For what its worth the bug in openssl-1.0.1e-15 has been fixed in upstream by openssl-1.0.1e-16: http://rhn.redhat.com/errata/RHBA-2013-1751.html
On Mon, Dec 2, 2013 at 12:33 PM, Ken Barber <[email protected]> wrote: > So this seems to be a regression in openssl-1.0.1e-15.el6.x86_64. The > reason why this works for JDK 7, is because we've had issues with the > ECC based ciphers in the past, and had to pin JDK 7 to non-ECC > ciphers. > > However we had the anticipation that this might be something that > would come back, so we provided a configuration option to override > this. Alas, the solution without downgrading openssl or upgrading to > JDK 7 is to add the following line to your jetty.ini: > > cipher-suites = > TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5 > > ... and then restart your puppetdb instance. > > We're looking into a permanent solution now. Of course, upgrade to JDK > 7 is a good idea regardless, so I would recommend that first. In the > very near future we are looking to deprecate JDK 6 anyway, so better > to move now rather then later. > > ken. > > On Thu, Nov 28, 2013 at 4:04 PM, Ken Barber <[email protected]> wrote: >> Okay, so this problem seems prolific now. Would you mind raising a >> redmine ticket on this? >> >> http://projects.puppetlabs.com/projects/puppetdb >> >> >> On Thu, Nov 28, 2013 at 3:59 PM, Matthias Saou <[email protected]> wrote: >>> On Wed, 27 Nov 2013 09:48:52 -0700 >>> Deepak Giridharagopal <[email protected]> wrote: >>> >>>> On Nov 27, 2013, at 9:11 AM, Jonathan Gazeley >>>> <[email protected]> wrote: >>>> >>>> > Hmm, well I removed java-1.6.0-openjdk and installed >>>> > java-1.7.0-openjdk. Reinstalled puppetdb, which pulled >>>> > java-1.6.0-openjdk back in again, so the two javas were installed >>>> > simultaneously. Restarted puppetdb and puppetmaster and everything >>>> > works again.... I have no idea what was wrong. >>>> >>>> Hmm, pulling in an older version jdk despite the presence of a newer >>>> one smells like a bug to me...can you file one against PuppetDB? >>>> >>>> We're touching that code right now, as we're actually in the process >>>> of deprecating use of JDK 1.6 with PuppetDB. So the upgrade situation >>>> you describe is something we should try and test. >>> >>> FWIW, I just did a "yum update" on a RHEL 6 puppet master, which got >>> all updates from RHEL 6.5, and I started seeing failed puppet runs with >>> the exact same symptoms. >>> >>> This is initially with puppet 3.3.2 and puppetdb 1.4.0. >>> >>> Restarting the services didn't help. Rebooting the server to make sure >>> all new system libs were used didn't help either. >>> Updating to puppetdb 1.5.2 and running /usr/sbin/puppetdb-ssl-setup -f >>> didn't help (still the exact same message). >>> >>> But this fixed it : >>> >>> yum install java-1.7.0-openjdk.x86_64 >>> service puppetdb restart >>> >>> Previously, I had only java-1.6.0-openjdk installed, and it had been >>> updated. I'm guessing the update broke something related to SSL. After >>> installing 1.7.0, alternatives automatically updated all java related >>> paths to make 1.7.0 the default, and puppetdb seems to work fine with >>> it. >>> >>> So if you're running PuppetDB on RHEL (or any clone), then make sure >>> you have the right version of Java available for it. >>> >>> Matthias >>> >>> -- >>> Matthias Saou ██ ██ >>> ██ ██ >>> Web: http://matthias.saou.eu/ ██████████████ >>> Mail/XMPP: [email protected] ████ ██████ ████ >>> ██████████████████████ >>> GPG: 4096R/E755CC63 ██ ██████████████ ██ >>> 8D91 7E2E F048 9C9C 46AF ██ ██ ██ ██ >>> 21A9 7A51 7B82 E755 CC63 ████ ████ >>> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Puppet Users" group. >>> To unsubscribe from this group and stop receiving emails from it, send an >>> email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/puppet-users/20131128165900.4b11f270%40r2d2.marmotte.net. >>> For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAE4bNT%3DADm2_Ndko_DJUv4y3ZvypNSEYLsZYBgDMPfUJwQsJ5g%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
