[Pkg-puppet-devel] Bug#573416: server certificate name mismatch leads to obscure error

martin f krafft madduck at debian.org
Thu Mar 11 11:31:32 UTC 2010


Package: puppet
Version: 0.25.4-2
Severity: wishlist
Forwarded: http://projects.reductivelabs.com/issues/3101
Tags: upstream

I encountered the situation where I was trying to connect to
a puppetmaster with a different hostname than its CN in the SSL
certificate. The error was rather obscure:

  err: Could not retrieve catalog from remote server: undefined
  method `closed?' for nil:NilClass

After ensuring that DNS was all properly configured and noticing
that the puppet --trace showed that the error was due to an
undefined socket object in puppet's HTTP request method (http.rb
— I tip my hat to ruby for even letting things get that far),
I tried ruby --debug and found:

  Exception `OpenSSL::SSL::SSLError' at
  /usr/lib/ruby/1.8/openssl/ssl.rb:123 - hostname was not match with
  the server certificate

Sure enough, changing the server hostname used by puppetd to match
the server's CN made the problem go away.

It would be nice if puppet could be a bit more helpful with error
reporting, and if Ruby could be fixed.

-- System Information:
Debian Release: squeeze/sid
Architecture: i386 (i686)

Kernel: Linux 2.6.33-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages puppet depends on:
ii  adduser                      3.112       add and remove users and groups
ii  facter                       1.5.7-1     a library for retrieving facts fro
ii  libopenssl-ruby              4.2         OpenSSL interface for Ruby
ii  libruby [libxmlrpc-ruby]     4.2         Libraries necessary to run Ruby 1.
ii  libshadow-ruby1.8            1.4.1-8     Interface of shadow password for R
ii  lsb-base                     3.2-23      Linux Standard Base 3.2 init scrip
ii  puppet-common                0.25.4-2    common files for puppet and puppet
ii  ruby1.8                      1.8.7.249-1 Interpreter of object-oriented scr

Versions of packages puppet recommends:
ii  libaugeas-ruby1.8             0.3.0-1.1  Augeas bindings for the Ruby langu
ii  rdoc                          4.2        Generate documentation from ruby s

Versions of packages puppet suggests:
pn  puppet-el                     <none>     (no description available)
pn  vim-puppet                    <none>     (no description available)

-- no debconf information

-- 
 .''`.   martin f. krafft <madduck at d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
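
The check behind the `OpenSSL::SSL::SSLError` in the report, as an added example that is not part of the original message and is not Puppet's own code: it compares a server certificate against the hostname the client used and, on mismatch, returns a message listing the names the certificate carries. The helper names (`certificate_names`, `name_mismatch_message`, `build_sample_cert`) and the `example.com` hostnames are assumptions made for this illustration; the certificate is constructed in memory.

```ruby
require 'openssl'

# Names carried by the certificate: subjectAltName DNS entries and the subject CN.
def certificate_names(cert)
  names = []
  cert.extensions.each do |ext|
    next unless ext.oid == 'subjectAltName'
    ext.value.split(/,\s*/).each do |entry|
      names << entry.sub(/\ADNS:/, '') if entry.start_with?('DNS:')
    end
  end
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  names << cn[1] if cn
  names.uniq
end

# Returns nil when hostname matches the certificate, otherwise a readable message.
# OpenSSL::SSL.verify_certificate_identity is the matching routine that
# SSLSocket#post_connection_check relies on in Ruby's openssl library.
def name_mismatch_message(cert, hostname)
  return nil if OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  "server certificate is not valid for '#{hostname}'; " \
    "certificate presents: #{certificate_names(cert).join(', ')}"
end

# Constructed sample: a short-lived self-signed certificate (hypothetical names).
def build_sample_cert(cn, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  san = alt_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

SAMPLE_CERT = build_sample_cert('puppetmaster.example.com', ['puppetmaster.example.com'])
puts name_mismatch_message(SAMPLE_CERT, 'puppet.example.com')
```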