The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #7224

Bad English: hostname was not match with the server certificate

Added by Mike Judge almost 3 years ago. Updated over 1 year ago.

Status: Accepted
Start date: 04/24/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: error reporting
Target version: -
Affected Puppet version: 2.7.0
Branch: https://github.com/puppetlabs/puppet/pull/907
Keywords: openssl certificates


Description

root@gobo:/etc/puppet# puppetd --test
err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Should be something like:

1) “hostname was not a match with the server certificate”
2) “hostname did not match the server certificate”
3) “all your base are belong to us” :)


Related issues

Related to Puppet - Bug #3120: 'localcacert' doesn't behave as described Closed 01/27/2010

History

#1 Updated by James Turnbull almost 3 years ago

  • Status changed from Unreviewed to Needs More Information
  • Assignee set to Nigel Kersten

I have a vague memory you fixed this Nigel?

#2 Updated by Nigel Kersten almost 3 years ago

  • Status changed from Needs More Information to Accepted
  • Assignee deleted (Nigel Kersten)
  • Target version set to 2.7.x

No, I started chasing down rabbit holes, was told there was a better way at a higher level, but couldn’t figure it out cleanly.

This will be in the backlog for next iteration.

#3 Updated by Brice Figureau almost 3 years ago

To my knowledge this is an exception message coming directly from the ruby openssl exception. Rewriting it would require catching the exact same exception, and rethrowing it with a different message… This looks clumsy to me, especially to locate where the exception should be caught…

#4 Updated by Nick Lewis almost 3 years ago

  • Status changed from Accepted to Merged - Pending Release

Fixed in commit:6ae3538a58eaa116762141759a88e0e9ad964ebb in 2.7.x.

The error message will now specify what the hostname was, and what the certname and certdnsnames allowed/expected were.

#5 Updated by Michael Stahnke almost 3 years ago

  • Assignee set to Nick Lewis
  • Keywords set to openssl certificates

#6 Updated by Jacob Helwig almost 3 years ago

  • Target version changed from 2.7.x to 2.7.1

#7 Updated by Michael Stahnke almost 3 years ago

  • Status changed from Merged - Pending Release to Closed
  • Target version changed from 2.7.1 to 2.7.0

This is available in the 2.7 series.

#8 Updated by Jeff McCune almost 2 years ago

  • Status changed from Closed to Re-opened
  • Assignee deleted (Nick Lewis)
  • Target version deleted (2.7.0)

Re-opening

I’m re-opening this because I discovered we got the implementation slightly wrong.

While investigating #3120 I discovered we’re picking the wrong certificate when displaying the more helpful error message. This results in this message being displayed:

err: Could not retrieve catalog from remote server: Server hostname 'maynard' did not match server certificate; expected jeff mccune root authority/c=us/st=oregon/l=portland/o=puppet labs/ou=jeff mccune/emailaddress=jeff@puppetlabs.com

As you can see, the list of “expected names” appears to be the full subject of a CA certificate, not a list of valid DNS names from an SSL server certificate.

This error is caused by this logic: https://github.com/puppetlabs/puppet/commit/99330fa5#L2R97

I’m re-opening this as a Yak to shave once I finish my investigation of #3120 as part of the support goalie work this week.

#9 Updated by Jeff McCune almost 2 years ago

  • Category set to SSL
  • Target version set to 2.7.x
  • Affected Puppet version set to 2.7.0

#10 Updated by Jeff McCune almost 2 years ago

Suggested Fix

Before I context switch back to #3120 here’s my suggested fix:

When using a CA chain rather than a single self-signed CA, peer_certs will be an ordered array. The SSL server certificate should be the last item in the array (it needs to be verified that this will always be the case).

If the SSL server certificate is always the last item in the peer certificate list then simply grab it:

1.8.7 :001 > pp peer_certs
[#<Puppet::SSL::Certificate:0x10c9de678
  @content=
   #<OpenSSL::X509::Certificate subject=/CN=Jeff McCune Root Authority/C=US/ST=Oregon/L=Portland/O=Puppet Labs/OU=Jeff McCune/emailAddress=jeff@puppetlabs.com, issuer=/CN=Jeff McCune Root Authority/C=US/ST=Oregon/L=Portland/O=Puppet Labs/OU=Jeff McCune/emailAddress=jeff@puppetlabs.com, serial=14758815617093903059, not_before=Thu Jul 05 17:47:47 UTC 2012, not_after=Mon Jun 29 17:47:47 UTC 2037>,
  @name=
   "jeff mccune root authority/c=us/st=oregon/l=portland/o=puppet labs/ou=jeff mccune/emailaddress=jeff@puppetlabs.com">,
 #<Puppet::SSL::Certificate:0x10c9de3d0
  @content=
   #<OpenSSL::X509::Certificate subject=/C=US/ST=Oregon/O=Puppet Labs/OU=Jeff McCune/CN=Jeff McCune Signing Authority/emailAddress=jeff@puppetlabs.com, issuer=/CN=Jeff McCune Root Authority/C=US/ST=Oregon/L=Portland/O=Puppet Labs/OU=Jeff McCune/emailAddress=jeff@puppetlabs.com, serial=1, not_before=Thu Jul 05 17:53:57 UTC 2012, not_after=Tue Jul 04 17:53:57 UTC 2017>,
  @name=
   "/c=us/st=oregon/o=puppet labs/ou=jeff mccunejeff mccune signing authority/emailaddress=jeff@puppetlabs.com">,
 #<Puppet::SSL::Certificate:0x10c9de0b0
  @content=
   #<OpenSSL::X509::Certificate subject=/C=US/ST=Oregon/O=Puppet Labs/OU=Jeff McCune/CN=Puppet CA maynard2.localdomain/emailAddress=jeff@puppetlabs.com, issuer=/C=US/ST=Oregon/O=Puppet Labs/OU=Jeff McCune/CN=Jeff McCune Signing Authority/emailAddress=jeff@puppetlabs.com, serial=2, not_before=Thu Jul 05 17:59:01 UTC 2012, not_after=Tue Jul 04 17:59:01 UTC 2017>,
  @name=
   "/c=us/st=oregon/o=puppet labs/ou=jeff mccunepuppet ca maynard2.localdomain/emailaddress=jeff@puppetlabs.com">,
 #<Puppet::SSL::Certificate:0x10c9ddd18
  @content=
   #<OpenSSL::X509::Certificate subject=/CN=maynard2, issuer=/C=US/ST=Oregon/O=Puppet Labs/OU=Jeff McCune/CN=Puppet CA maynard2.localdomain/emailAddress=jeff@puppetlabs.com, serial=3, not_before=Wed Jul 04 19:04:49 UTC 2012, not_after=Tue Jul 04 19:04:49 UTC 2017>,
  @name="maynard2">]
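An added illustration of the fix proposed in #10, written for this page rather than taken from Puppet's code or from pull request 907: instead of assuming the server certificate is the last element of peer_certs (the reversed-chain case shows why that assumption picks the CA, which is exactly the wrong-certificate message from #8), it selects the end-entity certificate structurally, the one that issued nothing else in the chain, and builds the “expected one of” message from that certificate's CN and DNS subjectAltNames. The three-level chain, the CA names, the hostnames and the 2048-bit keys are constructed in memory for the example and are not from a real deployment; the helper names (make_cert, leaf_certificate, expected_names, verify_hostname!) are the example's own.

```ruby
require 'openssl'

class HostnameMismatch < StandardError; end

# Build one X.509v3 certificate. issuer_cert/issuer_key are nil for a self-signed root.
# (Example helper, not Puppet's CA code.)
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed root -> intermediate -> leaf chain, in the order a server would
# present it. All names here are illustrative (assumption, not real data).
def demo_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Example Root CA', root_key, 1, ca: true)
  int  = make_cert('/CN=Example Signing CA', int_key, 2, issuer_cert: root, issuer_key: root_key, ca: true)
  leaf = make_cert('/CN=maynard2', leaf_key, 3, issuer_cert: int, issuer_key: int_key,
                   san: 'DNS:maynard2,DNS:puppet,DNS:puppet.example.com')
  [root, int, leaf]
end

# The end-entity certificate is the one whose subject issued nothing else in the
# chain. That holds whatever order the peer sent the chain in, and for a lone
# self-signed certificate it returns that certificate.
def leaf_certificate(chain)
  leaves = chain.select do |c|
    chain.none? { |o| !o.equal?(c) && o.issuer.to_der == c.subject.to_der }
  end
  raise ArgumentError, 'could not identify a single end-entity certificate' unless leaves.size == 1
  leaves.first
end

# Names the certificate is valid for: the subject CN plus any DNS subjectAltNames.
def expected_names(cert)
  names = []
  cn = cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
  names << cn[1] if cn
  san = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  if san
    san.value.split(',').map(&:strip).each do |entry|
      names << entry.sub(/\ADNS:/, '') if entry.start_with?('DNS:')
    end
  end
  names.uniq
end

# Exact, case-insensitive comparison (no wildcard handling, by design here).
def hostname_matches?(hostname, cert)
  expected_names(cert).any? { |name| name.casecmp(hostname).zero? }
end

# Raise the message shape the spec in this ticket expects, built from the leaf,
# not from whichever certificate happens to sit last in the array.
def verify_hostname!(hostname, chain)
  cert = leaf_certificate(chain)
  return true if hostname_matches?(hostname, cert)
  raise HostnameMismatch,
        "Server hostname '#{hostname}' did not match server certificate; " \
        "expected one of #{expected_names(cert).join(', ')}"
end

if __FILE__ == $0
  chain = demo_chain
  puts "last item of reversed chain: #{chain.reverse.last.subject}" # the root CA: the wrong pick
  puts "structurally chosen leaf:    #{leaf_certificate(chain.reverse).subject}"
  begin
    verify_hostname!('maynard', chain)
  rescue HostnameMismatch => e
    puts e.message
  end
end
```

Note that this example only checks the name binding; chain signature validation, validity periods and revocation are left to the TLS layer, as they are in the ticket's scenario where verification of the hostname is the last step to fail.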

#11 Updated by Jeff McCune almost 2 years ago

  • Status changed from Re-opened to In Topic Branch Pending Review
  • Branch set to https://github.com/puppetlabs/puppet/pull/907

Fixed for chained certificates

One line fix with much more work in the spec tests.

https://github.com/puppetlabs/puppet/pull/907

#12 Updated by Daniel Pittman over 1 year ago

  • Status changed from In Topic Branch Pending Review to Tests Insufficient

Tests fail for me after hand-merging the code:

⚡ rspec spec/unit/indirector/rest_spec.rb 
  1) Puppet::Indirector::REST when making http requests when verification fails with a CA chain Certificate Chain: peer_cert_one_self_signed_ca.pem should provide a helpful error message when hostname was not match with server certificate
     Failure/Error: expect { @searcher.http_request(:get, stub('request')) }.to(
       expected Puppet::Error with message matching /Server hostname 'my_server' did not match server certificate; expected one of (.+)/, got #>
     # ./spec/unit/indirector/rest_spec.rb:146:in `expect_helpful_error'
     # ./spec/unit/indirector/rest_spec.rb:136

  2) Puppet::Indirector::REST when making http requests when verification fails with a CA chain Certificate Chain: peer_cert_three_ca_chain.pem should provide a helpful error message when hostname was not match with server certificate
     Failure/Error: expect { @searcher.http_request(:get, stub('request')) }.to(
       expected Puppet::Error with message matching /Server hostname 'my_server' did not match server certificate; expected one of (.+)/, got #
     # ./spec/unit/indirector/rest_spec.rb:146:in `expect_helpful_error'
     # ./spec/unit/indirector/rest_spec.rb:136

  101/101:     100% |==========================================| Time: 00:00:00

Finished in 0.75071 seconds
101 examples, 2 failures

#13 Updated by Jeff McCune over 1 year ago

  • Status changed from Tests Insufficient to Accepted

Next actions

Rebase the pull request at https://github.com/puppetlabs/puppet/pull/907 against master and resubmit.

Putting this back to accepted in case someone else gets to this.

-Jeff

#14 Updated by Jeff McCune over 1 year ago

  • Category changed from SSL to error reporting
  • Target version deleted (2.7.x)
