SSL_read:: shutdown while in init error

496 visningar
Hoppa till det första olästa meddelandet

Maxim Nikolaev

oläst,
9 okt. 2017 07:48:092017-10-09
till Puppet Users
Hi

I'm using puppet agent 3.8.7 with puppetserver 2.8. Everything worked fine for long period.
This week we set update on openssl (version openssl-1.0.2k-7.103.amzn1.x86_6).
After that we started to get errors on puppet run:

Error: Could not set 'file' on ensure: SSL_read:: shutdown while in init

Error: Could not retrieve catalog from remote server: SSL_read:: shutdown while in init

I tried to play with pupptserver and puppet agent config.

Added http_keepaalive_timout and set larger body-max-size. 

This resolve issue on existing servers. But each time I run puppet first time - I see this again.
For ex, when I try to create Packer image - it always fail, because of this errors.

I've looked for similar errors, but find nothing.

Have someone experienced same problem?

Thanks.

Vishal Bhalla

oläst,
12 okt. 2017 10:39:542017-10-12
till Puppet Users
Yup - we are seeing similar problems.

After our client Amazon Linux boxes updated to latest OpenSSL (SL 1.0.2k-fips  26 Jan 2017) we now see 

Error: SSL_read:: shutdown while in init

On puppet runs. Only way we could work around it was to perform a yum rollback :(

This email was sent by a company owned by Financial Times Group Limited ("FT Group"), registered office at Number One Southwark Bridge, London SE1 9HL.  Registered in England and Wales with company number 879531. This e-mail may contain confidential information. If you are not the intended recipient, please notify the sender immediately, delete all copies and do not distribute it further.  It could also contain personal views which are not necessarily those of the FT Group.  We may monitor outgoing or incoming emails as permitted by law.

Peter Souter

oläst,
19 okt. 2017 00:07:432017-10-19
till Puppet Users
Hi folks, I saw Vishal's question over on StackOverflow, and googling it came back to here!

I answered Vishal over on SO, but thought I'd post it here for Maxim also and close the loop:

It seems like there was a breaking change brought in when updating the OpenSSL package with older Puppet 3. Puppet 3 itself is EOL since December of 2016, so I recommend you update to Puppet 4 or even 5, which came out this year.

Another benefit: Puppet 4 and onward bundles it's own openssl, so you don't have to worry about breaking Puppet when upgrading openssl (See puppet-agent: What is it, and what's in it?)

You can do so with my helper script:

wget -O - https://raw.githubusercontent.com/petems/puppet-install-shell/master/install_puppet_agent.sh | sudo sh

Or manually:

Puppet 5

rpm -ivh http://yum.puppetlabs.com/puppet5/puppet5-release-el-6.noarch.rpm
yum install puppet-agent -y

Puppet 4

rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-pc1-el-6.noarch.rpm
yum install puppet-agent -y
Svara alla
Svara författaren
Vidarebefordra
0 nya meddelanden