unknown message digest algorithm, who can help to explain this issue? thanks a lot!


Lei Wang

unread,
Jul 23, 2013, 12:05:42 AM7/23/13
to puppe...@googlegroups.com
Hello everyone,

When I run 'puppetd --test', it fails, and the error message is "unknown message digest algorithm". In the past this command worked. I do not know what is wrong.

[root@sjbude813v puppet]# puppetd --server=sjisde193v.corp.webex.com --test

err: Could not retrieve catalog from remote server: unknown message digest algorithm

warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Could you give me some information about this issue?

thanks 

Lei 

Andy Parker

unread,
Jul 23, 2013, 12:56:33 PM7/23/13
to puppe...@googlegroups.com
Hi Lei,

Most likely this is coming from puppet trying to use a message digest algorithm such as MD5 or SHA1 or SHA256. Most platforms should have those available, but some older OSes don't always have those.

What kind of a system is your master running on? OS, ruby version, and openssl version would be relevant in this case, I think. Also you can try running the master with "--trace" in order to send us some more info about where that error is originating. I did a quick search through our code and didn't find that error message, which makes me think it is coming from an external library (probably openssl).




--
Andrew Parker
Freenode: zaphod42
Twitter: @aparker42
Software Developer

Join us at PuppetConf 2013, August 22-23 in San Francisco - http://bit.ly/pupconf13
Register now and take advantage of the Final Countdown discount - save 15%!

Monir Miloudi

unread,
Feb 17, 2014, 11:12:39 PM2/17/14
to puppe...@googlegroups.com
Hi Andrew,


I know this post is a little old but it was the only one with the same issue I'm having.

My specs for my 2 environments (PROD and DEV) are the following:

  • PROD

master

Name: master_prod.test.lan
Distro: RedHat 6.4 x86_64
Packages: 
-facter-1.7.1-7.1.x86_64
-openssl-1.0.0-27.el6_4.2.x86_64
-puppet-server-3.2.1-2.2.noarch
-ruby-1.8.7.352-12.el6_4.x86_64

slave

Name: slave_prod.test.lan
Distro: RedHat 4.8 AS x86
Packages: 
-facter-1.5.9-1.el4
-openssl-0.9.7a-43.20.el4
-puppet-0.25.6-1.el4
-ruby-1.8.1-18.el4


  • DEV

master

Name: master_dev.test.lan
Distro: SLES 11 SP2 x86_64
Packages: 
-facter-1.5.2-1.20
-openssl-0.9.8j-0.26.1
-puppet-server-2.7.14-2.1
-ruby-1.8.7.p357-0.7.1


slave

Name: slave_dev.test.lan
Distro: RedHat 4.8 AS x86
Packages: 
-facter-1.5.9-1.el4
-openssl-0.9.7a-43.20.el4
-puppet-0.25.6-1.el4
-ruby-1.8.1-18.el4


My tests:

  • PROD

slave_prod# puppetd --test --debug
info: Retrieving plugin
debug: Using cached certificate for ca
debug: Using cached certificate for slave_prod.test.lan
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': unknown message digest algorithm
debug: file_metadata supports formats: marshal pson raw; using pson
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: unknown message digest algorithm Could not retrieve file metadata for puppet://master_prod.test.lan/plugins: unknown message digest algorithm
debug: Finishing transaction -604802456 with 0 changes
debug: catalog supports formats: marshal pson raw; using pson
err: Could not retrieve catalog from remote server: unknown message digest algorithm
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

master_prod# puppet cert --list --all
+ "slave_prod.test.lan"      (SHA256) FB:24:F0:E6:5A:BA:79:1D:9D:9E:97:7A:4C:BF:BE:6A:5C:C5:13:80:18:FB:59:65:DA:F3:FB:A8:80:1A:6F:75

  • DEV

slave_dev# puppetd --test --debug
info: Retrieving plugin
debug: Using cached certificate for ca
debug: Using cached certificate for slave_dev.test.lan
debug: Using cached certificate_revocation_list for ca
debug: file_metadata supports formats: marshal pson raw; using pson
debug: Finishing transaction -605301928 with 0 changes
debug: catalog supports formats: marshal pson raw; using pson
info: Caching catalog for slave_dev.test.lan
debug: Creating default schedules
debug: Finishing transaction -605659268 with 0 changes
debug: Loaded state in 0.00 seconds
info: Applying configuration version '1392687489'
debug: Finishing transaction -605846618 with 0 changes
debug: Storing state
debug: Stored state in 0.01 seconds
debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (marshal)
debug: report supports formats: marshal raw; using marshal
notice: Finished catalog run in 0.14 seconds

master_dev# puppet cert --list --all
+ slave_dev.test.lan        (CB:21:FD:1E:4E:7A:8D:34:33:A8:7D:26:4C:A6:A0:0B)


What puzzles me is the fact that I'm using the same version of Puppet agent, Facter, Ruby and OpenSSL on both agents (RH4 x86), but the agent is working in my DEV environment and not on PROD.

Do you have some pointers to give me regarding my issue?

Thanks in advance.


Regards,
Monir

Patrick Carlisle

unread,
Feb 18, 2014, 12:52:02 PM2/18/14
to puppe...@googlegroups.com

On Mon, Feb 17, 2014 at 8:12 PM, Monir Miloudi <mmil...@gmail.com> wrote:
What puzzles me is the fact that I'm using the same version of Puppet agent, Facter, Ruby and OpenSSL on both agent (RH4 x86) but the agent is working in my DEV environment but not on PROD.

Your masters don't have the same OpenSSL version. You list 1.0 for the PROD master but 0.98j for the DEV master. They are also running different major versions of puppet. I think we added SHA256 support in 3.0 and in 3.1 made it fall back to SHA1 when that isn't available. Note that puppet cert lists a much longer digest for PROD with (SHA256) at the beginning. The digest algorithm is not configurable, so if you need to run old openssl on your agents then you need to issue your certs from puppet 2.7 (https://tickets.puppetlabs.com/browse/PUP-1146 is the bug about this).

We also don't support running an agent more than one major version older than the master (so you want 2.7+ to run against your 3.0 master).

-Patrick

Monir Miloudi

unread,
Feb 18, 2014, 6:47:50 PM2/18/14
to puppe...@googlegroups.com
Patrick,

Thanks for your reply, but before I try to downgrade my PROD Puppet Master from the 3.x branch to the 2.7.x branch, I'd like you to answer 2 questions if you may:
  1. I tried upgrading my PROD Puppet Agent from 0.25 to 2.6 (and even 2.7) but I was still faced with the same issue. Why is that?
  2. I thought (maybe wrongfully) that the version of OpenSSL used by Puppet (both agent and master) was the one packaged with Ruby and not the one packaged with the distro. So I tried upgrading Ruby on the DEV Puppet Agent from 1.8.1 to 1.8.5, but still digest issues. Can you explain to me why this is happening?

Anyway, thank you for your time.

Matthaus Owens

unread,
Feb 18, 2014, 8:11:43 PM2/18/14
to puppe...@googlegroups.com
The root cause here is the openssl version. Ruby doesn't ship with its
own openssl, but instead links against openssl. Usually ruby
dynamically links against the openssl available on your system (0.9.7a
for rhel 4, 0.9.8 for sles11 and 1.0.1 for rhel6).

In your PROD environment: The problem is that on the rhel 6 master,
the CA signed its cert with sha256, the default for puppet 3.x and
supported in openssl 1.0.1. The rhel 4 agent then gets the CA public
cert, which was signed using sha256, and its old version of openssl
can't even recognize sha256 as a valid digest format, so it fails with
the error you see.

In your DEV environment: It works because Puppet 2.7 doesn't sign the
ca cert with sha256 by default, so both openssl 0.9.8 on your master
and 0.9.7a on your agent are able to read and verify the cert.

To use an agent with a Puppet 3 master that signs using sha256, you
need to have a version of openssl with sha256 available and enabled
(enabled by default on openssl 0.9.8l and later)[1].

[1]- http://marc.info/?l=openssl-users&m=135355590501495

HTH

--
Matthaus Owens
Release Manager, Puppet Labs

Join us at PuppetConf 2014, September 23-24 in San Francisco
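The mismatch Patrick and Matthaus describe (a CA cert signed with sha256 handed to an agent whose OpenSSL predates sha256) can be checked from the agent side before a full puppet run. The Ruby below is an added example, not code from this thread or from Puppet; the CA certificate it builds is a constructed stand-in for a master's CA cert, and OLD_AGENT_DIGESTS is an assumed digest list standing in for an openssl 0.9.7a build.

```ruby
require 'openssl'

# Assumed digest set of an old agent's OpenSSL (0.9.7a era): no sha256.
OLD_AGENT_DIGESTS = %w[md5 sha1].freeze

# Constructed stand-in for a master's self-signed CA cert, signed with the
# given digest: 'sha256' mimics a Puppet 3.x CA, 'sha1' a Puppet 2.7 CA.
def make_ca_cert(digest_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test.lan')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert.to_pem
end

# Digest named in the cert's signature algorithm, e.g. "sha256" from
# "sha256WithRSAEncryption" (the field `openssl x509 -text` prints too).
def cert_digest(pem)
  OpenSSL::X509::Certificate.new(pem).signature_algorithm.sub(/WithRSAEncryption\z/i, '')
end

# Digests the OpenSSL this Ruby is linked against actually offers; an
# unknown name raises, which is the "unknown message digest algorithm" case.
def local_digests
  %w[md5 sha1 sha256 sha512].select do |d|
    begin
      OpenSSL::Digest.new(d)
      true
    rescue RuntimeError
      false
    end
  end
end

# Can an agent whose OpenSSL knows only `available` verify this CA cert?
def agent_can_verify?(pem, available = local_digests)
  available.include?(cert_digest(pem))
end

if __FILE__ == $PROGRAM_NAME
  %w[sha256 sha1].each do |d|
    pem = make_ca_cert(d)
    puts "#{d}: signed with #{cert_digest(pem)}; 0.9.7a-era agent ok? #{agent_can_verify?(pem, OLD_AGENT_DIGESTS)}"
  rescue OpenSSL::OpenSSLError => e
    puts "#{d}: local OpenSSL refused to sign (#{e.message})"
  end
end
```

Running cert_digest against the real /var/lib/puppet/ssl/certs/ca.pem on the failing agent tells you which side needs to change: the CA's digest or the agent's OpenSSL.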

Monir Miloudi

unread,
Feb 19, 2014, 10:38:42 AM2/19/14
to puppe...@googlegroups.com
Thank you for your response.

As a workaround, do you think that using an alternate CA (as described here: http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html) that is SHA1-compliant would work?

Felix Frank

unread,
Feb 24, 2014, 8:38:49 AM2/24/14
to puppe...@googlegroups.com
On 02/19/2014 04:38 PM, Monir Miloudi wrote:
> Thank you for your response.
>
> As a workaround, do you think that using an alternate CA (as described
> here:
> http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html)
> that is SHA1-compliant would work ?

Hi,

As this thread has fallen silent, I will go ahead and point out that,
yes, this would likely work.

Cheers,
Felix