puppet agent can't obtain catalogs

Bug #986649 reported by PeterNSteinmetz
Affects: puppet (Ubuntu) | Status: Expired | Importance: Low | Assigned to: Unassigned | Milestone: none

Bug Description

For puppet 2.7.1-1ubuntu3.5~maverick1 running on maverick server, the agent fails to be able to obtain catalogs from the puppetmaster, due to a failure to validate the ca certificate.

This is a dangerous bug as it appears when following the instructions in the server guide for installing puppet and is just silent, in the sense that there is nothing normally in the logs. It only appears if one checks whether the changes are being propagated or runs the puppet agent with a command like:

sudo puppetd agent --no-daemonize --verbose --debug

which will show something like:

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert bad certificate
notice: Using cached catalog
err: Could not retrieve catalog; skipping run

after retrieving the signed ca certificate.

It is NOT due to a problem with time syncing, as can be verified by checking the validity time of the certificate with a command like:

sudo openssl x509 -text -noout -in /etc/puppet/ssl/certs/ca.pem

and ensuring that the not before time lies in the future.

It is likely due to an inability of the ruby puppet application to properly verify the ca certificate. See for example this now closed bug at puppetlabs:

http://projects.puppetlabs.com/issues/14067

This page contains a fair amount of useful information about puppet's use of certificates:
http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security
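The validity-window check the report describes, as an added helper script that is not part of the bug report or of Puppet itself: it wraps the `openssl x509 -noout -dates` command on the agent's CA certificate and classifies the result against the current time, so clock skew can be ruled in or out before suspecting the Ruby verification path. The certificate path is the default Ubuntu location quoted in the report; the sample openssl output in the comments is constructed.

```python
"""Classify a Puppet agent's CA certificate validity window (added example)."""
import subprocess
from datetime import datetime, timezone

CA_CERT = "/etc/puppet/ssl/certs/ca.pem"  # default location from the report


def parse_openssl_dates(text):
    """Parse 'notBefore=...'/'notAfter=...' lines from `openssl x509 -dates`.

    Constructed sample input:
        notBefore=Apr 22 10:00:00 2012 GMT
        notAfter=Apr  2 10:00:00 2017 GMT   (openssl space-pads single-digit days)
    Returns a (not_before, not_after) pair of timezone-aware UTC datetimes.
    """
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # strptime treats a space in the format as "one or more spaces",
            # so the padded day form parses too; %Z accepts GMT but sets no tzinfo.
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("openssl output lacks notBefore/notAfter lines")
    return dates["notBefore"], dates["notAfter"]


def classify_validity(not_before, not_after, now=None):
    """Return 'not_yet_valid', 'expired' or 'valid' for the given instant (default: now)."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        # Either the agent clock lags the master, or the CA was issued in the future.
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def check_cert(path=CA_CERT):
    """Run openssl on a PEM certificate file and classify its validity window."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path],
                          capture_output=True, text=True, check=True)
    return classify_validity(*parse_openssl_dates(proc.stdout))


if __name__ == "__main__":
    print(CA_CERT, check_cert())
```

A result of "valid" for ca.pem means the SSL failure above is not a clock problem, which matches the reporter's reasoning.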

Tags: puppet server
Micah Gersten (micahg)
no longer affects: maverick-backports
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Maverick was end of lifed on April 10, 2012, but the same upstream version is being used on Lucid, Natty and Oneiric. Could you please check to see if this bug exists in the current stable release (Oneiric)?

And which version of puppetmaster are you running?

Thanks!

Changed in puppet (Ubuntu):
status: New → Incomplete
Robie Basak (racb) wrote :

I wonder if this is related to https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2012-April/013591.html and bug 965371 or 986147?

Peter, in addition to the version of puppet and puppetmaster, could you also please report the version of openssl on both client and server?

James Page (james-page)
Changed in puppet (Ubuntu):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

[Expired for puppet (Ubuntu) because there has been no activity for 60 days.]

Changed in puppet (Ubuntu):
status: Incomplete → Expired