part we're looking for, correct? If not, I'll sanitize and post it.

Validity
    Not Before: Dec 27 21:38:24 2009 GMT
    Not After : Dec 26 21:38:24 2014 GMT

It looks like it doesn't expire until 2014.

I don't understand what would cause this to happen only occasionally and on one machine. Wouldn't you expect to see it consistently and across all machines if the cert had expired?
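The Validity block posted above can be checked against any clock reading, as in this added example (not part of the original thread). It goes beyond expiry to cover the not-yet-valid case that a host with a reset clock would see; the two clock readings other than the post time are constructed.

```python
import re
import ssl
from datetime import datetime, timezone

# Validity block as posted in the thread (from `openssl x509 -text -noout`).
VALIDITY_TEXT = """
Validity
    Not Before: Dec 27 21:38:24 2009 GMT
    Not After : Dec 26 21:38:24 2014 GMT
"""

def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    # openssl pads the label, so allow optional spaces before the colon.
    for label, value in re.findall(r"Not (Before|After)\s*:\s*(.+?GMT)", text):
        seconds = ssl.cert_time_to_seconds(value)
        found[label] = datetime.fromtimestamp(seconds, timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block lacks Not Before or Not After")
    return found["Before"], found["After"]

def classify(when, not_before, not_after):
    """State of the certificate as seen by a host whose clock reads `when`."""
    if when < not_before:
        return "not-yet-valid"
    if when > not_after:
        return "expired"
    return "valid"

def audit(text, clock_readings):
    """Map each labelled clock reading to (state, whole days until expiry)."""
    not_before, not_after = parse_validity(text)
    return {
        name: (classify(when, not_before, not_after), (not_after - when).days)
        for name, when in clock_readings.items()
    }

# The first reading is the timestamp of the first post; the other two are constructed.
READINGS = {
    "thread-post": datetime(2012, 6, 11, 18, 34, tzinfo=timezone.utc),
    "clock-reset": datetime(2000, 1, 1, tzinfo=timezone.utc),
    "after-expiry": datetime(2015, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, (state, days) in audit(VALIDITY_TEXT, READINGS).items():
        print(f"{name:13} {state:14} days_until_expiry={days}")
```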
Jeff McCune
2012-Jun-11 21:16 UTC
Re: [Puppet Users] "decryption failed or bad record mac" errors
On Mon, Jun 11, 2012 at 2:10 PM, <maillists0@gmail.com> wrote:
> On Mon, Jun 11, 2012 at 4:50 PM, Jeff McCune <jeff@puppetlabs.com> wrote:
>> It could be your CA certificate has expired. Could you paste the output of
>> openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?
>>
>> --
>
> Thanks, Jeff.
>
> Since this is a work cert I'm not gonna post the whole thing, but I
> think this is the part we're looking for, correct? If not, I'll
> sanitize and post it.
>
> Validity
> Not Before: Dec 27 21:38:24 2009 GMT
> Not After : Dec 26 21:38:24 2014 GMT
>
> It looks like it doesn't expire until 2014.
>
> I don't understand what would cause this to happen only occasionally
> and on one machine. Wouldn't you expect to see it consistently and
> across all machines if the cert had expired?

Ah, yes. I'm not sure what the issue is then. Perhaps just re-issue the certificate for that one machine and see if that fixes the problem?

-Jeff