Ask Your Question

After upgrade to 3.3.1 (SLES11): Agent receives no certificate from master

asked 2014-04-24 07:51:46 -0500

upietz gravatar image

updated 2014-05-21 05:34:59 -0500

Hey there,

I'm facing this problem on a SLES11 SP3 server with puppet 3.3.1, ruby 1.8.7 and facter 1.7.3. We recently updated from puppet 3.2.4. Neither any certs nor ips nor dns names changed. All runs fail on the client:

Error: Failed to apply catalog: undefined method `extensions' for nil:NilClass
Error: Could not send report: undefined method `extensions' for nil:NilClass

After some debugging, I found that the actual error gets generated in /usr/lib64/ruby/1.8/openssl/ssl-internal.rb:91:in `verifycertificateidentity' where


is called. So to me it seems as if "cert" is nil. Certs are ok, connections with openssl s_client work, hence firewall is also not blocking. I would be glad for any pointers on how to further diagnose this problem!

UPDATE I looked a bit further into it, and the problem really is: the puppet agent doesn't retrieve a cert from the master, although it is configured to use tls. I'm puzzled. Neither logs on the server (apache+passenger) nor on the agent report anything suspicious

Thank you,


edit retag flag offensive close merge delete


What version is running on the master?

ffrank gravatar imageffrank ( 2014-04-24 08:33:09 -0500 )edit

puppet 3.4.3

upietz gravatar imageupietz ( 2014-04-24 09:30:17 -0500 )edit

3 answers

Sort by ยป oldest newest most voted

answered 2014-08-06 23:23:56 -0500

Enzo gravatar image

Try to downgrade the libopenssl then everything should be fine.

I had the same issue after I ran zypper dup to a sles 11 sp3 and the libopenssl098 updated from version libopenssl098-0.9.8j-0.50.1.x8664 to libopenssl098-0.9.8j-0.58.1.x8664 then the nightmare began.

I analyzed the debug log and saw the puppet agent server after updated has changed the cipher from 'Protocol: TLSv1, Cipher: DHE-RSA-CAMELLIA256-SHA (256/256 bits)' to 'Protocol: TLSv1, Cipher: DHE-RSA-CAMELLIA256-SHA (256/256 bits)'. So i guess maybe it's libopenssl's fault.

edit flag offensive delete link more


libopenssl0_9_8-0.9.8j-0.50.1.x86_64 would be ok.

Enzo gravatar imageEnzo ( 2014-08-06 23:25:06 -0500 )edit

answered 2014-08-07 03:43:13 -0500

janos gravatar image

Colleague found the solution: Different versions of openssl lead to different ciphersuites. If not forced, the puppet-client chooses the ciphersuite. Now, what happenend after an update of openssl is that some ciphersuites are not supported anymore, but chosen by the puppet client. This way the ssl handshake is not working.

Solution: Change your vhost configuration of the puppet-server, e.g. under /etc/apache2/conf.d/puppet.conf, and make clear that the server defines the ciphersuite. SSLHonorCipherOrder on SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

edit flag offensive delete link more

answered 2014-05-21 06:58:49 -0500

upietz gravatar image

After reading some packets we finally found the problem:

The agent and the master couldn't agree on a cipher to use. Looks like our apache ssl config was so special that puppet 3.3.1 couldn't deal with it... although openssl version didn't change during the upgrade. Whatever.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-04-24 07:51:46 -0500

Seen: 681 times

Last updated: May 21 '14