So this seems to be a regression in openssl-1.0.1e-15.el6.x86_64. The reason why this works for JDK 7 is because we've had issues with the ECC based ciphers in the past, and had to pin JDK 7 to non-ECC ciphers.
However we had the anticipation that this might be something that would come back, so we provided a configuration option to override this. Alas, the solution without downgrading openssl or upgrading to JDK 7 is to add the following line to your jetty.ini:

cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5

... and then restart your puppetdb instance.

We're looking into a permanent solution now. Of course, upgrade to JDK 7 is a good idea regardless, so I would recommend that first. In the very near future we are looking to deprecate JDK 6 anyway, so better to move now rather than later.

ken.

On Thu, Nov 28, 2013 at 4:04 PM, Ken Barber <[email protected]> wrote:
> Okay, so this problem seems prolific now. Would you mind raising a
> redmine ticket on this?
>
> http://projects.puppetlabs.com/projects/puppetdb
>
>
> On Thu, Nov 28, 2013 at 3:59 PM, Matthias Saou <[email protected]> wrote:
>> On Wed, 27 Nov 2013 09:48:52 -0700
>> Deepak Giridharagopal <[email protected]> wrote:
>>
>>> On Nov 27, 2013, at 9:11 AM, Jonathan Gazeley
>>> <[email protected]> wrote:
>>>
>>> > Hmm, well I removed java-1.6.0-openjdk and installed
>>> > java-1.7.0-openjdk. Reinstalled puppetdb, which pulled
>>> > java-1.6.0-openjdk back in again, so the two javas were installed
>>> > simultaneously. Restarted puppetdb and puppetmaster and everything
>>> > works again.... I have no idea what was wrong.
>>>
>>> Hmm, pulling in an older version jdk despite the presence of a newer
>>> one smells like a bug to me...can you file one against PuppetDB?
>>>
>>> We're touching that code right now, as we're actually in the process
>>> of deprecating use of JDK 1.6 with PuppetDB. So the upgrade situation
>>> you describe is something we should try and test.
>>
>> FWIW, I just did a "yum update" on a RHEL 6 puppet master, which got
>> all updates from RHEL 6.5, and I started seeing failed puppet runs with
>> the exact same symptoms.
>>
>> This is initially with puppet 3.3.2 and puppetdb 1.4.0.
>>
>> Restarting the services didn't help. Rebooting the server to make sure
>> all new system libs were used didn't help either.
>> Updating to puppetdb 1.5.2 and running /usr/sbin/puppetdb-ssl-setup -f
>> didn't help (still the exact same message).
>>
>> But this fixed it :
>>
>> yum install java-1.7.0-openjdk.x86_64
>> service puppetdb restart
>>
>> Previously, I had only java-1.6.0-openjdk installed, and it had been
>> updated. I'm guessing the update broke something related to SSL. After
>> installing 1.7.0, alternatives automatically updated all java related
>> paths to make 1.7.0 the default, and puppetdb seems to work fine with
>> it.
>>
>> So if you're running PuppetDB on RHEL (or any clone), then make sure
>> you have the right version of Java available for it.
>>
>> Matthias
>>
>> --
>> Matthias Saou
>> Web: http://matthias.saou.eu/
>> Mail/XMPP: [email protected]
>> GPG: 4096R/E755CC63
>>      8D91 7E2E F048 9C9C 46AF 21A9 7A51 7B82 E755 CC63
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/20131128165900.4b11f270%40r2d2.marmotte.net.
>> For more options, visit https://groups.google.com/groups/opt_out.
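Added example, not part of the thread or of PuppetDB's code: a Python check that reads the `cipher-suites` override from a jetty.ini, confirms no ECC-based suite remains enabled, and lists the pinned suites that rely on RC4, 3DES or an MD5 MAC so they can be revisited once the permanent fix lands. The `[jetty]` section name and the function names are assumptions.

```python
import configparser

# Constructed sample: the override line from the message, under a [jetty]
# section header (the section name is an assumption, not shown in the thread).
SAMPLE_INI = """[jetty]
cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,\
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,\
SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5
"""

# Substrings of JSSE suite names that identify legacy primitives.
LEGACY_MARKERS = {"_RC4_": "RC4", "_3DES_": "3DES", "_MD5": "MD5 MAC"}


def read_suites(ini_text, section="jetty", key="cipher-suites"):
    """Return the configured suite names in order; [] if the key is unset."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    raw = parser.get(section, key, fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def audit_suites(suites):
    """Report ECC-based suites, suites with legacy primitives, and the rest."""
    report = {"ecc": [], "legacy": {}, "other": []}
    for name in suites:
        # The key exchange sits before _WITH_, e.g. TLS_ECDHE_RSA_WITH_...
        key_exchange = name.split("_WITH_")[0]
        is_ecc = "ECDH" in key_exchange
        reasons = [label for marker, label in LEGACY_MARKERS.items() if marker in name]
        if is_ecc:
            report["ecc"].append(name)
        if reasons:
            report["legacy"][name] = reasons
        if not is_ecc and not reasons:
            report["other"].append(name)
    return report


if __name__ == "__main__":
    result = audit_suites(read_suites(SAMPLE_INI))
    print("ECC suites still enabled:", result["ecc"] or "none")
    for suite, why in result["legacy"].items():
        print(f"legacy: {suite} ({', '.join(why)})")
```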
