Windows puppet agent SSL cert revocation woes.


Charlie Baum, Apr 7, 2014, 5:57:43 PM, to puppet...@googlegroups.com
I have 8 or 9 Windows 2012 servers with latest puppet client 3.4.3.  Out of those, 4 of them have experienced issues with the SSL cert.  Here is what my event log contains: (each line is a different entry in the event log, all within about 1.5 seconds)


Unable to fetch my node definition, but the agent run will continue:

SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

/File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

/File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked Could not retrieve file metadata for puppet://autopuppet.sys.comcast.net/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

This is very frustrating for a product I would like to put into production.  I have searched and found resolutions to this issue, but can't find a discussion on the root cause.  Is it a crappy Windows agent?  Bug/issue on the puppet master side?  How can I prevent this from happening all over my prod environment if I go that route?

jcbollinger, Apr 8, 2014, 12:11:21 PM, to puppet...@googlegroups.com


These errors are all reporting the same thing: that the agent's SSL certificate has been revoked.  To the best of my knowledge -- and I have looked -- base Puppet contains no internal mechanism for automatically revoking certificates.  Therefore, I am inclined to suspect that the certificates are being revoked by some external actor, either a person or an external automated process.  If you are using PE, though, then "external" could mean "among the proprietary pieces of the overall product".

With that said, there was another recent thread complaining about unexpected certificate revocations: https://groups.google.com/forum/#!searchin/puppet-users/certificate$20revoked/puppet-users/UYM3fouDGVE/zehQy4nW0dUJ.  No cause was ever reported there, but perhaps it was related.

The bottom line is that I don't think we can tell you at this point what the nature of the problem is.  It is not a known flaw in Puppet, but that doesn't necessarily mean that Puppet is not responsible.  My apologies for being unable to be more definitive.


John

Rob Reynolds, Apr 9, 2014, 1:52:13 PM, to puppet...@googlegroups.com
On Mon, Apr 7, 2014 at 4:57 PM, Charlie Baum <charl...@gmail.com> wrote:
I have 8 or 9 Windows 2012 servers with latest puppet client 3.4.3.  Out of those, 4 of them have experienced issues with the SSL cert.  Here is what my event log contains: (each line is a different entry in the event log, all within about 1.5 seconds)


Unable to fetch my node definition, but the agent run will continue:

SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

/File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

/File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked Could not retrieve file metadata for puppet://autopuppet.sys.comcast.net/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked


Is the cert actually revoked on the master? If one exists, then it could be you created it from a non-privileged user and then later tried to connect with a privileged user. If you have a certificate already created and accepted from a non-privileged user, when the privileged user attempts to connect, it is going to attempt to send a new certificate request (due to ~/.puppet/etc/ssl versus c:/ProgramData/PuppetLabs/puppet/etc/ssl). The non-privileged user doesn't have access to ProgramData, so the request happens from another location it does have access to.

Let's start there.



This is very frustrating for a product I would like to put into production.  I have searched and found resolutions to this issue, but can't find a discussion on the root cause.  Is it a crappy Windows agent?  Bug/issue on the puppet master side?  How can I prevent this from happening all over my prod environment if I go that route?




--
Rob Reynolds
Developer, Puppet Labs

Join us at PuppetConf 2014, September 23-24 in San Francisco - http://puppetconf.com
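Rob's first question ("is the cert actually revoked on the master?") is worth being able to answer mechanically, and the "sslv3 alert certificate revoked" in Charlie's log is exactly what a TLS server produces when the client cert's serial appears on the CA's CRL. The Ruby script below is an added example, not code from this thread or from Puppet itself: it builds a throwaway CA, issues two certificates for the same agent certname from two different keys (the situation Rob describes, where a second CSR is generated from a different ssl directory), revokes the first in a CRL, and then runs the same CA-plus-CRL verification a TLS server does. The CA name, the agent certname `win2012-agent.example.com` and all serial numbers are constructed for the demo.

```ruby
require 'openssl'

# Constructed sample identities; nothing here comes from a real deployment.
CA_NAME    = '/CN=Puppet CA: example-master'
AGENT_NAME = 'win2012-agent.example.com'

# Build a throwaway self-signed CA, standing in for the master's CA.
def make_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(CA_NAME)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Issue an agent certificate with a fresh private key, as the CA does for
# each CSR it signs. A second CSR for the same certname yields a second,
# distinct certificate even though the subject is identical.
def issue_agent_cert(ca_key, ca_cert, certname, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Sign a CRL that lists the given serials as revoked.
def make_crl(ca_key, ca_cert, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time   = Time.now
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Verify a client certificate against the CA with CRL checking enabled,
# which is what produces the "certificate revoked" alert on the wire.
# Returns [ok, error_code]; error_code is 0 (V_OK) on success.
def verify_with_crl(cert, ca_cert, crl)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  ok = store.verify(cert)
  [ok, store.error]
end

# SHA-256 fingerprint of the DER encoding, the quickest way to tell whether
# two ssl directories actually hold the same certificate.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Replay the scenario: one certname, two certs, the first one revoked.
def demo
  ca_key, ca_cert = make_ca
  _old_key, old_cert = issue_agent_cert(ca_key, ca_cert, AGENT_NAME, 2)
  _new_key, new_cert = issue_agent_cert(ca_key, ca_cert, AGENT_NAME, 3)
  crl = make_crl(ca_key, ca_cert, [old_cert.serial])
  {
    same_subject:     old_cert.subject == new_cert.subject,
    same_fingerprint: fingerprint(old_cert) == fingerprint(new_cert),
    old_cert:         verify_with_crl(old_cert, ca_cert, crl),
    new_cert:         verify_with_crl(new_cert, ca_cert, crl)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The takeaway for diagnosing Charlie's hosts: the same subject name proves nothing, so compare fingerprints of the agent certificate held under the per-user ssl directory, the ProgramData ssl directory and the master's signed-certs directory, and compare the serial of whichever one the agent presents against the entries in the master's CA CRL. Only the copy whose serial is absent from the CRL will pass the check above.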
