Jira (PDB-4513) puppetserver fails to connect to puppetdb 6.6.0


Vadym Chepkov (JIRA)

Sep 24, 2019, 8:16:05 PM
to puppe...@googlegroups.com
Vadym Chepkov created an issue
 
PuppetDB / Bug PDB-4513
puppetserver fails to connect to puppetdb 6.6.0
Issue Type: Bug
Affects Versions: PDB 6.6.0
Assignee: Unassigned
Components: PuppetDB
Created: 2019/09/24 5:15 PM
Priority: Normal
Reporter: Vadym Chepkov

Fresh install with the following components

puppet-agent-6.9.0-1.el7.x86_64
puppetserver-6.6.0-1.el7.noarch
puppetdb-6.6.0-1.el7.noarch
puppetdb-termini-6.6.0-1.el7.noarch

puppet server fails to connect to puppetdb and compile a catalog

```
# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for master.localdomain: Failed to find facts from PuppetDB at master.localdomain:8140: Failed to execute '/pdb/query/v4/nodes/master.localdomain/facts' on at least 1 of the following 'server_urls': https://master.localdomain:8081
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=cff02e6fb7cbf363fd52eac951b5c42e09a0718a&version=5&certname=master.localdomain&command=replace_facts&producer-timestamp=2019-09-25T00:14:42.328Z' on at least 1 of the following 'server_urls': https://master.localdomain:8081
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
```
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Vadym Chepkov (JIRA)

Sep 24, 2019, 8:18:03 PM
to puppe...@googlegroups.com
Vadym Chepkov updated an issue
Change By: Vadym Chepkov
Attachment: puppetserver.log

Austin Blatt (JIRA)

Sep 26, 2019, 11:33:02 AM
to puppe...@googlegroups.com
Austin Blatt commented on Bug PDB-4513
 
Re: puppetserver fails to connect to puppetdb 6.6.0

This might be better addressed by a Puppet Server ticket, but I think your problem is Puppet Server can't read/write the CRL file.

```
2019-09-25T00:03:32.634Z ERROR [async-dispatch-2] [p.p.certificate-authority] Unable to synchronize crl file /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem to /etc/puppetlabs/puppet/ssl/crl.pem: /etc/puppetlabs/puppet/ssl/crl.pem (Permission denied)
```

Vadym Chepkov (JIRA)

Sep 26, 2019, 9:07:03 PM
to puppe...@googlegroups.com
Vadym Chepkov commented on Bug PDB-4513

I saw this error, but I think it was corrected later and the file is readable by everyone:
```
[root@master ~]# ls -l /etc/puppetlabs/puppet/ssl/crl.pem
-rw-r--r--. 1 puppet puppet 1938 Sep 27 01:00 /etc/puppetlabs/puppet/ssl/crl.pem
```

Vadym Chepkov (JIRA)

Sep 26, 2019, 9:21:03 PM
to puppe...@googlegroups.com
Vadym Chepkov commented on Bug PDB-4513

The reason I think it's puppetdb, is because downgrading packages immediately solves the problem:

```
[root@master ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=ba3cbb646f965c885fdc8f218535fd81efceb727&version=5&certname=master.localdomain&command=replace_facts&producer-timestamp=2019-09-27T01:16:46.153Z' on at least 1 of the following 'server_urls': https://master.localdomain:8081
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

[root@master ~]# yum downgrade puppetdb puppetdb-termini -y
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                 |  17 kB  00:00:00
 * base: mirror.cogentco.com
 * epel: iad.mirror.rackspace.com
 * extras: mirror.cogentco.com
 * updates: mirror.cogentco.com
base                                                 | 3.6 kB  00:00:00
choria_release                                       | 1.0 kB  00:00:00
epel                                                 | 5.4 kB  00:00:00
extras                                               | 2.9 kB  00:00:00
puppet6                                              | 2.5 kB  00:00:00
updates                                              | 2.9 kB  00:00:00
yum.postgresql.org                                   | 3.6 kB  00:00:00
(1/10): base/7/x86_64/group_gz                       | 165 kB  00:00:00
(2/10): epel/x86_64/group_gz                         |  88 kB  00:00:00
(3/10): epel/x86_64/updateinfo                       | 1.0 MB  00:00:00
(4/10): extras/7/x86_64/primary_db                   | 152 kB  00:00:00
(5/10): puppet6/x86_64/primary_db                    | 178 kB  00:00:00
(6/10): yum.postgresql.org/7/x86_64/group_gz         |  249 B  00:00:00
(7/10): updates/7/x86_64/primary_db                  | 1.1 MB  00:00:00
(8/10): base/7/x86_64/primary_db                     | 6.0 MB  00:00:01
(9/10): yum.postgresql.org/7/x86_64/primary_db       | 378 kB  00:00:00
(10/10): epel/x86_64/primary_db                      | 6.8 MB  00:00:01
choria_release/7/x86_64/primary                      | 8.6 kB  00:00:01
choria_release                                                    68/68
Resolving Dependencies
--> Running transaction check
---> Package puppetdb.noarch 0:6.5.0-1.el7 will be a downgrade
---> Package puppetdb.noarch 0:6.6.0-1.el7 will be erased
---> Package puppetdb-termini.noarch 0:6.5.0-1.el7 will be a downgrade
---> Package puppetdb-termini.noarch 0:6.6.0-1.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================
 Package             Arch      Version         Repository      Size
========================================================================
Downgrading:
 puppetdb            noarch    6.5.0-1.el7     puppet6         40 M
 puppetdb-termini    noarch    6.5.0-1.el7     puppet6         23 k

Transaction Summary
========================================================================
Downgrade  2 Packages

Total download size: 40 M
Downloading packages:
(1/2): puppetdb-termini-6.5.0-1.el7.noarch.rpm       |  23 kB  00:00:00
(2/2): puppetdb-6.5.0-1.el7.noarch.rpm               |  40 MB  00:00:07
------------------------------------------------------------------------
Total                                       5.4 MB/s |  40 MB  00:00:07
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
usermod: no changes
  Installing : puppetdb-6.5.0-1.el7.noarch                          1/4
Config archive not found. Not proceeding with migration
PEM files in /etc/puppetlabs/puppetdb/ssl already exists, checking integrity.
Setting ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-ca-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
  Installing : puppetdb-termini-6.5.0-1.el7.noarch                  2/4
  Cleanup    : puppetdb-6.6.0-1.el7.noarch                          3/4
  Cleanup    : puppetdb-termini-6.6.0-1.el7.noarch                  4/4
  Verifying  : puppetdb-termini-6.5.0-1.el7.noarch                  1/4
  Verifying  : puppetdb-6.5.0-1.el7.noarch                          2/4
  Verifying  : puppetdb-termini-6.6.0-1.el7.noarch                  3/4
  Verifying  : puppetdb-6.6.0-1.el7.noarch                          4/4

Removed:
  puppetdb.noarch 0:6.6.0-1.el7          puppetdb-termini.noarch 0:6.6.0-1.el7

Installed:
  puppetdb.noarch 0:6.5.0-1.el7          puppetdb-termini.noarch 0:6.5.0-1.el7

Complete!

[root@master ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for master.localdomain
Info: Applying configuration version 'f8eb324'
Notice: /Stage[main]/Puppetdb::Server::Global/File[/etc/puppetlabs/puppetdb/conf.d/config.ini]/owner: owner changed 'root' to 'puppetdb' (corrective)
Notice: /Stage[main]/Puppetdb::Server::Global/File[/etc/puppetlabs/puppetdb/conf.d/config.ini]/group: group changed 'root' to 'puppetdb' (corrective)
Notice: /Stage[main]/Puppetdb::Server::Global/File[/etc/puppetlabs/puppetdb/conf.d/config.ini]/mode: mode changed '0644' to '0600' (corrective)
Info: Class[Puppetdb::Server::Global]: Scheduling refresh of Service[puppetdb]
Notice: /Stage[main]/Puppetdb::Server/Service[puppetdb]: Triggered 'refresh' from 1 event
Warning: Puppet::SSL::Host is deprecated and will be removed in a future release of Puppet.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/host.rb:235:in `initialize')
Notice: Applied catalog in 22.08 seconds
```

Benjamin Rechsteiner (JIRA)

Sep 28, 2019, 8:45:03 AM
to puppe...@googlegroups.com

We have exactly the same problem on Debian 9:

  • puppetdb 6.6.0-1stretch
  • puppetdb-termini 6.6.0-1stretch
  • puppetserver 6.6.0-1stretch

A downgrade to puppetdb 6.5.0 also solved our problem.

Nick Maludy (JIRA)

Sep 29, 2019, 10:31:05 PM
to puppe...@googlegroups.com
Nick Maludy commented on Bug PDB-4513

Same problem here on RHEL 7.7

Downgrade to 6.5.0 solved our problem as well.

 

We were seeing SSL errors in the puppetserver logs:

```
2019-09-29T21:54:48.644-04:00 ERROR [qtp235516197-38] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
        at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:273)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:328)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
        at java.lang.Thread.run(Thread.java:748)
2019-09-29T21:54:48.649-04:00 WARN  [qtp235516197-38] [puppetserver] Puppet Error connecting to hostanme.domain.tld on 8081 at route /pdb/query/v4/nodes/hostname.domain.tld/facts, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
```

 

Austin Blatt (JIRA)

Sep 30, 2019, 12:40:04 PM
to puppe...@googlegroups.com
Austin Blatt commented on Bug PDB-4513

Ok, I wonder if by chance we don't have the right cipher suites for puppetserver in 6.6.0. Here are the puppetdb docs for that setting: https://puppet.com/docs/puppetdb/latest/configure.html#cipher-suites

Below is the list of cipher-suites that puppetserver allows in 6.6.0. Can someone who hits this problem copy the list and set the cipher-suites setting manually for PuppetDB (while using 6.6.0 for all three components)? If it is a problem with our cipher-suites settings, I would expect this configuration change to eliminate the error entirely.

Note that the list below is not in ini format, which is a comma-separated string.

```
cipher-suites: [
        "SSL_CK_DES_192_EDE3_CBC_WITH_SHA"
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
        "TLS_DH_DSS_WITH_AES_128_CBC_SHA256"
        "TLS_DH_DSS_WITH_AES_128_GCM_SHA256"
        "TLS_DH_DSS_WITH_AES_256_CBC_SHA256"
        "TLS_DH_DSS_WITH_AES_256_GCM_SHA384"
        "TLS_DH_RSA_WITH_AES_128_CBC_SHA256"
        "TLS_DH_RSA_WITH_AES_128_GCM_SHA256"
        "TLS_DH_RSA_WITH_AES_256_CBC_SHA256"
        "TLS_DH_RSA_WITH_AES_256_GCM_SHA384"
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
        "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
        "TLS_RSA_WITH_AES_256_CBC_SHA256"
        "TLS_RSA_WITH_AES_256_CBC_SHA"
        "TLS_RSA_WITH_AES_128_CBC_SHA256"
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    ]
```

Vadym Chepkov (JIRA)

Sep 30, 2019, 1:08:03 PM
to puppe...@googlegroups.com
Vadym Chepkov commented on Bug PDB-4513

Yep, that solved it for me.

BTW, puppetlabs/puppetdb module should really have `cipher_suites` as an array

Austin Blatt (JIRA)

Sep 30, 2019, 1:13:04 PM
to puppe...@googlegroups.com
Austin Blatt commented on Bug PDB-4513

Thanks, I'll get a PR up to fix PuppetDB's defaults, but glad to know there's a workaround in place.

And yep, I agree having to specify a list as a single string is awful; I'll make a ticket for that.

Austin Blatt (JIRA)

Sep 30, 2019, 1:13:05 PM
to puppe...@googlegroups.com
Austin Blatt updated an issue
 
Change By: Austin Blatt
Affects Version/s: PDB 6.7.0

Vadym Chepkov (JIRA)

Sep 30, 2019, 1:47:04 PM
to puppe...@googlegroups.com
Vadym Chepkov commented on Bug PDB-4513
 
Re: puppetserver fails to connect to puppetdb 6.6.0

Seems puppetserver has a smaller subset configured, this works for me

```
puppetdb::server::cipher_suites: 'TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA'
```

Austin Blatt (JIRA)

Sep 30, 2019, 1:52:04 PM
to puppe...@googlegroups.com
Austin Blatt updated an issue
Change By: Austin Blatt
Fresh install with the following components

puppet-agent-6.9.0-1.el7.x86_64
puppetserver-6.6.0-1.el7.noarch
puppetdb-6.6.0-1.el7.noarch
puppetdb-termini-6.6.0-1.el7.noarch

puppet server fails to connect to puppetdb and compile a catalog

```
# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for master.localdomain: Failed to find facts from PuppetDB at master.localdomain:8140: Failed to execute '/pdb/query/v4/nodes/master.localdomain/facts' on at least 1 of the following 'server_urls': https://master.localdomain:8081
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=cff02e6fb7cbf363fd52eac951b5c42e09a0718a&version=5&certname=master.localdomain&command=replace_facts&producer-timestamp=2019-09-25T00:14:42.328Z' on at least 1 of the following 'server_urls': https://master.localdomain:8081
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
```

Workaround

The workaround is to manually set PuppetDB's `cipher-suites` setting (https://puppet.com/docs/puppetdb/latest/configure.html#cipher-suites) to the following list:


Austin Blatt (JIRA)

Sep 30, 2019, 1:56:04 PM
to puppe...@googlegroups.com
```
cipher-suites="SSL_CK_DES_192_EDE3_CBC_WITH_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
```

Austin Blatt (JIRA)

Oct 3, 2019, 6:40:04 PM
to puppe...@googlegroups.com
Austin Blatt updated an issue
Change By: Austin Blatt
Fix Version/s: PDB 6.7.1

Austin Blatt (JIRA)

Oct 9, 2019, 2:17:05 PM
to puppe...@googlegroups.com
Austin Blatt updated an issue
Change By: Austin Blatt
Release Notes Summary: PuppetDB 6.6.0 was released with a restricted set of cipher suites that could prevent connecting to Puppet Server on using TLSv1.0 and TLSv1.1. This restores the cipher suites required to connect to Puppet Server on those older TLS versions.

Austin Blatt (JIRA)

Oct 9, 2019, 2:17:05 PM
to puppe...@googlegroups.com
Austin Blatt updated an issue
Change By: Austin Blatt
Release Notes Summary: PuppetDB 6.6.0 was released with a restricted set of cipher suites that could prevent connecting to Puppet Server on TLSv1.0 and TLSv1.1. This restores the cipher suites required to connect to Puppet Server on those older TLS versions.

Heston Hoffman (JIRA)

Oct 11, 2019, 7:42:03 PM
to puppe...@googlegroups.com
Heston Hoffman updated an issue
Change By: Heston Hoffman
Labels: resolved-issue-added

Austin Blatt (JIRA)

Oct 15, 2019, 1:45:03 PM
to puppe...@googlegroups.com
Austin Blatt commented on Bug PDB-4513
 
Re: puppetserver fails to connect to puppetdb 6.6.0

PuppetDB 6.7.1 has just been released. The default list in the jetty.ini conf file shipped with the PuppetDB packages is what I listed above, excluding the first cipher, SSL_CK_DES_192_EDE3_CBC_WITH_SHA, which is an SSLv3 cipher.

If you are still using SSLv3, I first ask that you consider upgrading to TLS. If you still want to continue using SSLv3 you'll need to ensure the above SSL cipher is added to the list.
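
Added example, not part of the thread and not PuppetDB or Puppet Server code: a small Python helper that turns a list in the quoted `cipher-suites: [ ... ]` form into the comma-separated ini line, drops `SSL_`-prefixed names as the 6.7.1 default does, and checks whether two peers share any suite at all. The function names and the shortened sample inputs are constructed for illustration; the pre-TLS 1.2 check relies on the fact that `_SHA256`, `_SHA384` and GCM suites are only defined for TLS 1.2 and later.

```python
import re

# Constructed sample: a shortened list in the form quoted earlier in the thread.
PUPPETSERVER_LIST = """
cipher-suites: [
        "SSL_CK_DES_192_EDE3_CBC_WITH_SHA"
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        "TLS_RSA_WITH_AES_256_CBC_SHA256"
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    ]
"""

# Constructed sample: an ini line that shares no suite with the list above.
PUPPETDB_INI = ("cipher-suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
                "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256")


def parse_list_form(text):
    """Return the quoted suite names in order, without duplicates."""
    seen, out = set(), []
    for name in re.findall(r'"([A-Z0-9_]+)"', text):
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def parse_ini_line(line):
    """Return suite names from cipher-suites="A,B" or cipher-suites = A, B."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "cipher-suites":
        raise ValueError("not a cipher-suites line: %r" % line)
    value = value.strip().strip("\"'")
    return [s.strip() for s in value.split(",") if s.strip()]


def to_ini_line(suites, keep_ssl_prefixed=False):
    """Render one comma-separated line in the form posted in the thread.

    SSL_-prefixed names are dropped unless explicitly requested.
    """
    kept = [s for s in suites if keep_ssl_prefixed or not s.startswith("SSL_")]
    return 'cipher-suites="%s"' % ",".join(kept)


def shared_suites(client, server):
    """Suites both peers allow, in client order; empty means no handshake."""
    allowed = set(server)
    return [s for s in client if s in allowed]


def usable_before_tls12(suites):
    """TLS_ suites with a SHA-1 MAC, the only ones here a TLS 1.0/1.1 peer can use."""
    return [s for s in suites if s.startswith("TLS_") and s.endswith("_SHA")]


if __name__ == "__main__":
    server_side = parse_list_form(PUPPETSERVER_LIST)
    print(to_ini_line(server_side))
    print("shared:", shared_suites(server_side, parse_ini_line(PUPPETDB_INI)))
    print("TLS 1.0/1.1 capable:", usable_before_tls12(server_side))
```

An empty result from `shared_suites` corresponds to the `handshake_failure` alert seen in the puppetserver log above.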

Yvan Broccard (Jira)

Apr 28, 2020, 5:10:04 AM
to puppe...@googlegroups.com
Yvan Broccard commented on Bug PDB-4513

I had exactly the same problem, upgrading from PuppetDB 6.5 to 6.9.

After struggling with this for days and reproducing the problem with the ciphers, I solved the problem by upgrading to Java 11, and then ... poof, no more problem. No need to fight with the ciphers if you use a more recent version of Java. It seems. Maybe a line in the release notes about the version of Java would have helped.

I was using java-1.7.0-openjdk.

Now I've replaced it with java-11-openjdk

Cheers

Yvan

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Yvan Broccard (Jira)

Apr 28, 2020, 8:41:03 AM
to puppe...@googlegroups.com
Yvan Broccard updated an issue
 
Change By: Yvan Broccard