Bug#924005: client certificate verification regression with puppetdb
Stefan Bühler
stefan.buehler at tik.uni-stuttgart.de
Fri Mar 8 08:59:14 GMT 2019
Package: jetty9
Version: 9.4.15-1
Severity: important
Hi.
The update (libjetty9-java and libjetty9-extra-java) to 9.4.15-1 broke
our puppetdb setup; a downgrade to 9.4.14-1 fixes the issue.
I can't see any (new/useful/related) error message in the puppetdb log.
The error message from our puppetmaster is:
Error connecting to puppet-db.XXX on 8081 at route /pdb/cmd/v1?..., error message received was 'SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown'. Failing over to the next PuppetDB server_url in the 'server_urls' list
openssl s_client -quiet ... shows:
---
depth=1 CN = Puppet CA: puppetmaster.XXX
verify return:1
depth=0 CN = puppet-db.XXX
verify return:1
139863914905664:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1407:SSL alert number 46
---
(The same s_client call works with a jetty downgrade to 9.4.14-1, so the
client certificate arguments should be good.)
---
Installed jetty and puppet packages:
ii libjetty9-extra-java 9.4.15-1 all Java servlet engine and webserver -- extra libraries
ii libjetty9-java 9.4.15-1 all Java servlet engine and webserver -- core libraries
ii libtrapperkeeper-webserver-jetty9-clojure 1.7.0-2 all trapperkeeper webserver service
ii libpuppetlabs-http-client-clojure 0.9.0-1 all Clojure wrapper around libhttpasyncclient-java
ii libpuppetlabs-i18n-clojure 0.8.0-1 all Clojure i18n library
ii libpuppetlabs-ring-middleware-clojure 1.0.0-2 all common Ring middleware for Puppet projects
ii puppet 5.5.10-1 all configuration management system
ii puppetdb 6.2.0-3 all Puppet data warehouse
---
cheers,
Stefan
--
Stefan Bühler Mail/xmpp: stefan.buehler at tik.uni-stuttgart.de
Netze und Kommunikationssysteme der Universität Stuttgart (NKS)
https://www.tik.uni-stuttgart.de/ Telefon: +49 711 685 60854