Hi,

Today, there was an upgrade of the AIO "puppet-agent" package from
1.2.2 to 1.2.4. Before the upgrade, the ssl connections of nodes
with the Rabbitmq middleware worked fine. But afterwards, the ssl connections
no longer worked and the link between the nodes (mcollective servers)
and the middleware was broken.
Before the upgrade:

----------------------------------------------------
root@client-trusty:~# dpkg -l puppet-agent | grep puppet-agent | awk '{print $1" "$2" "$3" "$4}'
ii puppet-agent 1.2.2-1trusty amd64

# The middleware is a rabbitmq server in another host.
root@client-trusty:~# MIDDLEWARE_SRV=172.31.14.7:61614

root@client-trusty:~# cert=/etc/puppetlabs/puppet/ssl/certs/client-trusty.athome.priv.pem
root@client-trusty:~# key=/etc/puppetlabs/puppet/ssl/private_keys/client-trusty.athome.priv.pem
root@client-trusty:~# cacert=/etc/puppetlabs/puppet/ssl/certs/ca.pem

# Try an ssl handshake. All is OK.
root@client-trusty:~# /opt/puppetlabs/puppet/bin/openssl s_client -connect $MIDDLEWARE_SRV -cert $cert -key $key -CAfile $cacert && echo ALL IS OK
CONNECTED(00000003)
depth=1 CN = Puppet CA: puppet4.athome.priv
verify return:1
depth=0 CN = middleware.athome.priv
verify return:1
---
Certificate chain
 0 s:/CN=middleware.athome.priv
   i:/CN=Puppet CA: puppet4.athome.priv
 1 s:/CN=Puppet CA: puppet4.athome.priv
   i:/CN=Puppet CA: puppet4.athome.priv
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFgjCCA2qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDDB5QdXBw
ZXQgQ0E6IHB1cHBldDQuYXRob21lLnByaXYwHhcNMTUwOTEyMTYxNzE5WhcNMjAw
OTExMTYxNzE5WjAhMR8wHQYDVQQDDBZtaWRkbGV3YXJlLmF0aG9tZS5wcml2MIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu2En9wplbcqTW6qzZXFEmGIf
/NgvjWHxuNAOA5szcYZ4f3wwAfq25kp6hjDaIRYsgzny6FY7AZ4SDiSTtS8kNMFn
jBJy/81RQKtqP97X+6y84q8EtA/4i4p1g9U7GOZ6LWTFa2h4sd7zl2ahM02szgBX
CIqZjrpm9M1ucTd2ZlqZ80CEKNKxbe+UaTufrGI9+ZxHo+wyxD9TW1Cuvw+Ke9OJ
rir5bCD2RvNbNE/89pRWr1J3jbxnSZNVqwiaRZWg7c7R4qjrauLgftM8d1PzUM32
Mx+17tbF4m6xOldg26c8FGQ5kTW8BXC2mGtffI/0zEYmMhKYnoUIQ7HFyuGc4Krp
V1ikql7R995b2elWHIZYaXvoaWg9048y+ueGSNKPbGBReY8FLO8SZgxbvkGXsear
cKW+eCMnUhGY/J34ComNs6jownXvpq4AKED8KP+dRzs6Z9QDFeXO6qEcyS4AD4zm
2zFsztRtwI9cjbViiSEuTo0vFo1n31RYU4augiyfSQ7gfZaRR0EodkdUxTbDSwPK
ym4+t9G2cloG8WI/+njxom86KfJEp2nHG6F0zbZuFMYyfqUzL2PNKp2ZO7MYrCVM
d1ljyLp/jIP/8Ymu16EFnX7LA8F+a7Vvb3e3dmWjBS+vixKXnRl/cUhZ+T84+o1k
3LuFr7PHOE62Otxgbc8CAwEAAaOBvDCBuTA3BglghkgBhvhCAQ0EKgwoUHVwcGV0
IFJ1YnkvT3BlblNTTCBJbnRlcm5hbCBDZXJ0aWZpY2F0ZTAOBgNVHQ8BAf8EBAMC
BaAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFBxwJMjotqyQKrEXYSMi4wrjI2irMB8GA1UdIwQYMBaAFN2R
YjtfzoMYH0wUkn7uel8YjeHrMA0GCSqGSIb3DQEBCwUAA4ICAQCi6ysJ4Virm3x8
Emq19JnvF/9oOcoT1DmR+qhIF0hNmTPeje5C2o72d4UrxL7nJ1rDyF5dvzQ50Ku5
eza40x/zK2lAv4AB+amCPiXsiPdKLQDGYKyz0SexhQ5Kwl+IpPAqQbBSZHuMUQTA
VIdQglLUgTTaSmo39VvHC9DMiI55TcpBvsqDJ2DhCTJKuCkWwsBBlbl1DyWvCczt
vE8NAlFpXXDHZpvEzP3kDDB66wXwi9MihGu4a+LFiSleCktNkFMwGb3T3pVIKNQg
FzjH1Q15LSPgIvALnfSfphC6A6NwdAiAKJGSxrA9n1Kd9Iz3HZ9huxAnQjrAh68/
vxwokyaSWq0vFmKGAPATKNHm2aEExpSB6Dh6l1E3+YANJRa/lxzl6PB2k4G1OfmY
SybvvL1D1vy1fohem4gB5eErBnV9pjzkiXeBpoCH0YLtRti4Ru/YJATDDbsoXEd3
xN/o0ZCRe6djxy9Kr3y3X+fUbAgOcBrF9UHWuz4JMUAizJWEPQv3y8MTR4KifSXK
wvVQsZvqeHwpp4GDyNB/tUFJYeF4G2xRSu72ES26g08s0YR3DMLMzzf3MHngJTQn
XV9BNYAitOheIq80yHbq0ErLK1aHzW5ovg/gp3qdG/I48DTSN3UYf+zCbNsneoxo
2QR6gvFfAtJqxySNtcvtfEFhLhN4TQ==
-----END CERTIFICATE-----
subject=/CN=middleware.athome.priv
issuer=/CN=Puppet CA: puppet4.athome.priv
---
Acceptable client certificate CA names
/CN=Puppet CA: puppet4.athome.priv
---
SSL handshake has read 3656 bytes and written 3699 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 85F7EADC8638B92FB19C5E2FB6005EA50B95FB63AC4D0B514A15FA70D9F70D63
    Session-ID-ctx: 
    Master-Key: 
561B8C015947AEEB117EAD92E57C2A99429F5A7D434C6094CC89987C774C3F2F565C467CC322547DBEBC0359B411A8C3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1442425360
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Q
DONE
ALL IS OK
----------------------------------------------------

Now, I upgrade the "puppet-agent" package:

----------------------------------------------------
root@client-trusty:~# apt-get install puppet-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  puppet-agent
1 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
Need to get 9,901 kB of archives.
After this operation, 1,188 kB of additional disk space will be used.
Get:1 http://apt.puppetlabs.com/ trusty/PC1 puppet-agent amd64 1.2.4-1trusty [9,901 kB]
Fetched 9,901 kB in 0s (19.4 MB/s) 
(Reading database ... 89683 files and directories currently installed.)
Preparing to unpack .../puppet-agent_1.2.4-1trusty_amd64.deb ...
Unpacking puppet-agent (1.2.4-1trusty) over (1.2.2-1trusty) ...
Processing triggers for ureadahead (0.100.0-16) ...
ureadahead will be reprofiled on next reboot
Setting up puppet-agent (1.2.4-1trusty) ...
Restarting daemon:  mcollective
Stopping daemon:  mcollective
Starting daemon:  mcollective
mcollective restarted
root@client-trusty:~# 

# And I retry an ssl handshake
root@client-trusty:~# /opt/puppetlabs/puppet/bin/openssl s_client -connect $MIDDLEWARE_SRV -cert $cert -key $key -CAfile $cacert && echo ALL IS OK
CONNECTED(00000003)
140467911059104:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 285 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
root@client-trusty:~# echo $?
1
root@client-trusty:~# 
----------------------------------------------------

No ssl handshake is possible and my mcollective service is down.
Apart from the solution of staying on version 1.2.2, do you have an
idea how to solve my problem?

My rabbitmq server is version 3.2.4-1 on Ubuntu Trusty (from
the ubuntu repositories). I have tried rabbitmq from the
rabbitmq repository (version 3.5.4) but there is no improvement.

Maybe it's useful, so here is my rabbitmq configuration:

----------------------------------------------------
[ {rabbitmq_stomp,
      [ { tcp_listeners, [] },
        { ssl_listeners, [{"0.0.0.0", 61614} ] }
      ]
  },

  {
    rabbit,
      [ { tcp_listeners, [] },
        { ssl_listeners, [] },
        { ssl_options,
            [
              {          cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
              {            certfile, "/etc/rabbitmq/ssl/cert.pem"},
              {             keyfile, "/etc/rabbitmq/ssl/key.pem"},
              {              verify, verify_peer},
              {fail_if_no_peer_cert, true}
            ]
        }
      ]
   },

   { rabbitmq_management,
      [ { listener, [ { ip, "127.0.0.1"}, {port, 15672} ] },
        { redirect_old_port, false }
      ]
   }
].
----------------------------------------------------

Thanks in advance for your help.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/55F9ADDE.7010500%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
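The manual `openssl s_client` check shown in the message above, turned into a small script so that the broker handshake can be probed per TLS version and its parameters (protocol, cipher, verify code) recorded and compared before and after a package upgrade. This is an added example, not code from the original message or from Puppet or RabbitMQ; the function names, the `CLIENT_CERT`/`CLIENT_KEY`/`CA_CERT`/`OPENSSL` overrides and the default certificate paths (which mirror the layout used in the post) are assumptions, and the `-tls1`, `-tls1_1`, `-tls1_2` flags assume an OpenSSL 1.0.1 or later `s_client`.

```shell
#!/bin/sh
# Added example (not from the original post): script the broker TLS check so a
# handshake regression after an upgrade is caught and logged, not discovered
# when mcollective stops talking to the middleware.

# summarize_handshake: read `openssl s_client` output on stdin and print one line:
#   OK proto=<protocol> cipher=<cipher> verify=<code>
#   FAIL reason=<first ':error:' line, or 'no handshake'>
summarize_handshake() {
    awk '
        /^SSL handshake has read 0 bytes/ { zero_read = 1 }
        /:error:/ && reason == ""        { reason = $0 }
        /^ *Protocol *:/                 { proto = $3 }
        /^ *Cipher *:/                   { cipher = $3 }
        /^ *Verify return code:/         { verify = $4 }
        END {
            if (zero_read || verify == "") {
                if (reason == "") reason = "no handshake"
                printf "FAIL reason=%s\n", reason
            } else {
                printf "OK proto=%s cipher=%s verify=%s\n", proto, cipher, verify
            }
        }'
}

# probe_tls HOST:PORT PROTO_FLAG
# One handshake with the node's Puppet-issued client certificate, restricted to
# the given protocol flag (e.g. -tls1_2). Needs network access; the offline
# test only exercises summarize_handshake. Paths are assumptions following the
# layout in the post; override them via CLIENT_CERT, CLIENT_KEY, CA_CERT.
probe_tls() {
    host_port=$1
    proto_flag=$2
    cert=${CLIENT_CERT:-/etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem}
    key=${CLIENT_KEY:-/etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem}
    cacert=${CA_CERT:-/etc/puppetlabs/puppet/ssl/certs/ca.pem}
    # `echo Q` closes the session once the handshake summary has been printed,
    # exactly as the interactive "Q" in the post does.
    echo Q | "${OPENSSL:-openssl}" s_client -connect "$host_port" $proto_flag \
        -cert "$cert" -key "$key" -CAfile "$cacert" 2>&1 \
        | summarize_handshake
}

# probe_all HOST:PORT
# Try each protocol version in turn: a version-negotiation mismatch between the
# client's OpenSSL and the broker shows up as OK for some versions and FAIL for
# others, which narrows the problem down before touching either configuration.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s ' "$flag"
        probe_tls "$1" "$flag"
    done
}

# Run against a broker only when a host:port argument is given, e.g.
#   sh probe_broker.sh 172.31.14.7:61614
if [ -n "${1:-}" ]; then
    probe_all "$1"
fi
```

Run it once while the link is known-good and keep the output; after any upgrade of puppet-agent (which ships its own `openssl` under /opt/puppetlabs) or of rabbitmq, run it again and diff the two summaries. A FAIL line whose reason is an `ssl23_write:ssl handshake failure` with zero bytes read, as in the post, means the server rejected the ClientHello outright, so the per-version results are the first thing to look at.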