v3 agent to v4 master ssl issue


Christopher Wood

Feb 5, 2016, 4:56:14 PM2/5/16
to puppet...@googlegroups.com
I have a puppet 3 agent attempting an agent run against a puppet 4 master but I am getting ssl errors. I'm out of google-fu and I've verified certs and keys, run both sides in debug using puppetserver and the rack "puppet master --no-daemonize --verbose", and am not seeing anything that jumps out at me. I do notice that when running in DEBUG the puppetserver log doesn't spit output during the agent run.

The closest I can get to understanding this is stackoverflow, but I'm not sure how I would tell the agent to use TLSv1.2.

http://stackoverflow.com/questions/25814210/opensslsslsslerror-ssl-connect-syscall-returned-5-errno-0-state-sslv3-read

Any hints on what these ssl errors are from and how I can fix this?

SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A

[root@mail10c2 ~]# puppet --version
3.8.5
[root@mail10c2 ~]# cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@mail10c2 ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

[root@puppetmaster1stage ~]# rpm -q puppetserver
puppetserver-2.2.1-1.el6.noarch
[root@puppetmaster1stage ~]# /opt/puppetlabs/bin/puppet --version
4.3.2
[root@puppetmaster1stage ~]# cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@puppetmaster1stage ~]# /opt/puppetlabs/puppet/bin/openssl version
OpenSSL 1.0.2e 3 Dec 2015

I've verified the hostcert, hostpubkey, and localcacert as definitely belonging to each other using openssl. These files exist at the paths from "puppet config print". The localcacert is definitely the CA cert that both server and client use, by md5sum.

This is the output (that is definitely the --server in the server cert):

[root@mail10c2 util]# puppet agent --onetime --verbose --no-daemonize --no-splay --server puppetmaster1stage
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppetmaster1stage/pluginfacts: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppetmaster1stage/plugins: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
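The post above says the hostcert, host key and localcacert were checked with openssl for belonging together, and later replies ask whether any cert is invalid or expired and whether the CA carries a subjectAltName. The script below is an added example, not code from the post or from Puppet: it wraps those checks in small POSIX sh functions that take the file paths reported by `puppet config print hostcert hostprivkey localcacert`. The function names and the throwaway PKI built by `make_sample_pki` are constructed here so the script runs offline; on a real agent, call `puppet_ssl_check` with the real paths instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): sanity checks for the
# agent-side SSL files that Puppet reports under `puppet config print
# hostcert hostprivkey localcacert`. Only the openssl command-line tool is
# needed. The sample PKI built by make_sample_pki is constructed purely so
# the script runs offline; point the check functions at real paths instead.
set -u

# 0 when the private key ($2) and the certificate ($1) carry the same public
# key. Compares SHA-256 digests of the DER-encoded public keys, so it works
# for RSA and EC keys alike (not just an RSA modulus comparison).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when the certificate ($1) chains to the CA bundle ($2).
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the certificate ($1) is still valid $2 seconds from now (default: now).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 when the certificate carries a Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Run every check against hostcert ($1), hostprivkey ($2), localcacert ($3).
# Prints one line per check and returns the number of failed checks.
puppet_ssl_check() {
    fails=0
    for check in "cert_key_match $1 $2" "cert_signed_by_ca $1 $3" \
                 "cert_not_expired $1" "cert_not_expired $3"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
    done
    if cert_has_san "$3"; then echo "info CA cert has subjectAltName"
    else echo "info CA cert has no subjectAltName"; fi
    return "$fails"
}

# Build a constructed throwaway PKI in $1: a CA, a host cert signed by it
# (no SAN), a second host cert with a SAN, and an unrelated key for the
# key/cert mismatch case. A private config file keeps the CA extensions
# independent of the system openssl.cnf.
make_sample_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Puppet CA: sample" -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=agent.sample" \
        -keyout "$d/host.key" -out "$d/host.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -set_serial 2 -in "$d/host.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -out "$d/host.crt" >/dev/null 2>&1
    printf 'subjectAltName=DNS:puppet,DNS:puppet.sample\n' > "$d/san.ext"
    openssl x509 -req -days 365 -set_serial 3 -in "$d/host.csr" -extfile "$d/san.ext" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -out "$d/san.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" >/dev/null 2>&1
}

# Stand-alone demo against the constructed PKI: `sh check.sh demo`.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_pki "$d"
    puppet_ssl_check "$d/host.crt" "$d/host.key" "$d/ca.crt"
fi
```

`puppet_ssl_check` only tells you whether the local files are mutually consistent and current; a handshake that still fails after it passes cleanly points at the server side or at the configuration split between `server` and `ca_server`, which is where the thread eventually lands.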

Christopher Wood

Feb 11, 2016, 5:03:05 PM2/11/16
to puppet...@googlegroups.com
Update is that I still don't know why this happened, but I know what I should not do when I go to convert the production puppetmasters.

I have a set of 3.8.5 masters and was attempting to bring up a 4.3.2 master (puppetserver 2.2.1, puppet-agent 1.3.4) as a non-CA master to test things with. A 3.8.5 agent got these errors when trying to use a server=4.3.2 with ca_server=3.8.5 set of puppetmaster versions.

My 3.8.5 agent worked fine against the 4.3.2 master with a completely new CA, and with the new master acting as a CA with the 3.8.5 CA's ssl files. Using a 3.8.5 non-CA master with the 4.3.2 CA server works too.

The upshot is that when I convert the puppetmasters to puppet 4 I will need to convert the CA first and work outward from there (other puppetmasters at that location, rest of the puppetmasters, then the agents).

(Feel free to add more clue than I can provide, anybody.)

Felix Frank

Feb 17, 2016, 4:23:08 PM2/17/16
to puppet...@googlegroups.com
Hi Christopher,

I have no first hand experience with this transition, but Martin put a
note about SSL in the Puppet 4 chapter of the new Puppet Essentials
(yes, I'm plugging us :-)

Apparently Puppet 4 cannot use a CA that was created without the
dns_alt_names setting. This might just be your issue. And yes, you will
have to re-certify your infrastructure for the upgrade if this is the case.

Cheers,
Felix

Christopher Wood

Feb 19, 2016, 3:54:54 PM2/19/16
to puppet...@googlegroups.com
I checked; the CA in use on my puppet4/puppetserver installation definitely has no subjectAltName extension, and a puppet4 agent works.

In all likelihood I messed up something in the config.

warron.french

Feb 19, 2016, 7:26:14 PM2/19/16
to puppet...@googlegroups.com

Hi Christopher, is either cert invalid/expired? I don't know the typical certificate lifespan.

Christopher Wood

Feb 20, 2016, 10:58:15 PM2/20/16
to puppet...@googlegroups.com
None of the certs are expired, I just checked.

Hopefully we will have puppet4 puppetservers in a few weeks and all this will be behind me.

On Fri, Feb 19, 2016 at 07:26:06PM -0500, warron.french wrote:
> Hi Christopher, is either cert invalid/expired? I don't know the
> typical certificate lifespan.