The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #14067

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version

Added by Thomas Bétrancourt about 4 years ago. Updated about 4 years ago.

Status:ClosedStart date:04/18/2012
Priority:HighDue date:
Assignee:-% Done:


Target version:-
Affected Puppet version:2.7.13 Branch:

We've Moved!

Ticket tracking is now hosted in JIRA:


I have a puppet server (CentOS 6.2 / puppet opensource 2.7.13) : I have a puppet client (CentOS 6.2 / puppet opensource 2.7.13) : : this client is syncing fine with the server

On, i’ve a virtual machine with CentOS 6.2 / puppet opensource 2.7.13 too. When i’m trying to sync this machine with the puppet server, i’m getting the above error (title of isssue).

I’m using the openssl command openssl s_client -host puppet -port 8140 -cert /var/lib/puppet/ssl/certs/$(hostname -f).pem -key /var/lib/puppet/ssl/private_keys/$(hostname -f).pem -CAfile /var/lib/puppet/ssl/certs/ca.pem which confirms the issue.

On the server, the certificate is nicely generated. The server is configured to auto-sign cert requests.

openssl_verify_puppet.txt Magnifier (3.63 KB) Thomas Bétrancourt, 04/18/2012 12:18 pm


#1 Updated by Thomas Bétrancourt about 4 years ago

In the attachment, the output of the openssl command.

#2 Updated by Anonymous about 4 years ago

  • Status changed from Unreviewed to Needs More Information

This isn’t a Puppet problem, so much as an OpenSSL problem. Your client presumably isn’t advertising TLSv1, but the server will only accept it.

Puppet doesn’t change the default configuration, which should normally default to allowing TLS, but perhaps not on your system. In any case, relaxing the server to accept SSLv3 will resolve your issue.

#3 Updated by Thomas Bétrancourt about 4 years ago


I was using Webrick. When i set up the passenger module with apache2, i’ve defined ssl parameters to accept SSLv3 and TLSv1.

All is fine now…

In my mind, the ticket can be closed. Sorry, and thanks for the support

#4 Updated by James Turnbull about 4 years ago

  • Status changed from Needs More Information to Closed

Also available in: Atom PDF