java puppetserver 1.0 CA not working

asked 2015-01-14 14:57:07 -0500

lorcutt

updated 2015-01-21 13:57:19 -0500

Hi - I'm doing some testing with the new java based puppetserver 1.0. I stood up a puppetmaster using it and it is able to serve content to itself. Now when I try to connect a client to it I seem to have issues with the CA functionality.

Both server and client are running RHEL6.

The puppet server has ca enabled in bootstrap.cfg:

puppetlabs.services.ca.certificate-authority-service/certificate-authority-service

On the client, I installed puppet 3.7.3, rm'd all contents from /var/lib/puppet/ssl for a fresh start, and have puppet.conf ca_server and server entries pointing to the new java based server. When I do a puppet agent run I get:

Error: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A

The server does not show anything with "puppet cert list".

On the client, running "openssl s_client -connect <servername>:8140" shows a few lines of concern:

depth=0 CN = <servername>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = <servername>
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = <servername>
verify error:num=21:unable to verify the first certificate
verify return:1
140623348819784:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/CN=<servername>
   i:/CN=Puppet CA: <servername>
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 54B6D146C3D603F7EE01450645D6F46087F86D342D047A1C44D8055B93F1EB6F
    Session-ID-ctx:
    Master-Key: F10698FE583BB77FE5E43A51097C65B239FEAE201DA3414AFC0B955F15645D627FC7D28AFB7C3569F18AD0C3C4
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1421267269
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Setting the log level to DEBUG as requested below, I see the following in /var/log/puppetserver/puppetserver.log:

.....
    2015-01-20 15:26:38,859 DEBUG [o.e.j.i.s.SslConnection] SslConnection@186b90e0{NEED_WRAP,eio=614/-1,di=-1} -> HttpConnection@2ee666de{FILLING} fill exit
    2015-01-20 15:26:38,860 DEBUG [o.e.j.s.HttpConnection]
    javax.net.ssl.SSLHandshakeException: null cert chain
            at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290) ~[na:1.7.0_65]
            at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513) ~[na:1.7.0_65]
            at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793) ~[na:1.7.0_65]
            at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761) ~[na:1.7.0_65]
            at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_65]
            at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:503) ~[puppet-server-release.jar:na]
            at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:215) ~[puppet-server-release.jar:na]
            at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505) [puppet-server-release.jar:na]
            at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607) [puppet-server-release.jar:na]
            at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536) [puppet-server-release.jar:na]
            at java.lang.Thread.run(Thread.java:745) [na:1.7.0_65]
    Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192 ...

Comments

After the puppet agent run on your client, has a '/var/lib/puppet/ssl/certs/ca.pem' file been created? If not, I'd wonder if the initial SSL connection were failing due to a firewall or selinux being enabled. Would be interesting, then, to see if disabling those would help.

camlow325 (2015-01-15 00:56:46 -0500)

If the "ca.pem" file has been created on the client, would be interesting to see what an "openssl s_client -connect <servername>:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem" run from the client would return.

camlow325 (2015-01-15 00:58:42 -0500)

If the connection is being rejected by the Jetty server, you might be able to get more specific details from the "/var/log/puppetserver/puppetserver.log" file if you bump the jetty logger level in "/etc/puppetserver/logback.xml" to "DEBUG", "service puppetserver restart", and try another agent run.

camlow325 (2015-01-15 01:06:30 -0500)

/var/lib/puppet/ssl/certs/ca.pem exists on the server. It works as a client to itself.

lorcutt (2015-01-20 09:23:01 -0500)

The openssl command gives basically the same output as already shown, except that it starts with "140595356186440:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/var/lib/puppet/ssl/certs/ca.pem','r')"

lorcutt (2015-01-20 09:24:44 -0500)

1 answer


answered 2015-01-27 12:12:12 -0500

lorcutt

camlow325 provided the answer. The "client-auth" setting in /etc/puppetserver/conf.d/webserver.conf was set to "need"; the correct setting was "want".

camlow325 - if you update your post to an answer I will mark it correct and remove this answer.

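Why "need" breaks enrolment, as an added Python illustration that is not part of the thread or of Puppet Server: a TLS server that requires a client certificate (Jetty's client-auth "need", ssl.CERT_REQUIRED here) aborts the handshake with a peer that has no certificate, which is exactly the state of a fresh agent that still has to ask the CA for one, and the agent never reaches the CA endpoint at all; with "want" (ssl.CERT_OPTIONAL) the handshake completes, the server sees that no certificate was presented (getpeercert() is None), and the application layer can decide what that client may do. The example assumes the openssl CLI is on PATH to mint a throwaway self-signed certificate; the server is pinned to TLS 1.2 so the rejection happens inside the handshake rather than on the first read.

```python
import os, socket, ssl, subprocess, tempfile, threading

CLIENT_AUTH = {"need": ssl.CERT_REQUIRED, "want": ssl.CERT_OPTIONAL}  # Jetty client-auth -> ssl verify mode

def make_self_signed(tmpdir):
    """Constructed throwaway cert and key (openssl CLI assumed on PATH)."""
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def serve_once(client_auth, crt, key, ready, result):
    """Accept one TLS connection under the given client-auth policy and record the outcome."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    ctx.load_verify_locations(crt)  # trust anchor for client certs, if any are presented
    ctx.verify_mode = CLIENT_AUTH[client_auth]
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.2: a missing cert fails inside the handshake
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0)); srv.listen(1)
        ready["port"] = srv.getsockname()[1]
        ready["event"].set()
        conn, _ = srv.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                result["handshake_ok"] = True
                result["peer_cert"] = tls.getpeercert()  # None: client sent no certificate
        except OSError:  # ssl.SSLError is an OSError; "need" with a cert-less client ends up here
            result["handshake_ok"] = False

def fresh_agent_connects(client_auth):
    """Connect like an agent with an empty ssldir: trusts the server, has no cert of its own."""
    with tempfile.TemporaryDirectory() as tmpdir:
        crt, key = make_self_signed(tmpdir)
        ready, result = {"event": threading.Event()}, {}
        server = threading.Thread(target=serve_once, args=(client_auth, crt, key, ready, result))
        server.start(); ready["event"].wait()
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.load_verify_locations(crt)
        cctx.check_hostname = False  # throwaway cert; hostname matching is not the point here
        try:
            with socket.create_connection(("127.0.0.1", ready["port"])) as raw, \
                    cctx.wrap_socket(raw, server_hostname="localhost"):
                client_ok = True
        except OSError:  # the server's handshake_failure alert surfaces here under "need"
            client_ok = False
        server.join()
        return client_ok, result["handshake_ok"], result.get("peer_cert")
```

fresh_agent_connects("need") returns (False, False, None) and fresh_agent_connects("want") returns (True, True, None), mirroring the "null cert chain" failure in the thread and its fix.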
