Bug #1525

local host fails to sync with mongrel/apache2

Added by martin krafft over 3 years ago. Updated almost 2 years ago.

Status:Closed Start date:08/21/2008
Priority:Normal Due date:
Assignee:- % Done:

0%
Category:mongrel
Target version:-
Affected Puppet version:0.25.4 Branch:
Keywords:
Votes: 0

Description

After switching to mongrel (and recreating the certificate for the local puppetd), the local puppetd won’t sync with puppet anymore:

err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction: Certificates were not trusted: tlsv1 alert decrypt error

All other hosts connecting via the network work fine.

It was suggested on IRC to comment SSLCARevocationFile in the apache2 config, but this did not make the problem go away.

openssl s_client -connect puppetmaster.madduck.net:8140 doesn’t output anything different when run locally.

openssl crl -in /var/lib/puppet/ssl/ca/ca_crl.pem -text seems happy. openssl x509 -in /var/lib/puppet/ssl/certs/vera.madduck.net.pem also seems happy.

An strace file of the puppetd run is attached.

Local puppet.conf is:

[puppetd] server=puppetmaster.madduck.net

[puppetmasterd] certname=puppetmaster.madduck.net

puppetd.strace.bz2 - strace of the puppetd run (126 kB) martin krafft, 08/21/2008 03:35 pm

Related issues

related to Puppet - Bug #4226: Puppet ca_name configuration setting should not default t... Closed 07/13/2010
duplicates Puppet - Bug #3770: Puppet SSL verfication is broken with multiple chained ce... Accepted 04/22/2010 04/22/2010

History

#1
Updated by micah - over 3 years ago

I have had a similar problem using nginx, new nodes aren’t able to get a CSR properly and in order to get them setup, I will kill nginx and the mongrels and instead run puppetmaster —no-daemonize -v and then run the node to get the certificate setup, puppetca it and then once everything is set, re-run the mongrels and nginx. I’d like to switch back to apache/mongrel to see if this changes anything.

#2
Updated by martin krafft over 3 years ago

Micah’s solution does work for me. It’s ugly but keeps me going for now.

#3
Updated by AJ Christensen over 3 years ago

For nginx you need to run a seperate instance on another port (e.g. 8141) for doing the CSR stuff, and —ca_port 8141 for new clients.

The tlsv1 decrypt thing I’ve seen w/ apache before, and that was due to the CRL

#4
Updated by martin krafft over 3 years ago

I cannot seem to reply or edit at the moment (probably javascript issues), so here’s another comment:

Micah’s solution works and lets me sign new certificates; however, on every run of puppetd, it (‘puppetd’ in the logs) complains about the tlsvs1 verification error and no actual configuration will happen since presumably it cannot establish the authenticity of the server.

#5
Updated by micah - over 3 years ago

For nginx you need to run a seperate instance on another port (e.g. 8141) for doing the CSR stuff, and —ca_port 8141 for new clients.

This is correct, once I tweaked my nginx config to be like the one on the wiki, with a 8141 port running, then this works.

#6
Updated by James Turnbull over 3 years ago

  • Category set to mongrel
  • Status changed from Unreviewed to Rejected

I think this is a configuration fix rather than a Puppet problem…

#7
Updated by martin krafft over 3 years ago

  • Status changed from Rejected to Re-opened

I don’t see how this is a configuration issue as my configuration matches what’s on the web. Also every remote hosts gets the configuration fine, it’s only the puppetd on the puppetmaster host itself having the problem.

#8
Updated by José Miguel Parrella Romero over 3 years ago

This problem is also present on 0.24.5 (Debian Lenny) — I’ve recently deployed Apache/Mongrel in front of my puppetmasterd, and now the puppetd on the puppetmasterd host can’t sync if CRL is enabled:

Sep  6 16:45:07 host puppetd[23706]: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert decrypt error

All other (two, ATM) puppetd’s can happily connect to the puppetmasterd using Apache as their proxy. I used the second Apache configuration at http://reductivelabs.com/trac/puppet/wiki/UsingMongrel for this.

In my case, if I comment SSLCARevocationFile it starts working.

This is a snippet of my Apache configuration for this:

SSLEngine on
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLCertificateFile /var/lib/puppet/ssl/certs/host.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/host.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth  1
SSLOptions +StdEnvVars
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
<Location />
   Order allow,deny
   Allow from all
</Location>
ProxyPass / http://127.0.0.1:18140/
ProxyPassReverse / http://127.0.0.1:18140/
ProxyPreserveHost on

Thanks for your time!

#9
Updated by martin krafft about 2 years ago

I was just about to close this bug not having seen this problem in months when it re-appeared out of the blue (I did not make any changes whatsoever). Still, commenting out SSLCARevocationFile in the apache.conf makes it all work. The CRL still has no revoked certificates, according to 

openssl crl -text -noout -in /var/lib/puppet/ssl/ca/ca_crl.pem
.

#10
Updated by martin krafft about 2 years ago

  • Affected Puppet version changed from 0.24.4 to 0.25.4

#11
Updated by James Turnbull almost 2 years ago

  • Status changed from Re-opened to Closed

Closing this is favour of the other CRL is broken ticket – #3770.

Also available in: Atom PDF