[Puppet Users] Issue with new install of Puppet and PuppetDB

Keyzer Suze Wed, 13 Nov 2019 14:52:45 -0800

Hi

I have a green field install of puppet - that bits okay - added in puppetdb 
- this where i have issues


Installed - got r10k working got yaml working and some other things - 
packages

then tried puppetdb, but it keeps failing on ssl test

this is what i get from s_client
---
No client certificate CA names sent
---
SSL handshake has read 2505 bytes and written 337 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
B5EA0F1FBF08842917D3CC9340411B1482B2535D958FE72FDE0AE9E36E7C4F34
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573602368
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes


no ciphers !!!


this is my setup 
   # Configure puppetdb and its underlying database
   class { 'puppetdb':
     manage_package_repo => false,
     manage_dbserver => false,
     #ssl_protocols => 'TLSv1.1,TLSv1.2',
     ssl_protocols => 'TLSv1.2',
     listen_address => '0.0.0.0',
     manage_firewall => true,
     open_listen_port => true,
     open_ssl_listen_port => true,

     # disable_ssl => true,

   }

   # Configure the Puppet master to use puppetdb
   class { 'puppetdb::master::config':
      # puppetdb_disable_ssl => true,
   }


this is the telling it I think

2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_RSA_WITH_AES_256_CBC_SHA enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_RSA_WITH_AES_256_CBC_SHA enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite 
TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for 
InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]


and this is the jetty.ini
 cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
[jetty]
# IP address or hostname to listen for clear-text HTTP. To avoid resolution
# issues, IP addresses are recommended over hostnames.
# Default is `localhost`.
# host = <host>
host = 0.0.0.0

# Port to listen on for clear-text HTTP.
port = 8080

# The following are SSL specific settings. They can be configured
# automatically with the tool `puppetdb ssl-setup`, which is normally
# ran during package installation.

# IP address to listen on for HTTPS connections. Hostnames can also be used
# but are not recommended to avoid DNS resolution issues. To listen on all
# interfaces, use `0.0.0.0`.
ssl-host = 0.0.0.0

# The port to listen on for HTTPS connections
ssl-port = 8081

# Private key path
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem

# Public certificate path
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem

# Certificate authority path
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem

# Access logging configuration path. To turn off access logging
# comment out the line with `access-log-config=...`
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml

cipher-suites = 
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
ssl-protocols = TLSv1.2


I'm guessing the ciphers are wrong or there is something wrong with the 
cipher setup ?  Maybe It should be a ersa (the certs used for the eliptical 
ciphers).  or maybe dh params are missing ?  I'm not sure - i would have 
thought puppetdb would work out the box !

also I am using
 java -version
openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)

I have also tried jdk8 the one installed with puppetdb same thing
I have tried removing cipher-suites option same issue

very frustrating ...

 
A

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/f64ba962-3df3-46eb-9404-869e5f38a862%40googlegroups.com.

[Puppet Users] Issue with new install of Puppet and PuppetDB

Reply via email to