This is my puppetdb/jetty configuration:

agrams@puppet:~$ sudo cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
[sudo] password for agrams:
[jetty]
host = localhost
ssl-host = 0.0.0.0
ssl-port = 8081
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
ssl-protocols = TLSv1.2
port = 8080
I used these instructions to install and configure Puppet DB:
https://puppet.com/docs/puppetdb/latest/install_via_module.html

I am also using openjdk 11, not java 8, without issue.

agrams@puppet:~$ ps -ef |grep java
agrams   19172 18819  0 18:44 pts/0    00:00:00 grep --color=auto java
puppet   30754     1  0 Oct26 ?        07:31:10 /usr/bin/java -Xms2G -Xmx2G -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar:/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/facter.jar:/opt/puppetlabs/server/data/puppetserver/jars/* clojure.main -m puppetlabs.trapperkeeper.main --config /etc/puppetlabs/puppetserver/conf.d --bootstrap-config /etc/puppetlabs/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/ --restart-file /opt/puppetlabs/server/data/puppetserver/restartcounter
puppetdb 31910     1  0 Oct18 ?        01:41:06 /usr/bin/java -Xmx192m -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetdb/puppetdb.jar clojure.main -m puppetlabs.puppetdb.cli.services --config /etc/puppetlabs/puppetdb/conf.d --bootstrap-config /etc/puppetlabs/puppetdb/bootstrap.cfg --restart-file /opt/puppetlabs/server/data/puppetdb/restartcounter
agrams@puppet:~$ /usr/bin/java -version
openjdk version "11.0.4" 2019-07-16
OpenJDK Runtime Environment (build 11.0.4+11-post-Ubuntu-1ubuntu218.04.3)
OpenJDK 64-Bit Server VM (build 11.0.4+11-post-Ubuntu-1ubuntu218.04.3, mixed mode, sharing)

I'm running Puppet 6.7:

agrams@puppet:~$ dpkg -l |grep puppet |grep -v foreman
ii  puppet-agent          6.10.1-1bionic  amd64  The Puppet Agent package contains all of the elements needed to run puppet, including ruby, facter, and hiera.
ii  puppet-agent-oauth    0.5.1-2         all    OAuth Core Ruby implementation for Puppet Agent
ii  puppet-bolt           1.37.0-1bionic  amd64  Stand alone task runner
ii  puppet6-release       6.0.0-5bionic   all    Release packages for the Puppet 6 repository
ii  puppetdb              6.7.1-1bionic   all    Puppet Labs puppetdb
ii  puppetdb-termini      6.7.1-1bionic   all    Termini for puppetdb
ii  puppetserver          6.7.1-1bionic   all    Puppet Labs puppetserver
ii  ruby-kafo             3.0.0-1         all    Ruby gem for making installations based on puppet user friendly
ii  ruby-puppet-forge     2.2.9-2         all    Access the Puppet Forge API from Ruby
ii  ruby-semantic-puppet  1.0.2-1         all    Useful tools for working with semantic versions with Puppet

Is the s_client output you shared the full output? What parameters did you pass to s_client?

Puppet DB uses the Puppet Agent certificate for authentication. This is how you can authenticate using the cert/key, and trust the Puppet CA. This is what I would expect to see.

root@puppet:~# openssl s_client -connect puppet.x.org:8081 -cert /etc/puppetlabs/puppet/ssl/certs/puppet.x.org.pem -key /etc/puppetlabs/puppet/ssl/private_keys/puppet.x.org.pem -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem
CONNECTED(00000005)
depth=2 CN = Puppet Root CA: ed17137d0debfe
verify return:1
depth=1 CN = Puppet CA: puppet.x.org
verify return:1
depth=0 CN = puppet.x.org
verify return:1
---
Certificate chain
 0 s:CN = puppet.x.org
   i:CN = Puppet CA: puppet.x.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFxDCCA6ygAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDDCJQdXBw
...
-----END CERTIFICATE-----
subject=CN = puppet.x.org
issuer=CN = Puppet CA: puppet.x.org
---
Acceptable client certificate CA names
CN = Puppet Root CA: ed17137d0debfe
CN = Puppet CA: puppet.x.org
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2606 bytes and written 5355 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA256
    Session-ID: F1D1F26Dx...
    Session-ID-ctx:
    Master-Key: F64D39x...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573606413
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

These are the relevant configs:

root@puppet:~# /opt/puppetlabs/puppet/bin/puppet config print |egrep '(^ca|^cert|\.pem|db|storeconfigs|fore)'
ca_fingerprint =
ca_name = Puppet CA: puppet.x.org
ca_port = 8140
ca_server = puppet.x.org
ca_ttl = 157680000
cacert = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
cacrl = /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
cadir = /etc/puppetlabs/puppet/ssl/ca
cakey = /etc/puppetlabs/puppet/ssl/ca/ca_key.pem
capub = /etc/puppetlabs/puppet/ssl/ca/ca_pub.pem
catalog_cache_terminus =
catalog_terminus = compiler
cert_inventory = /etc/puppetlabs/puppet/ssl/ca/inventory.txt
certdir = /etc/puppetlabs/puppet/ssl/certs
certificate_revocation = chain
certname = puppet.x.org
hostcert = /etc/puppetlabs/puppet/ssl/certs/puppet.x.org.pem
hostcrl = /etc/puppetlabs/puppet/ssl/crl.pem
hostcsr = /etc/puppetlabs/puppet/ssl/csr_puppet.x.org.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/puppet.x.org.pem
hostpubkey = /etc/puppetlabs/puppet/ssl/public_keys/puppet.x.org.pem
localcacert = /etc/puppetlabs/puppet/ssl/certs/ca.pem
reports = foreman
storeconfigs = false
storeconfigs_backend = puppetdb

I am using Foreman as well, but merely for viewing agent status, reports, etc.

What does '/opt/puppetlabs/puppet/bin/puppet agent -t --debug' show?
Looking at the Puppet DB access logs, I see the following 2 request/response pairs:

x.x.x.116 - - [12/Nov/2019:19:18:50 -0600] "POST /pdb/cmd/v1?checksum=xxx&version=5&certname=puppettest1.x.org&command=replace_facts&producer-timestamp=2019-11-13T01:18:50.100Z HTTP/1.1" 200 53 "-" "Apache-HttpAsyncClient/4.1.4 (Java/11.0.4)" 6
x.x.x.116 - - [12/Nov/2019:19:18:51 -0600] "POST /pdb/cmd/v1?checksum=xxx&version=9&certname=puppettest1.x.org&command=replace_catalog&producer-timestamp=2019-11-13T01:18:51.829Z HTTP/1.1" 200 53 "-" "Apache-HttpAsyncClient/4.1.4 (Java/11.0.4)" 6

The interesting bit here is that the IP address of the client in the Puppet DB log is the puppet master, not the agent.

In my configuration above, I have storeconfigs = false. Maybe this is a difference.

Axton

On Tuesday, November 12, 2019 at 5:50:09 PM UTC-6, Keyzer Suze wrote:
>
> Hi
>
> Did that and mucked around some more and broke it :) so did a yum erase
> and cleaned out the /etc/puppetlabs directory.
>
> Then reinstalled - got r10k working, got yaml working and some other things
> - packages.
>
> Then tried puppetdb, but it keeps failing on the SSL test - different this time.
>
> This is what I get from s_client:
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2505 bytes and written 337 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: B5EA0F1FBF08842917D3CC9340411B1482B2535D958FE72FDE0AE9E36E7C4F34
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1573602368
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: yes
>
> no ciphers !!!
>
> This is my setup:
>
> # Configure puppetdb and its underlying database
> class { 'puppetdb':
>   manage_package_repo  => false,
>   manage_dbserver      => false,
>   #ssl_protocols       => 'TLSv1.1,TLSv1.2',
>   ssl_protocols        => 'TLSv1.2',
>   listen_address       => '0.0.0.0',
>   manage_firewall      => true,
>   open_listen_port     => true,
>   open_ssl_listen_port => true,
>
>   # disable_ssl => true,
>
> }
>
> # Configure the Puppet master to use puppetdb
> class { 'puppetdb::master::config':
>   # puppetdb_disable_ssl => true,
> }
>
> This is the telling bit, I think:
>
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
>
> And this is the jetty.ini:
>
> cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
> [jetty]
> # IP address or hostname to listen for clear-text HTTP. To avoid resolution
> # issues, IP addresses are recommended over hostnames.
> # Default is `localhost`.
> # host = <host>
> host = 0.0.0.0
>
> # Port to listen on for clear-text HTTP.
> port = 8080
>
> # The following are SSL specific settings. They can be configured
> # automatically with the tool `puppetdb ssl-setup`, which is normally
> # ran during package installation.
>
> # IP address to listen on for HTTPS connections. Hostnames can also be used
> # but are not recommended to avoid DNS resolution issues. To listen on all
> # interfaces, use `0.0.0.0`.
> ssl-host = 0.0.0.0
>
> # The port to listen on for HTTPS connections
> ssl-port = 8081
>
> # Private key path
> ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
>
> # Public certificate path
> ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
>
> # Certificate authority path
> ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
>
> # Access logging configuration path. To turn off access logging
> # comment out the line with `access-log-config=...`
> access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
>
> cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
> ssl-protocols = TLSv1.2
>
> I'm guessing the ciphers are wrong or there is something wrong with the
> cipher setup? Maybe it should be a ersa (the certs used for the elliptical
> ciphers), or maybe dh params are missing? I'm not sure - I would have
> thought puppetdb would work out of the box!
>
> Also, I am using
>
> java -version
> openjdk version "11.0.5" 2019-10-15 LTS
> OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)
>
> not jdk8.
>
> On Tue, Nov 12, 2019 at 2:06 PM gramsa49 <axton...@gmail.com> wrote:
>
>> Check that the cert used by puppetdb matches the puppet ca.
>>
>> First the Puppet DB:
>>
>> root@puppettest1:~# openssl s_client -connect puppet:8140
>> CONNECTED(00000005)
>> depth=2 CN = Puppet Root CA: ed17137d0debfe
>> verify error:num=19:self signed certificate in certificate chain
>> ---
>> Certificate chain
>>  0 s:CN = puppet.x.org
>>    i:CN = Puppet CA: puppet.x.org
>>  1 s:CN = Puppet CA: puppet.x.org
>>    i:CN = Puppet Root CA: ed17137d0debfe
>>  2 s:CN = Puppet Root CA: ed17137d0debfe
>>    i:CN = Puppet Root CA: ed17137d0debfe
>>
>> Then the local copy of the Puppet CA cert:
>>
>> root@puppettest1:~# ll /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> -rw-r--r-- 1 root root 3866 Oct 20 22:31 /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> root@puppettest1:~# openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -text -noout
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 2 (0x2)
>>         Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: CN = Puppet Root CA: ed17137d0debfe
>>         Validity
>>             Not Before: Oct 17 20:04:48 2019 GMT
>>             Not After : Oct 14 20:04:55 2034 GMT
>>         Subject: CN = Puppet CA: puppet.x.org
>>
>> I believe that as long as the certificate used by Puppet DB is issued by
>> the Puppet CA, the Puppet Agent will trust the certificate.
>>
>> Axton
>>
>> On Sunday, November 10, 2019 at 10:12:03 PM UTC-6, Keyzer Suze wrote:
>>>
>>> Hi
>>>
>>> I have just installed a new version of puppet (latest) into CentOS 8.
>>>
>>> When I try a puppet agent --test it fails attempting to connect to
>>> puppetdb - unable to verify cert.
>>>
>>> If I use wget (after I added the Puppet CA into the OS root CA bundle)
>>> it works.
>>>
>>> Where or how do I do the same for Ruby?
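As an added example (not code from the thread or from the puppetdb module), the script below parses the cipher-suites line of a jetty.ini like the two quoted above and reports which entries Jetty's default exclusion patterns flag; that set is what produces the "Weak cipher suite ... enabled" warnings Keyzer Suze posted. The sample ini is constructed to mirror the thread's, and the pattern list is Jetty's SslContextFactory default.

```python
"""Audit the cipher-suites line of a PuppetDB jetty.ini against the patterns
Jetty's SslContextFactory excludes by default; these are exactly the suites
it reports as "Weak cipher suite ... enabled" at startup."""
import re

# Jetty DEFAULT_EXCLUDED_CIPHER_SUITES: SHA-1/MD5 MACs, plain RSA key
# exchange (no forward secrecy), SSLv3-era names, NULL and anonymous suites.
JETTY_WEAK_PATTERNS = [re.compile(p) for p in (
    r"^.*_(MD5|SHA|SHA1)$",
    r"^TLS_RSA_.*$",
    r"^SSL_.*$",
    r"^.*_NULL_.*$",
    r"^.*_anon_.*$",
)]


def parse_cipher_suites(ini_text):
    """Return the suites from a single-line cipher-suites = "a,b,c" entry."""
    m = re.search(r'^\s*cipher-suites\s*=\s*"?([^"\n]*)"?', ini_text, re.M)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def is_weak(suite):
    """True if Jetty's default exclusion patterns would flag this suite."""
    return any(p.match(suite) for p in JETTY_WEAK_PATTERNS)


def audit(ini_text):
    """Split the configured suites into (weak, kept), preserving order.
    Jetty only warns about suites the JVM actually enables, so an entry the
    JDK does not implement (the TLS_SRP_* one) is flagged here but never
    appears in the log."""
    suites = parse_cipher_suites(ini_text)
    return ([s for s in suites if is_weak(s)],
            [s for s in suites if not is_weak(s)])


def hardened_line(ini_text):
    """A drop-in cipher-suites line with the weak entries removed."""
    return 'cipher-suites = "%s"' % ",".join(audit(ini_text)[1])


# Constructed sample mirroring the jetty.ini quoted in the thread.
SAMPLE_INI = '''[jetty]
ssl-port = 8081
cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
ssl-protocols = TLSv1.2
'''

if __name__ == "__main__":
    weak, kept = audit(SAMPLE_INI)
    for suite in weak:
        print("weak (Jetty will warn):", suite)
    print("%d of %d suites kept" % (len(kept), len(weak) + len(kept)))
    print(hardened_line(SAMPLE_INI))
```

Axton's working handshake above also shows "Server Temp Key: DH, 1024 bits" for the negotiated DHE-RSA-AES128-SHA256 suite; the ECDHE suites in the kept list do not depend on that small DH group.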