The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #14067

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version

Added by Thomas Bétrancourt over 2 years ago. Updated over 2 years ago.

Status: Closed
Start date: 04/18/2012
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: SSL
Target version: -
Affected Puppet version: 2.7.13
Branch:
Keywords:


Description

I have a puppet server (CentOS 6.2 / puppet opensource 2.7.13): medion.chatillon.betrancourt.net. I have a puppet client (CentOS 6.2 / puppet opensource 2.7.13): thomas.test.betrancourt.net. This client is syncing fine with the server.

On thomas.test.betrancourt.net, I have a virtual machine with CentOS 6.2 / puppet opensource 2.7.13 too. When I try to sync this machine with the puppet server, I get the above error (the title of this issue).

I’m using the openssl command

    openssl s_client -host puppet -port 8140 -cert /var/lib/puppet/ssl/certs/$(hostname -f).pem -key /var/lib/puppet/ssl/private_keys/$(hostname -f).pem -CAfile /var/lib/puppet/ssl/certs/ca.pem

which confirms the issue.

On the server, the certificate is nicely generated. The server is configured to auto-sign cert requests.

openssl_verify_puppet.txt (3.63 KB) Thomas Bétrancourt, 04/18/2012 12:18 pm

History

#1 Updated by Thomas Bétrancourt over 2 years ago

In the attachment, the output of the openssl command.

#2 Updated by Anonymous over 2 years ago

  • Status changed from Unreviewed to Needs More Information

This isn’t a Puppet problem, so much as an OpenSSL problem. Your client presumably isn’t advertising TLSv1, but the server will only accept it.

Puppet doesn’t change the default configuration, which should normally default to allowing TLS, but perhaps not on your system. In any case, relaxing the server to accept SSLv3 will resolve your issue.
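An added example (not part of the original ticket and not Puppet's own code) that reproduces this class of failure on loopback with Ruby's openssl library: a server and a client whose allowed protocol versions do not overlap. Current OpenSSL builds no longer offer SSLv3, so TLS 1.2 and TLS 1.3 stand in for the SSLv3/TLSv1 pair discussed here; the helper names `self_signed` and `handshake` are assumptions of this example.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed certificate (constructed for this demo only).
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One loopback handshake: server capped at server_max, client refusing
# anything below client_min. Returns the negotiated version string, or the
# client's OpenSSL error message when the handshake is rejected.
def handshake(server_max, client_min)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = self_signed('localhost')
  sctx.max_version = server_max
  tcp = TCPServer.new('127.0.0.1', 0)
  acceptor = Thread.new do
    OpenSSL::SSL::SSLServer.new(tcp, sctx).accept.close
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
    nil # server side of a rejected handshake; the client reports it
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.min_version = client_min
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # demo cert is self-signed
  raw = TCPSocket.new('127.0.0.1', tcp.addr[1])
  ssl = OpenSSL::SSL::SSLSocket.new(raw, cctx)
  ssl.connect
  ssl.ssl_version
rescue OpenSSL::SSL::SSLError => e
  e.message
ensure
  acceptor&.join(2)
  raw&.close
  tcp&.close
end

if __FILE__ == $PROGRAM_NAME
  puts handshake(OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_2_VERSION)
  puts handshake(OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_3_VERSION)
end
```

The second call fails on the client with the same "tlsv1 alert protocol version" reason that appears in the ticket title, because the alert is sent by the server as soon as it finds no protocol version in common.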

#3 Updated by Thomas Bétrancourt over 2 years ago

Right.

I was using Webrick. When I set up the passenger module with apache2, I defined ssl parameters to accept SSLv3 and TLSv1.

All is fine now…

In my mind, the ticket can be closed. Sorry, and thanks for the support.

#4 Updated by James Turnbull over 2 years ago

  • Status changed from Needs More Information to Closed
