Unfortunately, I am installing my puppet agent and master with RPMs.  When 
I uninstall and reinstall the puppet agent, it blows away the 
certificate_signer.rb file and recreates it with the original file.

I have a number of systems  (not all of which I have control over) that 
I'll need to do this to or have done to them, so the method suggested is 
not appropriate.

Any other suggestions?

Thanks,
Jason

On Thursday, February 14, 2013 10:32:00 AM UTC-5, Luigi Martin Petrella wrote:
>
> Your configuration is almost the same as mine.
> I'm not 100% sure but I think that after modifying certificate_signer.rb 
> you should re-install puppet, running "ruby install.rb" again.
>
> (in my case, I first downloaded source code, then modified the class and 
> finally ran the install.rb)
>
>
> On 14 February 2013 16:17, binaryred <bina...@gmail.com> wrote:
>
>> Puppet master is running RHEL 6.3 with the following packages:
>>
>> puppet-3.1.0-1.el6.noarch
>> puppet-server-3.1.0-1.el6.noarch
>> openssl-1.0.0-20.el6_2.5.x86_64
>>
>> Client is running RHEL 4.8 with the following packages:
>>
>> puppet-2.7.20-1
>> openssl-0.9.7a-43.17.el4_7.2
>>
>> After changing the certificate_signer.rb file as you suggested, I 
>> rebooted my puppet master and cleared the cert for the client, and then 
>> removed /var/lib/puppet/ssl on the client as well.  I then run 'puppet 
>> agent -t' on the client and this is what I get:
>>
>> err: Could not retrieve catalog from remote server: certificate verify 
>> failed: [certificate signature failure for /CN=puppetmaster.example.com
>>
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>> err: Could not send report: certificate verify failed: [certificate 
>> signature failure for /CN=puppetmaster.example.com]
>>
>> Maybe this isn't an ssl issue, but I'm not sure what else would be wrong.
>>
>> Jason
>>
>>
>>
>> On Thursday, February 14, 2013 9:29:28 AM UTC-5, Luigi Martin Petrella wrote:
>>
>>> Jason, 
>>> I did the change on master, Centos 6.3 with Puppet 3.1.0.
>>> This modification can't be applied on Puppet 2.7.x since the class
>>> certificate_signer.rb doesn't exist in Puppet 2.7 source code.
>>>
>>> What's your configuration on master and agent nodes? 
>>> What's the output of "rpm -qa | grep openssl" ?
>>>
>>>
>>>
>>> On 14 February 2013 15:19, binaryred <bina...@gmail.com> wrote:
>>>
>>>> Luigi,
>>>>
>>>> I find I'm in a similar situation as you, except I am not running
>>>> puppet 3 on my client, I am running puppet 2.7. This change that you
>>>> made, was it on the client or your puppet master?
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>>>
>>>> On Thursday, February 14, 2013 5:31:13 AM UTC-5, Luigi Martin Petrella wrote:
>>>>
>>>>> The trick worked :-)
>>>>>
>>>>> Thanks to everyone for your contribution!
>>>>>
>>>>>
>>>>> On 13 February 2013 18:26, Luigi Martin Petrella <luigimarti...@gmail.com> wrote:
>>>>>
>>>>>> Yes, it is exactly the cause of the problem!
>>>>>> "
>>>>>> certificate_signer.rb
>>>>>>
>>>>>> # Take care of signing a certificate in a FIPS 140-2 compliant manner.
>>>>>> #
>>>>>> # @see http://projects.puppetlabs.com/issues/17295
>>>>>> #
>>>>>> # @api private
>>>>>> class Puppet::SSL::CertificateSigner
>>>>>>   def initialize
>>>>>>     if OpenSSL::Digest.const_defined?('SHA256')
>>>>>>       @digest = OpenSSL::Digest::SHA256
>>>>>>     elsif OpenSSL::Digest.const_defined?('SHA1')
>>>>>>       @digest = OpenSSL::Digest::SHA1
>>>>>>     else
>>>>>>       raise Puppet::Error,
>>>>>>         "No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest"
>>>>>>     end
>>>>>>     @digest
>>>>>>   end
>>>>>>
>>>>>>   def sign(content, key)
>>>>>>     content.sign(key, @digest.new)
>>>>>>   end
>>>>>> end
>>>>>> "
>>>>>>
>>>>>> If I switch the order of these checks
>>>>>>
>>>>>>     if OpenSSL::Digest.const_defined?('SHA256')
>>>>>>       @digest = OpenSSL::Digest::SHA256
>>>>>>     elsif OpenSSL::Digest.const_defined?('SHA1')
>>>>>>       @digest = OpenSSL::Digest::SHA1
>>>>>>
>>>>>> probably it will work
>>>>>>
>>>>>>
>>>>>> I'll let you know..
>>>>>>
>>>>>>
>>>>>>  
>>>>>> On 13 February 2013 17:08, Matthew Black <mjb...@gmail.com> wrote:
>>>>>>
>>>>>>> Yes because as part of the fix it checks on the CA, when it's signing
>>>>>>> the cert, whether it can support 256 or not. If it does not it drops
>>>>>>> down to a lower SHA.
>>>>>>>
>>>>>>> Look at the pull request that is part of the ticket, specifically
>>>>>>> the changes. If you scroll down to the certificate_signer.rb change
>>>>>>> it will make more sense.
>>>>>>>
>>>>>>> https://github.com/puppetlabs/puppet/pull/1413/files
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Feb 13, 2013 at 10:37 AM, Luigi Martin Petrella
>>>>>>> <luigimarti...@gmail.com> wrote:
>>>>>>> > Matthew, you are right, this explains ALMOST everything
>>>>>>> >
>>>>>>> > "Puppet is using the Solaris-provided OpenSSL as part of the Ruby
>>>>>>> > install in this case, which runs version 0.9.7 with patches and
>>>>>>> > doesn’t support sha256. I don’t mind the idea of compiling 1.0.x but
>>>>>>> > the issue still seems to stand that you can’t choose the digest
>>>>>>> > method anymore – there is an apparent use of SHA256 regardless of
>>>>>>> > what option you choose."
>>>>>>> >
>>>>>>> > But
>>>>>>> >
>>>>>>> > If I use as master RH4 with openssl-lib 0.9.7 I have no problem
>>>>>>> > connecting the other RH4 nodes. This means that Puppet doesn't
>>>>>>> > always use SHA256, but only if it is available from the openssl
>>>>>>> > library. Right?
>>>>>>> >
>>>>>>> > So, there are two ways (one harder than the other for me) to solve
>>>>>>> > the issue at openssl level:
>>>>>>> > 1. install opensslib rpm for RH5 on RH4 (but there are a lot of
>>>>>>> >    missing dependencies)
>>>>>>> > 2. downgrade openssl lib on Centos 6.3 master from 1.0.0 to 0.9.7
>>>>>>> > ???
>>>>>>> >
>>>>>>> > Since --digest option won't work, is there any other way to force
>>>>>>> > puppet not to use SHA256??
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > On 13 February 2013 16:16, Matthew Black <mjb...@gmail.com> wrote:
>>>>>>> >>
>>>>>>> >> I think this issue is related to your issue since the version
>>>>>>> >> discussed is 0.9.7.
>>>>>>> >>
>>>>>>> >> http://projects.puppetlabs.com/issues/17295
>>>>>>> >>
>>>>>>> >> What you will need to do, more than likely, is update the openssl
>>>>>>> >> on the agent. I don't think it will work too well but you can try
>>>>>>> >> to take the srpm from rhel 5 or 6 and build it for rhel 4
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella
>>>>>>> >> <luigimarti...@gmail.com> wrote:
>>>>>>> >> > Master:
>>>>>>> >> > Centos 6.3 , Puppet 3.1.0
>>>>>>> >> > Ubuntu, Puppet 3.1.0
>>>>>>> >> >
>>>>>>> >> > Agent:
>>>>>>> >> > Redhat 4, Puppet 3.1.0
>>>>>>> >> >
>>>>>>> >> > Yesterday something strange happened:
>>>>>>> >> > we tried to connect the RedHat agent with a Puppet Enterprise
>>>>>>> >> > Master on Centos 6.3, and there weren't any certificate problems
>>>>>>> >> > and everything worked.
>>>>>>> >> > Today we are trying with the same configuration, but the same
>>>>>>> >> > validation error described before appeared
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >> > On 13 February 2013 14:12, Matthew Black <mjb...@gmail.com> wrote:
>>>>>>> >> >>
>>>>>>> >> >> What versions of puppet are being used on the client and the
>>>>>>> >> >> server? Assuming master is running on Linux, what distro and
>>>>>>> >> >> release is the master running on?
>>>>>>> >> >>
>>>>>>> >> >> I suspect the openssl might be the issue on the client.
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella
>>>>>>> >> >> <luigimarti...@gmail.com> wrote:
>>>>>>> >> >> > Felix, why do you think the problem is related to the
>>>>>>> >> >> > "--waitforcert" option?
>>>>>>> >> >> > I tried to run "puppet agent -t --waitforcert 100", and after
>>>>>>> >> >> > signing the request on master, on agent I receive this message:
>>>>>>> >> >> >
>>>>>>> >> >> > Error: Could not request certificate: Unsupported digest algorithm
>>>>>>> >> >> > (SHA256).
>>>>>>> >> >> > Error: Failed to apply catalog: Unsupported digest algorithm
>>>>>>> >> >> > (SHA256).
>>>>>>> >> >> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values
>>>>>>> >> >> > mismatch
>>>>>>> >> >> >
>>>>>>> >> >> >
>>>>>>> >> >> >
>>>>>>> >> >> >
>>>>>>> >> >> > On 13 February 2013 13:15, Felix Frank
>>>>>>> >> >> > <felix...@alumni.tu-berlin.de> wrote:
>>>>>>> >> >> >>
>>>>>>> >> >> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
>>>>>>> >> >> >> > All cert problems are either time sync or certificate
>>>>>>> >> >> >> > name issues. So it's one of those two.
>>>>>>> >> >> >>
>>>>>>> >> >> >> A bold assertion. It may hold true as far as puppet is
>>>>>>> >> >> >> concerned, though.
>>>>>>> >> >> >>
>>>>>>> >> >> >> I generally advise to take the time and learn about x509 and
>>>>>>> >> >> >> openssl's interface, so one can inspect the actual
>>>>>>> >> >> >> certificates in question.
>>>>>>> >> >> >>
>>>>>>> >> >> >> > Exiting; no certificate found and waitforcert is
>>>>>>> >> >> >> > disabled
>>>>>>> >> >> >>
>>>>>>> >> >> >> Hmm, so did you *ever* use --waitforcert on your agent side?
>>>>>>> >> >> >>
>>>>>>> >> >> >> If you haven't, that's your problem right there.
>>>>>>> >> >> >>
>>>>>>> >> >> >> HTH,
>>>>>>> >> >> >> Felix
>>>>>>> >> >> >>
>>>>>>> >> >> >> --
>>>>>>> >> >> >> You received this message because you are subscribed to the
>>>>>>> >> >> >> Google Groups "Puppet Users" group.
>>>>>>> >> >> >> To unsubscribe from this group and stop receiving emails from
>>>>>>> >> >> >> it, send an email to puppet-users...@googlegroups.com.
>>>>>>> >> >> >> To post to this group, send email to puppet...@googlegroups.com.
>>>>>>> >> >> >> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
>>>>>>> >> >> >> For more options, visit https://groups.google.com/groups/opt_out.
>>>>>>> >> >> >>
>>>>>>> >> >> >>
>>>>>>> >> >> >
>>>>>>> >> >> >
>>>>>>> >> >> >
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >>
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >> >
>>>>>>> >>
>>>>>>> >>
>>>>>>> >>
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>  
>>>>  
>>>>
>>>
>>  
>>  
>>
>
>

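The digest negotiation this whole thread turns on, as an added example (my code, not the original posts' and not Puppet's): a small Ruby script that picks a digest by preference order the way certificate_signer.rb does, signs a constructed CA certificate with it, reads back which digest the certificate's signature actually carries, and checks whether a verifier that only knows SHA-1 (the RHEL 4 / OpenSSL 0.9.7 agent in the thread) could validate it. The CN and the preference lists are constructed values.

```ruby
require 'openssl'

# Mirror the master-side negotiation in certificate_signer.rb: walk a
# preference list and take the first digest this Ruby/OpenSSL build defines.
# Luigi's fix on the page amounts to putting 'SHA1' ahead of 'SHA256' here.
def pick_digest(preferences)
  name = preferences.find { |n| OpenSSL::Digest.const_defined?(n) }
  raise "no usable digest among #{preferences.inspect}" unless name
  OpenSSL::Digest.const_get(name)
end

# Build a self-signed CA certificate signed with the chosen digest.
# The CN is a constructed placeholder, not a real host.
def self_signed_cert(key, digest_class, cn = 'ca.example.test')
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, digest_class.new)
  cert
end

# Digest named by the certificate's signature OID, e.g.
# "sha256WithRSAEncryption" -> "sha256". Assumes an RSA-signed cert.
def signature_digest(cert)
  cert.signature_algorithm.split('With').first.downcase
end

# Agent-side view: can a verifier limited to `supported` digests (the
# SHA-1-only OpenSSL 0.9.7 agent in the thread) validate this cert?
def verifiable_with?(cert, supported)
  supported.map(&:downcase).include?(signature_digest(cert))
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048)
  [%w[SHA256 SHA1], %w[SHA1 SHA256]].each do |prefs|
    begin
      cert = self_signed_cert(key, pick_digest(prefs))
      puts "prefs=#{prefs.join(',')} -> #{cert.signature_algorithm}; " \
           "SHA-1-only agent can verify: #{verifiable_with?(cert, %w[sha1])}"
    rescue OpenSSL::OpenSSLError => e
      # Modern crypto policies may refuse to create SHA-1 signatures at all.
      puts "prefs=#{prefs.join(',')} -> signing refused: #{e.message}"
    end
  end
end
```

Running it shows the same certificate content ending up with sha256WithRSAEncryption or sha1WithRSAEncryption depending purely on the preference order, which is the knob the thread's fix turns; `openssl x509 -noout -text` on the master's CA cert shows the same "Signature Algorithm" line on a real deployment.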