"decryption failed or bad record mac" errors


maill...@gmail.com

Jun 11, 2012, 2:34:15 PM
to puppet...@googlegroups.com
I inherited an old installation (0.24) that's been trouble-free until
recently, when I started getting these error messages from a single
machine:

Failed to retrieve current state of resource: Certificates were not
trusted: SSL_read:: decryption failed or bad record mac Could not
describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
decryption failed or bad record mac

I don't find evidence of a hardware problem on the machine. The next
puppet run succeeds; the problem happens once every few days. Anyone
have pointers on how to troubleshoot this or ideas on what the issue
could be?

Jeff McCune

Jun 11, 2012, 3:44:39 PM
to puppet...@googlegroups.com
This error is probably referring to the message authentication code
[1], not the media access control address [2].

How is your puppet master configured? Have any recent software
updates changed the OpenSSL libraries on your systems?

[1] http://en.wikipedia.org/wiki/Message_authentication_code
[2] http://en.wikipedia.org/wiki/MAC_address

-Jeff
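
An added illustration of the record MAC mentioned in the reply above (not code from the thread or from Puppet): the TLS 1.0 record-layer check whose failure is reported as "bad record mac". It runs on the established session's MAC key, not on certificate validity dates. The function names, key and payload are hypothetical, constructed values, and encryption of the record is omitted.

```python
import hashlib
import hmac
import struct

ALERT_BAD_RECORD_MAC = 20   # TLS alert number for bad_record_mac (RFC 2246)
MAC_LEN = 20                # HMAC-SHA1 output size

def record_mac(mac_key, seq_num, fragment, content_type=23, version=(3, 1)):
    """TLS 1.0 MAC: HMAC(key, seq_num || type || version || length || fragment)."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()

def protect(mac_key, seq_num, fragment):
    """Sender: append the MAC to the fragment (encryption step omitted)."""
    return fragment + record_mac(mac_key, seq_num, fragment)

def verify(mac_key, seq_num, record):
    """Receiver: recompute the MAC with its own sequence counter and compare."""
    fragment, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    if not hmac.compare_digest(tag, record_mac(mac_key, seq_num, fragment)):
        raise ValueError(f"bad record mac (alert {ALERT_BAD_RECORD_MAC})")
    return fragment

def check(mac_key, seq_num, record):
    """Return 'ok' or the error text, so each case can be compared side by side."""
    try:
        verify(mac_key, seq_num, record)
        return "ok"
    except ValueError as err:
        return str(err)

def flip_bit(data, index):
    """Simulate one corrupted bit in the byte stream."""
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)

# Constructed sample values, not taken from the thread.
KEY = b"\x0b" * 20
RECORD = protect(KEY, 0, b"GET /tomcat/ROOT.xml")

if __name__ == "__main__":
    print("intact record:        ", check(KEY, 0, RECORD))
    print("one bit flipped:      ", check(KEY, 0, flip_bit(RECORD, 3)))
    print("sequence out of step: ", check(KEY, 1, RECORD))
```

Both failing cases use the correct key and an unchanged certificate: a damaged byte or a record counted out of order is enough to fail the comparison.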

maill...@gmail.com

Jun 11, 2012, 3:59:53 PM
to puppet...@googlegroups.com
>> I inherited an old installation (0.24) that's been trouble-free until
>> recently, when I started getting these error messages from a single
>> machine:
>>
>> Failed to retrieve current state of resource: Certificates were not
>> trusted: SSL_read:: decryption failed or bad record mac Could not
>> describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
>> decryption failed or bad record mac
>>
--snip--
>
> This error is probably referring to the message authentication code
> [1], not the media access control address [2].
>
> How is your puppet master configured?  Have any recent software
> updates changed the OpenSSL libraries on your systems?
>
> [1] http://en.wikipedia.org/wiki/Message_authentication_code
> [2] http://en.wikipedia.org/wiki/MAC_address
>
> -Jeff

Thanks for that. I did not know about the Message Authentication Code,
which makes sense in this case.

Nothing has changed on these machines for years and I just verified
that nothing has recently been updated. I'm still digging around the
logs, nothing jumps out yet.

Jeff McCune

Jun 11, 2012, 4:50:39 PM
to puppet...@googlegroups.com
It could be your CA certificate has expired. Could you paste the output of openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?

--
Jeff McCune


maill...@gmail.com

Jun 11, 2012, 5:10:25 PM
to puppet...@googlegroups.com
On Mon, Jun 11, 2012 at 4:50 PM, Jeff McCune <je...@puppetlabs.com> wrote:
> It could be your CA certificate has expired. Could you paste the output of
> openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?
>
> --

Thanks, Jeff.

Since this is a work cert I'm not gonna post the whole thing, but I
think this is the part we're looking for, correct? If not, I'll
sanitize and post it.

Validity
Not Before: Dec 27 21:38:24 2009 GMT
Not After : Dec 26 21:38:24 2014 GMT

It looks like it doesn't expire until 2014.

I don't understand what would cause this to happen only occasionally
and on one machine. Wouldn't you expect to see it consistently and
across all machines if the cert had expired?

Jeff McCune

Jun 11, 2012, 5:16:06 PM
to puppet...@googlegroups.com
Ah, yes. I'm not sure what the issue is then.

Perhaps just re-issue the certificate for that one machine and see if
that fixes the problem?

-Jeff