Matthew, you are right, this explains ALMOST everything:

"Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in this case, which runs version 0.9.7 with patches and doesn’t support sha256. I don’t mind the idea of compiling 1.0.x but the issue still seems to stand that you can’t choose the digest method anymore – there is an apparent use of SHA256 regardless of what option you choose."

But if I use RH4 with openssl-lib 0.9.7 as master, I have no problem connecting the other RH4 nodes. This means that Puppet doesn't always use SHA256, but only if it is available from the openssl library. Right?

So, there are two ways (one harder than the other for me) to solve the issue at openssl level:

1. install openssl-lib rpm for RH5 on RH4 (but there are a lot of missing dependencies)
2. downgrade openssl lib on Centos 6.3 master from 1.0.0 to 0.9.7 ???

Since the --digest option won't work, is there any other way to force puppet not to use SHA256??

On 13 February 2013 16:16, Matthew Black <mjbl...@gmail.com> wrote:
> I think this issue is related to your issue since the version
> discussed is 0.9.7.
>
> http://projects.puppetlabs.com/issues/17295
>
> What you will need to do, more than likely, is update the openssl on
> the agent. I don't think it will work too well but you can try to take
> the srpm from rhel 5 or 6 and build it for rhel 4
>
>
> On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella
> <luigimartin.petre...@gmail.com> wrote:
> > Master:
> > Centos 6.3 , Puppet 3.1.0
> > Ubuntu, Puppet 3.1.0
> >
> > Agent:
> > Redhat 4, Puppet 3.1.0
> >
> > Yesterday something strange happened:
> > we tried to connect RedHat agent with a Puppet Enterprise Master on Centos
> > 6.3, and there weren't any certificate problems and everything worked.
> > Today we are trying with the same configuration, but the same
> > validation error described before appeared
> >
> > On 13 February 2013 14:12, Matthew Black <mjbl...@gmail.com> wrote:
> >>
> >> What versions of puppet are being used on the client and
> >> the server? Assuming master is running on Linux, what distro and
> >> release is the master running on?
> >>
> >> I suspect the openssl might be the issue on the client.
> >>
> >> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella
> >> <luigimartin.petre...@gmail.com> wrote:
> >> > Felix, why do you think the problem is related to the "--waitforcert"
> >> > option?
> >> > I tried to run "puppet agent -t --waitforcert 100", and after signing
> >> > the request on master, on agent I receive this message:
> >> >
> >> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
> >> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
> >> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
> >> >
> >> > On 13 February 2013 13:15, Felix Frank <felix.fr...@alumni.tu-berlin.de>
> >> > wrote:
> >> >>
> >> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
> >> >> > All cert problems are either time sync or certificate name issues. So
> >> >> > it's one of those two.
> >> >>
> >> >> A bold assertion. It may hold true as far as puppet is concerned,
> >> >> though.
> >> >>
> >> >> I generally advise to take the time and learn about x509 and openssl's
> >> >> interface, so one can inspect the actual certificates in question.
> >> >>
> >> >> > Exiting; no certificate found and waitforcert is disabled|
> >> >>
> >> >> Hmm, so did you *ever* use --waitforcert on your agent side?
> >> >>
> >> >> If you haven't, that's your problem right there.
> >> >>
> >> >> HTH,
> >> >> Felix
> >> >>
> >> >> --
> >> >> You received this message because you are subscribed to the Google Groups
> >> >> "Puppet Users" group.
> >> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> >> email to puppet-users+unsubscr...@googlegroups.com.
> >> >> To post to this group, send email to puppet-users@googlegroups.com.
> >> >> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> >> >> For more options, visit https://groups.google.com/groups/opt_out.
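
The check the thread keeps circling, comparing the digest a certificate was signed with against the digests the OpenSSL linked into a host's Ruby can load, is sketched here as an added example; it is not part of the thread and not Puppet's code. All function names are hypothetical, and the certificate is a constructed throwaway generated in the script.

```ruby
require 'openssl'

# Digest names to probe. Per the thread, OpenSSL 0.9.7 builds lack SHA256.
PROBE_DIGESTS = %w[SHA1 SHA256 SHA384].freeze

# Names from the list that the OpenSSL linked into this Ruby can instantiate.
# An unknown name raises, which is the agent-side failure quoted in the thread.
def supported_digests(names = PROBE_DIGESTS)
  names.select do |name|
    begin
      OpenSSL::Digest.new(name)
      true
    rescue StandardError
      false
    end
  end
end

# Digest used in a certificate's signature,
# e.g. "sha256WithRSAEncryption" -> "SHA256".
def signature_digest(cert)
  m = cert.signature_algorithm.match(/(sha\d+|md5)/i)
  m && m[1].upcase
end

# True when a host whose OpenSSL offers `supported` can check cert's signature.
def verifiable_with?(cert, supported = supported_digests)
  supported.include?(signature_digest(cert))
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_cert(digest_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name)) # returns the certificate
end

if __FILE__ == $PROGRAM_NAME
  cert = constructed_cert('SHA256')
  puts "linked OpenSSL:   #{OpenSSL::OPENSSL_VERSION}"
  puts "digests here:     #{supported_digests.join(', ')}"
  puts "cert signed with: #{signature_digest(cert)}"
  puts "SHA1-only host can verify: #{verifiable_with?(cert, %w[SHA1])}"
end
```

To inspect a real certificate instead, load the PEM file with `OpenSSL::X509::Certificate.new(File.read(path))` and pass it to `signature_digest`.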