Hello,

Thank you for your reply. My PuppetDB is installed and managed by the puppetdb 
Puppet module, and I haven't changed the certificates since its installation 
years ago (still valid for one year, though).
I will have a try with puppetdb ssl-setup later today.

What I have noticed with openssl is that, before and after the upgrade to 6.9, 
a few different ciphers are used.

echo QUIT | openssl s_client -connect puppetdb:8081 -host puppetdb -port 8081 -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem -status -state -showcerts 2>&1

diff -u s_client.65 s_client.69 
--- s_client.65 2020-04-27 16:54:53.887179070 +0200 
+++ s_client.69 2020-04-27 16:59:36.347189451 +0200 
@@ -16,7 +16,7 @@ 
SSL_connect:SSLv3/TLS write finished 
SSL3 alert read:fatal:bad certificate 
SSL_connect:error in error 
-139851809683264:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert 
bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42 
+139950036502336:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert 
bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42 
CONNECTED(00000003) 
OCSP response: no response sent 
--- 
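Review bot: the `bad certificate` alert (SSL alert number 42) is present on both sides of this hunk; only the process-id prefix of the OpenSSL error line changes between the two lines, so this part of the diff is not a 6.5-vs-6.9 difference. The server sends the alert right after `SSL_connect:SSLv3/TLS write finished`, which is the point at which it has evaluated the client's certificate, and the s_client command above passes `-CAfile` but no `-cert`/`-key`, so the client offers no certificate at all. To test the path the agents actually use, repeat the command with an agent certificate and key from the same ssl directory (for example `-cert /etc/puppetlabs/puppet/ssl/certs/<fqdn>.pem -key /etc/puppetlabs/puppet/ssl/private_keys/<fqdn>.pem`, with `<fqdn>` as a placeholder for the node's certname).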
@@ -69,12 +69,12 @@ 
Shared Requested Signature Algorithms: 
ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
 

Peer signing digest: SHA256 
Peer signature type: RSA 
-Server Temp Key: ECDH, P-256, 256 bits 
+Server Temp Key: DH, 1024 bits 
--- 
-SSL handshake has read 2217 bytes and written 499 bytes 
+SSL handshake has read 2411 bytes and written 539 bytes 
Verification: OK 
--- 
-New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA 
+New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256 
Server public key is 4096 bit 
Secure Renegotiation IS supported 
Compression: NONE 
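Review bot: the security-relevant change in this hunk is `Server Temp Key: ECDH, P-256, 256 bits` becoming `Server Temp Key: DH, 1024 bits`: after the upgrade the server negotiates finite-field DHE with a 1024-bit group, which is below the 2048-bit minimum generally recommended and a weaker exchange than the P-256 ECDHE used before, even though the cipher suite itself moved from a CBC/SHA-1 suite to AES-GCM. Two smaller points: the `New, TLSv1.0, ...` versus `New, TLSv1.2, ...` lines report the protocol version in which each cipher suite was first defined, not the negotiated version (both sessions show `Protocol : TLSv1.2` in the next hunk), and the extra 194 bytes read in the handshake are consistent with the server sending explicit DH parameters instead of a named curve. Worth checking the cipher-suite list PuppetDB's web server is configured with so that ECDHE-RSA suites are preferred over DHE-RSA ones, or the DH parameter size is raised to at least 2048 bits.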
@@ -82,14 +82,14 @@ 
No ALPN negotiated 
SSL-Session: 
    Protocol  : TLSv1.2 
-    Cipher    : ECDHE-RSA-AES256-SHA 
-    Session-ID: 
5EA6F235228812A1D39268BEA73CA0538FBD9DB65BDBFE0B2A7B620D619608CF 
+    Cipher    : DHE-RSA-AES128-GCM-SHA256 
+    Session-ID: 
5EA6F33E2ED8579BEF57A377556A369D4E2194D1E009250BCE0D972002D4D0C1 
    Session-ID-ctx:  
-    Master-Key: 
1B3E5AF06F394B30E32D5E957D0F9FC8270C19FCB6BE32FCB27B51E310F2C735F1C0E4AFE4DBFD98A67F53F945C34967
 
+    Master-Key: 
851F2F19D603D607DB9410ED5E945A76AF1408AE8692D4A4AB8A46598C88F9CF82E19748B411C5C0CB33731E856B1681
 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
-    Start Time: 1587999285 
+    Start Time: 1587999550 
    Timeout   : 7200 (sec) 
    Verify return code: 0 (ok) 
    Extended master secret: yes
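Review bot: the two `Master-Key:` values in this hunk are the actual TLS master secrets of the captured sessions, and the `Session-ID` values identify them; these lines should be redacted before s_client output is pasted to a public list, since anyone holding a capture of that traffic can decrypt it with the master secret. The exposure here is bounded to these two already-closed handshakes, but it is a good habit to strip `Master-Key`, `Session-ID` and any `TLS session ticket` dump before sharing. Otherwise this hunk only restates the cipher change already visible above (`ECDHE-RSA-AES256-SHA` to `DHE-RSA-AES128-GCM-SHA256`), with `Protocol : TLSv1.2` and `Verify return code: 0 (ok)` unchanged on both sides.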

But we can clearly see that the "verify" is OK on 6.9 as well:
...
verify return:1
...

Yvan
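The diff above is easier to reason about once the handshake summary is reduced to the three fields that matter. The following POSIX sh script is an added example, not part of Yvan's post or of PuppetDB: it grades a saved `openssl s_client` transcript (such as s_client.65 or s_client.69) on protocol version, forward secrecy, DH group size and CBC/SHA-1 suites; the thresholds and the verdict labels are the editor's choices, and the two excerpts at the bottom are constructed from the values in the thread.

```shell
#!/bin/sh
# Grade the key exchange recorded in a saved `openssl s_client` transcript.
# Added example: thresholds (TLS >= 1.2, DH >= 2048 bits, no CBC/SHA-1 suites)
# are the editor's choices, not PuppetDB defaults.

# _field TEXT LABEL: value after "LABEL :" on the first matching line, trailing blanks stripped.
_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# kex_verdict: read a transcript on stdin, print "OK ..." or "WEAK ... reason=value".
kex_verdict() {
    text=$(cat)
    proto=$(_field "$text" 'Protocol')
    cipher=$(_field "$text" 'Cipher')
    tmpkey=$(_field "$text" 'Server Temp Key')
    verdict=OK
    reasons=
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) verdict=WEAK; reasons="$reasons protocol=$proto" ;;
    esac
    case "$tmpkey" in
        DH,*)   # finite-field DHE: the group size is what matters (1024 bits is too small)
            bits=$(printf '%s\n' "$tmpkey" | sed -n 's/^DH, *\([0-9]*\) bits.*/\1/p')
            [ "${bits:-0}" -ge 2048 ] || { verdict=WEAK; reasons="$reasons dh_bits=${bits:-?}"; } ;;
    esac
    case "$cipher" in
        ECDHE-*|DHE-*|TLS_*) ;;   # ephemeral exchange (or a TLS 1.3 suite): forward secrecy present
        *) verdict=WEAK; reasons="$reasons no_forward_secrecy=$cipher" ;;
    esac
    case "$cipher" in
        *-SHA) verdict=WEAK; reasons="$reasons legacy_cbc_sha1=$cipher" ;;   # e.g. ECDHE-RSA-AES256-SHA
    esac
    printf '%s proto=%s cipher=%s kex=%s%s\n' "$verdict" "$proto" "$cipher" "${tmpkey:-n/a}" "$reasons"
}

# Constructed excerpts modelled on the two transcripts diffed in the thread.
puppetdb65='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
Server Temp Key: ECDH, P-256, 256 bits'
puppetdb69='    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
Server Temp Key: DH, 1024 bits'
printf '%s\n' "$puppetdb65" | kex_verdict   # WEAK ... legacy_cbc_sha1=ECDHE-RSA-AES256-SHA
printf '%s\n' "$puppetdb69" | kex_verdict   # WEAK ... dh_bits=1024
```

On a real transcript run `kex_verdict < s_client.69`; both sides of the thread's diff come out WEAK, for different reasons.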

On Tuesday, April 28, 2020 at 1:48:36 AM UTC+2, comport3 wrote:
>
> "Redo SSL setup after changing certificates 
>
> If you’ve recently changed the certificates in use by the PuppetDB server, 
> you’ll also need to update the SSL configuration for PuppetDB itself.
>
> If you’ve installed PuppetDB from Puppet packages, you can simply re-run 
> the puppetdb ssl-setup command. Otherwise, you’ll need to again perform 
> the SSL configuration steps outlined in the installation instructions 
> <https://puppet.com/docs/puppetdb/latest/install_from_source.html>."
> https://puppet.com/docs/puppetdb/latest/maintain_and_tune.html

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/6380dbad-98a3-471c-b265-003991ff978e%40googlegroups.com.