SSL_connect issues after patching Debian SSL packages

asked 2014-05-30 04:09:45 -0500

Paul Shore

I have a puppetlabs master (3.6.1-1) installed on a Debian 7 VMware VM server with Debian 6/7 clients (the clients are using the puppet that is bundled with Debian).

Some of my clients are having the following error some of the time:

err: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server session ticket A

warning: Not using cache on failed catalog

This all started when I patched all the boxes for the SSL issue and I haven't been able to fix it.

It's not all the time and it's not older Debian 6 boxes either. It's random across boxes: some Debian 6 are OK, some are failing. Some Debian 7 are OK, some are failing. Some physical boxes are OK, some are failing. Some VMs are OK, some are failing. I could understand if the boxes were built differently, but they were built using puppet!

I have tried the following and it hasn't helped:

- Upgrading client to puppetlabs package instead of the Debian 6/7 packages.
- Revoking client cert on server and removing /var/lib/puppet/ssl.
- Removing all server packages and recreating server including all SSL certs.
- Confirming NTP server for puppet server and client is the same box (rebooting both failing client and server too).
- Trying the WEBrick server instead of apache/passenger.
- Upgrading passenger to latest version and compiling.

Any suggestions on sorting this problem would be appreciated.

Thanks

Paul


Comments

Did you check if the time between master and clients is synchronized?

Renan Vicente ( 2014-05-30 07:51:44 -0500 )

As mentioned above, both puppet master and client have the same time NTP server and are in sync.

Paul Shore ( 2014-05-30 07:59:12 -0500 )

1 Answer


answered 2014-06-11 08:34:07 -0500

Paul Shore

OK, I have found the problem that was causing this issue, and it wasn't the SSL packages or puppet: the network MTU was incorrect on some of the boxes.

The MTU was being manually dropped to 1492 for a VLAN environment and it hadn't been reduced on some of the boxes. The patched SSL package just made the packets between client and server slightly bigger, which caused issues with the MTU limit occasionally. Having dropped the MTU on the failing boxes to 1492, the issue has gone away.

Guess the solution here should have been to use puppet to drop the MTU size!


Comments

I set jumbo frames on my Cisco 3750X switch (MTU 9000). The Puppet agent reports the error: Could not send report: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server session ticket A

georce ( 2015-09-23 00:08:03 -0500 )
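A check for the condition described in the answer above (an interface left at a different MTU than the rest of the network), as an added example that is not part of the original posts. The function names, the overridable sysfs root and the `--check` argument are hypothetical; 1492 is the value from the answer, and the 28-byte overhead assumes IPv4 ICMP.

```shell
#!/bin/sh
# Added example: audit local interface MTUs and probe the path to the master.

# Largest ICMP echo payload that fits in one unfragmented IPv4 packet:
# MTU minus the 20-byte IPv4 header and the 8-byte ICMP header.
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Print "iface mtu" for every non-loopback interface whose MTU differs
# from the expected value. Returns 1 if any mismatch was found.
# $1 = expected MTU, $2 = sysfs root (assumption: defaults to /sys/class/net)
mtu_mismatches() {
    expected=$1
    root=${2:-/sys/class/net}
    rc=0
    for f in "$root"/*/mtu; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        [ "$iface" = "lo" ] && continue
        mtu=$(cat "$f")
        if [ "$mtu" != "$expected" ]; then
            echo "$iface $mtu"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh mtu_check.sh --check [expected_mtu] [puppet_master_host]
if [ "${1:-}" = "--check" ]; then
    want=${2:-1492}
    host=${3:-}
    mtu_mismatches "$want" || echo "interfaces above do not use MTU $want" >&2
    if [ -n "$host" ]; then
        # -M do sets Don't Fragment, so an oversized packet fails loudly
        # instead of being silently fragmented or dropped on the path.
        ping -M do -c 3 -s "$(icmp_payload_for_mtu "$want")" "$host"
    fi
fi
```

If the ping at the expected size succeeds but a payload one byte larger fails with a "message too long" error, the path MTU matches the expected value; intermittent handshake failures with only some hosts listed by `mtu_mismatches` match the pattern in the answer.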

Last updated: Jun 11 '14