I suspect something is wrong with the underlying ssl libraries on the 
client with the problem. Does the output of 'rpm -qa | grep ssl' on the 
non-working client look the same as the client which works? How about 

ldd -r `rpm -ql ruby-libs | grep openssl.so`

?

On Sunday, April 22, 2012 2:19:27 AM UTC-7, Thomas Bétrancourt wrote:
>
> Hi!
>
> I've installed puppetmaster 2.7.13 on a server with CentOS 6.2 with an rpm 
> supplied by yum.puppetlabs.com.
>
> I've set up an apache2 vhost with mod_ssl and passenger. The server is 
> configured to autosign the cert requests.
>
> The agent installed on the puppetmaster's server works fine. I've a second 
> agent on a server which can sync with the server too. This server is on 
> CentOS 6.2 too. It is a KVM hypervisor managed with libvirt. All virtual 
> machines are configured to join a network bridge. Some iptables rules 
> forward the traffic from the VM to the world (and vice versa). The world 
> can connect to the VM (e.g. SSH) and the VM can go to the world.
>
> On the hypervisor, I've a VM on CentOS 6.2 too. The DNS name 'puppet' is 
> resolved by the hypervisor (which has a dnsmasq server). When I launch 
> the puppet agent for the first time, a cert is generated by the server. The 
> client now has the certs and key on its filesystem. But when the client 
> tries to sync with the server, I get the following output:
> [root@machine-1 ~]# puppet agent --test
> info: Creating a new SSL key for machine-1.test.betrancourt.net
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for machine-1.test.betrancourt.net
> info: Certificate Request fingerprint (md5): BA:1B:67:81:34:11:1B:98:3D:38:FB:1F:21:F4:B4:5E
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for machine-1.test.betrancourt.net
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
> [root@machine-1 ~]# 
>
> The client cert is in the server cert db:
> [root@medion ~]# puppetca list --all | grep machine-1
> + machine-1.test.betrancourt.net   (1C:78:20:02:EB:BB:B8:7B:62:E6:80:ED:A4:06:9D:92)
>
> In puppet.conf, on the server, I've the following content:
> [main]
>     logdir = /var/log/puppet
>     rundir = /var/run/puppet
>     ssldir = $vardir/ssl
>
> [agent]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
>     pluginsync = true
>
> [master]
>     autosign = true
>     ssl_client_header        = SSL_CLIENT_S_DN
>     ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> My apache vhost is configured like this:
> <VirtualHost 192.168.1.60:8140>
>     SSLEngine on
>     SSLProtocol -all +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>     SSLCertificateFile      /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem
>     SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
>     # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
>     SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth  1
>     SSLOptions +StdEnvVars
>
>     # The following client headers allow the same configuration to work with Pound.
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     PassengerHighPerformance on
>     PassengerStatThrottleRate 120
>     PassengerUseGlobalQueue on
>     RackAutoDetect Off
>     RailsAutoDetect Off
>     RackBaseURI /
>
>     DocumentRoot /etc/puppet/puppetmaster/public
>
>     <Directory /etc/puppet/puppetmaster>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
>
>
>     ErrorLog /var/log/httpd/puppetmaster_error.log
>     CustomLog /var/log/httpd/puppetmaster_access.log combined
> </VirtualHost>
>
> On the clients, the puppet.conf has the following content:
> [main]
>     logdir = /var/log/puppet
>     rundir = /var/run/puppet
>     ssldir = $vardir/ssl
>
> [agent]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
>     pluginsync = true
>
> I don't know how to solve this problem. I've read the puppet guides about ssl 
> / apache / passenger. I don't understand how some clients can use the 
> server, but not this one... 
>
> Thanks in advance for your support.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/3sjRRdIMp0cJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

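The "tlsv1 alert protocol version" failure in the quoted agent output is what a TLS client sees when the two sides have no protocol version in common: the server's floor is above the client's ceiling (or the reverse), so the server answers the ClientHello with a protocol_version alert instead of a ServerHello. The following Ruby script reproduces that failure next to a working handshake. It is an added example, not code from this thread or from Puppet; it stands in for the master with a self-signed certificate generated in-process for the hypothetical name puppet.example.test, runs both handshakes over a local socket pair so nothing touches the network, and uses the openssl gem's min_version/max_version API (Ruby 2.5 or later, built against OpenSSL 1.1.1 or later so that TLS 1.3 is available). The server-side min/max limits play the role that Apache's SSLProtocol line plays in the quoted vhost.

```ruby
require "openssl"
require "socket"

# Hypothetical master name; the certificate below is generated in-process,
# nothing here touches the poster's hosts or Puppet's own SSL directory.
HOST = "puppet.example.test"

# Throwaway self-signed certificate standing in for the master's cert + CA.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Server side: min/max here play the role of Apache's SSLProtocol line.
def server_context(key, cert, min, max)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.min_version = min
  ctx.max_version = max
  ctx
end

# Client side: verify the peer against the CA and check the hostname
# (unlike the agent's bootstrap phase, which logs "peer certificate
# won't be verified in this SSL session").
def client_context(ca_cert, min, max)
  ctx = OpenSSL::SSL::SSLContext.new
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx.cert_store      = store
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.min_version     = min
  ctx.max_version     = max
  ctx
end

# One handshake over a local socket pair. Returns [:ok, version, echoed_line]
# on success or [:error, message] with the client-side error text.
def handshake(server_ctx, client_ctx, hostname)
  s_io, c_io = UNIXSocket.pair
  server = OpenSSL::SSL::SSLSocket.new(s_io, server_ctx)
  client = OpenSSL::SSL::SSLSocket.new(c_io, client_ctx)
  client.hostname = hostname # SNI, and the name checked against the cert
  acceptor = Thread.new do
    begin
      server.accept
      server.puts(server.gets) # echo one line back
    rescue StandardError => e
      e                        # server-side failure, kept for inspection
    end
  end
  begin
    client.connect
    client.puts("ping")
    [:ok, client.ssl_version, client.gets.to_s.chomp]
  rescue OpenSSL::SSL::SSLError => e
    [:error, e.message]
  ensure
    acceptor.join
    [client, server, s_io, c_io].each { |io| io.close rescue nil }
  end
end

KEY, CERT = make_self_signed(HOST)

# Server floor (TLS 1.3) above client ceiling (TLS 1.2): no common version,
# so the server replies with a protocol_version alert, like the agent saw.
def mismatched_handshake
  handshake(server_context(KEY, CERT, OpenSSL::SSL::TLS1_3_VERSION, OpenSSL::SSL::TLS1_3_VERSION),
            client_context(CERT, OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_2_VERSION),
            HOST)
end

# Overlapping ranges: both sides allow TLS 1.2 and 1.3, and 1.3 is chosen.
def matched_handshake
  handshake(server_context(KEY, CERT, OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_3_VERSION),
            client_context(CERT, OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_3_VERSION),
            HOST)
end

if $PROGRAM_NAME == __FILE__
  p mismatched_handshake  # => [:error, "SSL_connect ... tlsv1 alert protocol version"]
  p matched_handshake     # => [:ok, "TLSv1.3", "ping"]
end
```

The first call fails on the client with the same "tlsv1 alert protocol version" reason as the quoted run; the second negotiates TLSv1.3 and echoes a line. Against a real master the equivalent probe is `openssl s_client -connect puppet:8140 -tls1` (or `-tls1_2`), which shows which versions the server accepts from the agent's OpenSSL. Note that the quoted vhost's `SSLProtocol -all +SSLv3 +TLSv1` admits only SSLv3 and TLS 1.0, so any agent whose OpenSSL offers neither gets exactly this alert; SSLv3 and the RC4 suites preferred by that SSLCipherSuite line are both considered broken today and should be dropped rather than widened.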