Stephen Wallace
2013-Aug-27 07:45 UTC
[Puppet Users] Puppetdb [io.nio] javax.net.ssl.SSLHandshakeException: null cert chain
Hi,
I'm trying to layer out PE3 as follows;
1) Puppet console / Active CA (autosigning)
2) Puppet Master (non-CA)
3) PuppetDB
4) Puppet Client - for testing
5) HAProxy presenting the puppet service address, forwarding 443 to the console, and 8140 to the PM. (Let's not worry about MCollective yet)
The PM and PuppetDB both had their certs signed against the Console / CA, and both can do a puppet agent -t
I've set up the SSL proxying on the PM1 as follows;
#############
# Enable SSLProxyEngine for proxying SSL connections
SSLProxyEngine On
# Disable PassengerHighPerformance because of proxy_http
PassengerHighPerformance Off
# Add the mod_proxy redirect
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetcon.puppetlabs.net:8140/$1
# ProxyPassReverse ^/([^/]+/certificate.*)$ https://puppetcon.puppetlabs.net:8140/$1
#############
When I initially run puppet agent -t on the client, the CSR is generated, and signed on the CA. There are errors on all subsequent runs from the client;
[root@puppetclient puppet]# /opt/puppet/bin/puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Could not retrieve facts for puppetclient.puppetlabs.net: Failed to find facts from PuppetDB at puppetdb.puppetlabs.net:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Retrieving plugin
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/puppet_vardir.rb
( snip)
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/custom_auth_conf.rb
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/concat_basedir.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppetclient.puppetlabs.net to PuppetDB at puppetdb.puppetlabs.net:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
The error appears to be an SSL issue associated with talking to PuppetDB as per the following entry in the puppetdb.log file.
[io.nio] javax.net.ssl.SSLHandshakeException: null cert chain
My java/jre stuff currently installed is as follows;
root@puppetdb:/var/log/pe-puppetdb# dpkg -l|grep jre
rc openjdk-6-jre-headless 6b27-1.12.6-1ubuntu0.12.04.2 OpenJDK Java runtime, using Hotspot JIT (headless)
rc openjdk-7-jre-headless 7u25-2.3.10-1ubuntu0.12.04.2 OpenJDK Java runtime, using Hotspot JIT (headless)
root@puppetdb:/var/log/pe-puppetdb# dpkg -l|grep java
rc ca-certificates-java 20110912ubuntu6 Common CA certificates (JKS keystore)
ii java-common 0.43ubuntu2 Base of all Java packages
ii pe-java 1.7.0.19-1puppet1 OpenJDK Development Kit (JDK)
ii tzdata-java 2012e-0ubuntu0.12.04.1 time zone and daylight-saving time data for use by java runtimes
root@puppetdb:/var/log/pe-puppetdb#
JAVA_HOME, or any of this sort of variable is not set in my env.
I did see this one which talks about the issue, but no resolutions?
https://groups.google.com/forum/#!msg/puppet-users/iD3gYQPDH2Q/zhASUzRhK7EJ
Any assistance would be greatly appreciated!
Regs,
Stephen
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
Stephen Wallace
2013-Aug-28 00:58 UTC
[Puppet Users] Re: Puppetdb [io.nio] javax.net.ssl.SSLHandshakeException: null cert chain
Hmmmm....an outstanding bug - http://projects.puppetlabs.com/issues/20838
Stephen
On Tuesday, 27 August 2013 17:45:28 UTC+10, Stephen Wallace wrote:
> (snip)
Sai_Emc
2013-Sep-24 18:00 UTC
[Puppet Users] Re: Puppetdb [io.nio] javax.net.ssl.SSLHandshakeException: null cert chain
Try this and see, it might help.
0) Stop puppetdb
1) remove PuppetDB's SSL directory entirely (usually /etc/puppetdb/ssl)
2) make sure that the agent on the puppetdb machine can run successfully against the master (puppet agent --test, sounds like you've already done this.)
3) Run the puppetdb-ssl-setup script (which should be in your sbin directory)
4) Restart puppetdb
Regards
Sai.
On Tuesday, August 27, 2013 8:58:27 PM UTC-4, Stephen Wallace wrote:
> Hmmmm....an outstanding bug - http://projects.puppetlabs.com/issues/20838
>
> Stephen
>
> On Tuesday, 27 August 2013 17:45:28 UTC+10, Stephen Wallace wrote:
>> (snip)
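The rebuild steps in Sai's reply, together with the checks a practitioner would want before and after running them against the handshake failure in Stephen's original post, as an added shell example; it is not from the thread and not Puppet Labs' own tooling. It relies on one fact about the server side of the error: the JDK's TLS implementation raises "null cert chain" when a server that requires client authentication receives no client certificate at all, so the thing to establish first is which certificate the master presents to PuppetDB and whether that certificate, and the CA behind it, match what PuppetDB's keystore and truststore were built from. Everything in the script other than the openssl invocations is an assumption: the PE 3 paths (/opt/puppet/bin/puppet, /opt/puppet/sbin/puppetdb-ssl-setup, /etc/puppetlabs/puppetdb/ssl), the pe-puppetdb service name, and the PuppetDB host and port taken from the original post. All of them can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread and not Puppet Labs tooling: check the
# identity the master presents to PuppetDB, then rebuild PuppetDB's SSL setup
# the way Sai describes. Every path, service name, host and port below is an
# assumption (PE 3 layout); override through the environment.
set -u

PUPPET_BIN="${PUPPET_BIN:-/opt/puppet/bin/puppet}"
PUPPETDB_SSL_SETUP="${PUPPETDB_SSL_SETUP:-/opt/puppet/sbin/puppetdb-ssl-setup}"
PUPPETDB_SSL_DIR="${PUPPETDB_SSL_DIR:-/etc/puppetlabs/puppetdb/ssl}"
PUPPETDB_SERVICE="${PUPPETDB_SERVICE:-pe-puppetdb}"
PUPPETDB_HOST="${PUPPETDB_HOST:-puppetdb.puppetlabs.net}"
PUPPETDB_PORT="${PUPPETDB_PORT:-8081}"

# Subject of the first certificate in a PEM file: the identity a cert/key
# pair will present to PuppetDB.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds when the leaf cert in $2 verifies against the CA bundle in $1.
# The master's cert must verify against the CA PuppetDB trusts; when it does
# not, or the master sends no cert at all, PuppetDB logs "null cert chain".
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when two PEM files carry the same CA certificate. Compare the
# master's ca.pem with the ca.pem on the PuppetDB host, which is what
# puppetdb-ssl-setup builds the keystore and truststore from.
same_ca() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Live probe: connect to PuppetDB presenting cert $1 and key $2 and trusting
# CA $3, as the master's PuppetDB terminus does. Prints the verify result and
# any alert; needs network access to PuppetDB, so it is not run by default.
probe_puppetdb() {
    printf '' | openssl s_client -connect "${PUPPETDB_HOST}:${PUPPETDB_PORT}" \
        -cert "$1" -key "$2" -CAfile "$3" 2>&1 |
        grep -E 'Verify return code|alert|error'
}

# Sai's steps 0-4, with a timestamped backup instead of a bare rm -rf and
# with the agent run's exit status checked. puppet agent --test implies
# --detailed-exitcodes: 0 and 2 are success, 4 and 6 mean failures.
rebuild_puppetdb_ssl() {
    service "$PUPPETDB_SERVICE" stop || return 1
    if [ -d "$PUPPETDB_SSL_DIR" ]; then
        mv "$PUPPETDB_SSL_DIR" "${PUPPETDB_SSL_DIR}.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    "$PUPPET_BIN" agent --test
    case $? in
        0|2) ;;
        *) echo "agent run failed; leaving PuppetDB SSL unbuilt" >&2; return 1 ;;
    esac
    "$PUPPETDB_SSL_SETUP" || return 1
    service "$PUPPETDB_SERVICE" start
}

# The rebuild is destructive, so it only runs on an explicit request.
if [ "${1:-}" = "--rebuild" ]; then
    rebuild_puppetdb_ssl
fi
```

Run the checks from the master with the master's own cert and key under its puppet ssl directory, since that is the identity the PuppetDB terminus presents: cert_chains_to_ca against the master's ca.pem should succeed, and probe_puppetdb should report "Verify return code: 0 (ok)" rather than an alert. Print cert_fingerprint of ca.pem on both hosts (or copy one file across and call same_ca) before touching anything; if the two CAs differ, wiping and rebuilding PuppetDB's SSL directory will only help once the PuppetDB host's agent has a cert from the same CA the master uses. Only then run the script with --rebuild on the PuppetDB host.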
Ken Barber
2013-Sep-25 13:37 UTC
Re: [Puppet Users] Re: Puppetdb [io.nio] javax.net.ssl.SSLHandshakeException: null cert chain
So I've been trying to get to the bottom of this one for a while, but haven't found anyone who is being affected to work with me properly since it first occurred to get to the bottom of the problem. If you want to jump on Freenode IRC and contact me: ken_barber we can talk further. This problem is far too fiddly to talk through on puppet-users I've found.
ken.
On Tue, Sep 24, 2013 at 7:00 PM, Sai_Emc <saiprasadt@gmail.com> wrote:
> (snip)