So this seems to be a regression in openssl-1.0.1e-15.el6.x86_64. The
reason why this works for JDK 7, is because we've had issues with the
ECC based ciphers in the past, and had to pin JDK 7 to non-ECC
ciphers.

However we had the anticipation that this might be something that
would come back, so we provided a configuration option to override
this. Alas, the solution without downgrading openssl or upgrading to
JDK 7 is to add the following line to your jetty.ini:

cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5

... and then restart your puppetdb instance.

We're looking into a permanent solution now. Of course, upgrade to JDK
7 is a good idea regardless, so I would recommend that first. In the
very near future we are looking to deprecate JDK 6 anyway, so better
to move now rather than later.

ken.

On Thu, Nov 28, 2013 at 4:04 PM, Ken Barber <k...@puppetlabs.com> wrote:
> Okay, so this problem seems prolific now. Would you mind raising a
> redmine ticket on this?
>
> http://projects.puppetlabs.com/projects/puppetdb
>
>
> On Thu, Nov 28, 2013 at 3:59 PM, Matthias Saou <matth...@saou.eu> wrote:
>> On Wed, 27 Nov 2013 09:48:52 -0700
>> Deepak Giridharagopal <dee...@puppetlabs.com> wrote:
>>
>>> On Nov 27, 2013, at 9:11 AM, Jonathan Gazeley
>>> <jonathan.gaze...@bristol.ac.uk> wrote:
>>>
>>> > Hmm, well I removed java-1.6.0-openjdk and installed
>>> > java-1.7.0-openjdk. Reinstalled puppetdb, which pulled
>>> > java-1.6.0-openjdk back in again, so the two javas were installed
>>> > simultaneously. Restarted puppetdb and puppetmaster and everything
>>> > works again.... I have no idea what was wrong.
>>>
>>> Hmm, pulling in an older version jdk despite the presence of a newer
>>> one smells like a bug to me...can you file one against PuppetDB?
>>>
>>> We're touching that code right now, as we're actually in the process
>>> of deprecating use of JDK 1.6 with PuppetDB. So the upgrade situation
>>> you describe is something we should try and test.
>>
>> FWIW, I just did a "yum update" on a RHEL 6 puppet master, which got
>> all updates from RHEL 6.5, and I started seeing failed puppet runs with
>> the exact same symptoms.
>>
>> This is initially with puppet 3.3.2 and puppetdb 1.4.0.
>>
>> Restarting the services didn't help. Rebooting the server to make sure
>> all new system libs were used didn't help either.
>> Updating to puppetdb 1.5.2 and running /usr/sbin/puppetdb-ssl-setup -f
>> didn't help (still the exact same message).
>>
>> But this fixed it :
>>
>> yum install java-1.7.0-openjdk.x86_64
>> service puppetdb restart
>>
>> Previously, I had only java-1.6.0-openjdk installed, and it had been
>> updated. I'm guessing the update broke something related to SSL. After
>> installing 1.7.0, alternatives automatically updated all java related
>> paths to make 1.7.0 the default, and puppetdb seems to work fine with
>> it.
>>
>> So if you're running PuppetDB on RHEL (or any clone), then make sure
>> you have the right version of Java available for it.
>>
>> Matthias
>>
>> --
>>             Matthias Saou                  ██          ██
>>                                              ██      ██
>> Web: http://matthias.saou.eu/              ██████████████
>> Mail/XMPP:  matth...@saou.eu             ████  ██████  ████
>>                                        ██████████████████████
>> GPG: 4096R/E755CC63                    ██  ██████████████  ██
>>      8D91 7E2E F048 9C9C 46AF          ██  ██          ██  ██
>>      21A9 7A51 7B82 E755 CC63                ████  ████
>>
>> --
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/20131128165900.4b11f270%40r2d2.marmotte.net.
>> For more options, visit https://groups.google.com/groups/opt_out.
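
An added example, not part of the original thread or of PuppetDB's code: a small audit of the `cipher-suites` value from a jetty.ini, reporting which suites use ECC key exchange (the family the message pins away from) and which rely on legacy primitives such as RC4, 3DES or MD5. The `[jetty]` section header in the sample and the function names are assumptions made for this illustration.

```python
import configparser

# Constructed sample: the cipher-suites line from the message above, placed
# under a [jetty] section header (assumed layout, not taken from the thread).
SAMPLE_INI = """[jetty]
cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5
"""

# Tokens of JSSE suite names (split on "_") that mark a suite for review.
ECC_TOKENS = {"ECDH", "ECDHE"}
LEGACY_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "EXPORT", "anon"}


def parse_cipher_suites(ini_text, section="jetty", option="cipher-suites"):
    """Return the configured suites in order; empty list if the option is unset."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    raw = parser.get(section, option, fallback="")
    # Indented continuation lines arrive joined by newlines; treat them as commas.
    return [s.strip() for s in raw.replace("\n", ",").split(",") if s.strip()]


def classify(suite):
    """Return the review findings for one suite name, in name order."""
    tokens = suite.split("_")
    findings = ["ECC"] if ECC_TOKENS & set(tokens) else []
    findings += [t for t in tokens if t in LEGACY_TOKENS]
    return findings


def audit(ini_text):
    """Map each configured suite to its list of findings (empty list = none)."""
    return {suite: classify(suite) for suite in parse_cipher_suites(ini_text)}


if __name__ == "__main__":
    for suite, findings in audit(SAMPLE_INI).items():
        print(f"{suite}: {', '.join(findings) or 'no findings'}")
```
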
