"Connection timed out - connect(2)" when using puppet module


Torsten Kleiber

Jun 16, 2014, 7:38:58 AM
to puppet...@googlegroups.com
Hi!
 
I try to install modules in puppet, but it gives an error message independent of the module I try to install:
 
myserver:~ # puppet module install rtyler/jenkins
Notice: Preparing to install into /etc/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Error: Could not connect to https://forgeapi.puppetlabs.com
  There was a network communications problem
    The error we caught said 'Connection timed out - connect(2)'
    Check your network connection and try again
 
Kind regards
Torsten

Torsten Kleiber

Jun 17, 2014, 5:46:47 AM
to puppet...@googlegroups.com
Does nobody have a hint?
 
I have set http_proxy and https_proxy.
 
curl -k https://forgeapi.puppetlabs.com is successful.
 
curl https://forgeapi.puppetlabs.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
 
 

jcbollinger

Jun 17, 2014, 9:03:20 AM
to puppet...@googlegroups.com


On Tuesday, June 17, 2014 4:46:47 AM UTC-5, Torsten Kleiber wrote:
> Does nobody have a hint?
>
> I have set http_proxy and https_proxy.


You mean you have set these in your puppet.conf or in your environment?  If the former then which one (file system path) and which section?  Are you running as root or as an unprivileged user?

Puppet uses a personal configuration file (~/.puppet/puppet.conf) when run as non-root, unless you explicitly tell it otherwise (e.g. --confdir /etc/puppet).  I am uncertain whether it honors proxy settings configured in the environment, but it certainly does offer its own proxy configuration parameters.

 
 
> curl -k https://forgeapi.puppetlabs.com is successful.


And that's a useful test, but its success does not necessarily imply that puppet is configured correctly to connect to the same URL from your network.  If indeed you do need to connect via a proxy, then I think your problem likely lies there.


John

Torsten Kleiber

Jun 18, 2014, 1:14:21 AM
to puppet...@googlegroups.com
 

On Tuesday, June 17, 2014 15:03:20 UTC+2, jcbollinger wrote:
> You mean you have set these in your puppet.conf or in your environment?  If the former then which one (file system path) and which section?  Are you running as root or as an unprivileged user?

I am running as root at the moment and have set it via export before the call.
After setting it now in puppet.conf, the error changes to something similar to curl without -k:

puppet module install rtyler/jenkins --debug

Notice: Preparing to install into /etc/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Debug: HTTP GET https://forgeapi.puppetlabs.com/v3/releases?module=rtyler-jenkins
Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com
  Unable to verify the SSL certificate
    The certificate may not be signed by a valid CA
    The CA bundle included with OpenSSL may not be valid or up to date
 

jcbollinger

Jun 18, 2014, 9:11:19 AM
to puppet...@googlegroups.com


Well you don't really want to trust unverified certificates, certainly not in an automated way.  It sounds like you may need to update your trusted certificate store with one or more new CA certificates.  On a RedHat-family Linux, that probably means updating package "ca-certificates".

For what it's worth, neither Firefox on Windows nor curl (without -k) on CentOS 6.5 complain to me about untrusted SSL certificates when I access that forge URL, and I haven't made any special accommodation for it.


John

Josh Cooper

Jun 18, 2014, 3:08:59 PM
to puppet...@googlegroups.com

FYI, after the heartbleed incident we obtained new SSL certificates for all SSL related services, including forgeapi.puppetlabs.com. The new certificate was issued by UserTrustNetwork, and caused problems for the module tool on Windows, because the UserTrustNetwork root is not trusted. See https://tickets.puppetlabs.com/browse/PUP-2365 for more info.

We recently switched back to a GeoTrust Global CA issued certificate, and that may explain why the module tool fails to authenticate the forgeapi for you.

Josh

--
Josh Cooper
Developer, Puppet Labs
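
Added example, not part of the thread: an offline reproduction of the failure discussed above, where a server certificate issued by a root missing from the local CA bundle fails verification, and adding that root to the bundle (rather than disabling verification with -k) fixes it. The CAs, the host name forge.example.test and the function names are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed test material only: throwaway CAs and a throwaway leaf certificate.

# make_root DIR NAME CN: create a self-signed test root in DIR/NAME.{key,pem}
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR ROOT CN: issue DIR/leaf.pem signed by the root DIR/ROOT
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# chain_ok BUNDLE CERT: exit 0 only if CERT chains to a root found in BUNDLE
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: print the issuer, i.e. the CA the bundle has to contain
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

demo() {
  d=$(mktemp -d) || return 1
  make_root "$d" old "Constructed Old Root" || return 1
  make_root "$d" new "Constructed New Root" || return 1
  issue_leaf "$d" new "forge.example.test" || return 1
  cp "$d/old.pem" "$d/bundle.pem"        # stale bundle: lacks the issuing root
  chain_ok "$d/bundle.pem" "$d/leaf.pem" && before=ok || before=fail
  issuer_of "$d/leaf.pem"                # which CA is missing from the bundle?
  cat "$d/new.pem" >> "$d/bundle.pem"    # the fix: add the root, keep verifying
  chain_ok "$d/bundle.pem" "$d/leaf.pem" && after=ok || after=fail
  rm -rf "$d"
  echo "stale bundle: $before, updated bundle: $after"
}
demo
```

Against a live server, the certificate to inspect comes from `openssl s_client -connect <host>:443 -showcerts`; the check and the fix are the same.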
