[Pkg-puppet-devel] Bug#602542: puppet: certification validation fails on clients
Ansgar Burchardt
ansgar at mathi.uni-heidelberg.de
Fri Nov 5 17:49:21 UTC 2010
Package: puppet
Version: 2.6.2-1
Severity: important
After upgrading puppet from lenny to version 2.6.2-1~bpo50+1 (on a lenny
host) or 2.6.2-1 (on a squeeze host), the puppet client is no longer
happy with the server's certificate. Running "puppet agent -t" after
cleaning /var/lib/puppet/ssl gives the following output:
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for ***.mathi.uni-heidelberg.de
info: Certificate Request fingerprint (md5): 7E:1B:B4:26:30:2A:E3:FA:5D:C6:D8:2E:84:B0:58:D8
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ***.mathi.uni-heidelberg.de
info: Caching certificate_revocation_list for ca
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
Any later try also fails with "certificate verify failed".
I can connect to the puppet master using
openssl s_client -CAfile .../ca.pem -connect puppet.mathi.uni-heidelberg.de:8140
and the certificate is valid.
We use two different CAs with puppet: one for signing the puppetmaster's
server certificate, and puppet manages its own CA for signing client
certificates. There are no certificate chains.
I did fumble a bit with the source and applying the attached patch makes
the clients accept the SSL certificate again (in both lenny-backports
and squeeze), but I have no idea what I might have broken.
Regards,
Ansgar
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages puppet depends on:
ii adduser 3.112 add and remove users and groups
ii facter 1.5.7-1 a library for retrieving facts fro
pn libopenssl-ruby <none> (no description available)
ii libruby [libxmlrpc-ruby] 4.5 Libraries necessary to run Ruby 1.
ii libshadow-ruby1.8 1.4.1-8 Interface of shadow password for R
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii puppet-common 2.6.2-1 Centralized configuration manageme
ii ruby1.8 1.8.7.302-2 Interpreter of object-oriented scr
Versions of packages puppet recommends:
pn libaugeas-ruby1.8 <none> (no description available)
ii ruby [rdoc] 4.5 An interpreter of object-oriented
Versions of packages puppet suggests:
pn libselinux-ruby1.8 <none> (no description available)
pn puppet-el <none> (no description available)
pn vim-puppet <none> (no description available)
-- Configuration Files:
/etc/default/puppet changed [not included]
-- no debconf information
-------------- next part --------------
--- puppet-2.6.2.orig/lib/puppet/network/http_pool.rb
+++ puppet-2.6.2/lib/puppet/network/http_pool.rb
@@ -53,7 +53,7 @@ module Puppet::Network::HttpPool
# Just no-op if we don't have certs.
return false unless FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])
- http.cert_store = ssl_host.ssl_store
+ #http.cert_store = ssl_host.ssl_store
http.ca_file = Puppet[:localcacert]
http.cert = ssl_host.certificate.content
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
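Review bot: commenting out `http.cert_store = ssl_host.ssl_store` discards whatever the store carried and leaves only `http.ca_file = Puppet[:localcacert]` for `VERIFY_PEER`; since the agent output above shows a certificate_revocation_list being cached for the CA, the store is the likely place where CRL checking is wired in, so this change probably silences the verify error at the cost of revocation checks. Given the two-CA setup described in the report, the fix should make the store trust the CA in `Puppet[:localcacert]` rather than drop the store, and dead code should be deleted, not left as a `#` comment.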
@@ -88,7 +88,7 @@ module Puppet::Network::HttpPool
# Pop open the http client a little; older versions of Net::HTTP(s) didn't
# give us a reader for ca_file... Grr...
- class << http; attr_accessor :ca_file; end
+ #class << http; attr_accessor :ca_file; end
http.use_ssl = true
# Use configured timeout (#1176)
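Review bot: the singleton `attr_accessor :ca_file` this hunk disables does more than add a reader: on a Net::HTTP that already defines `ca_file=` (ruby1.8 1.8.7 is listed in the dependencies), it replaces the real setter with a plain instance variable, so the `ca_file` assigned in the first hunk may never reach the SSL context, which fits the "certificate verify failed" symptom. Removing it is the right direction, but guard it with something like `class << http; attr_accessor :ca_file; end unless http.respond_to?(:ca_file=)` so the old-Net::HTTP workaround the comment describes still applies, and update the comment instead of commenting the line out.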