ran "puppetdb ssl-setup" and then tried to verify the SSL connectivity after doing "systemctl start puppetdb" (centos 8.1). (there is no "CentOS 8" in either agent-os or master-os.) openssl's s_client program reports that the DH key is too small and fails to verify the certificate, e.g.:
openssl s_client -connect puppetdb:8081

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = host.name
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = host.name
verify error:num=21:unable to verify the first certificate
verify return:1
140169246222144:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2150:
---
Certificate chain
 0 s:CN = host.name
   i:CN = Puppet CA: host.name
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = host.name
issuer=CN = Puppet CA: host.name
---
No client certificate CA names sent
---
SSL handshake has read 2607 bytes and written 306 bytes
Verification error: unable to verify the first certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 5EB8A662CB4DC70C91FF81A0B2EFD7F1960DF94CFA4FCD953751EEF586F5DD86
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1589159522
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
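As an added diagnostic helper, not part of PuppetDB or this report, the shell functions below classify s_client output for the two separate problems visible in the transcript above: OpenSSL 1.1's refusal of an ephemeral DH group smaller than 2048 bits, and a certificate chain that does not verify because s_client was given no CA file. The names `classify_s_client_output` and `probe_tls` are assumptions, and `<puppet-ca.pem>` is a placeholder for the Puppet CA certificate path.

```shell
# Added diagnostic helper, not part of PuppetDB or the original report.
# classify_s_client_output reads "openssl s_client" output on stdin and prints
# one finding per line; it returns 1 when anything was flagged, 0 otherwise.
classify_s_client_output() {
    out=$(cat)
    findings=0
    # OpenSSL 1.1.x aborts the handshake itself when the server's ephemeral
    # DH group is under 2048 bits; this is the error seen in the report.
    if printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo "WEAK_DH: handshake aborted, ephemeral DH group is below OpenSSL's 2048-bit minimum"
        findings=1
    fi
    # A client that still accepts the group reports its size instead.
    bits=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK_DH: negotiated ephemeral DH group is only $bits bits"
        findings=1
    fi
    # Verify return code 0 means the chain validated against the trust store
    # given to s_client; anything else means the server cert was not trusted.
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ] && [ "$code" -ne 0 ]; then
        echo "UNTRUSTED_CHAIN: verify return code $code; pass the Puppet CA certificate with -CAfile <puppet-ca.pem>"
        findings=1
    fi
    return "$findings"
}

# probe_tls HOST PORT [CAFILE]: run s_client against a live endpoint and
# classify the result. CAFILE is the Puppet CA certificate (placeholder path).
probe_tls() {
    host=$1; port=$2; cafile=$3
    if [ -n "$cafile" ]; then
        openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" </dev/null 2>&1
    fi | classify_s_client_output
}
```

Running `probe_tls puppetdb 8081 <puppet-ca.pem>` separates the DH problem (a server-side configuration issue) from the verification problem (a missing trust anchor on the client side), which the raw s_client output above mixes together.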