Re: [Puppet Users] Re: added puppet CA into the ruby environment

[Keyzer Suze]

Hi

Did that and mucked around some more and broke it :) so did a yum erase and
cleaned out /etc/puppetlabs directory

then reinstalled - got r10k working got yaml working and some other things
- packages

then tried puppetdb, but it keeps failing on ssl test - different this time

this is what i get from s_client
---
No client certificate CA names sent
---
SSL handshake has read 2505 bytes and written 337 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
B5EA0F1FBF08842917D3CC9340411B1482B2535D958FE72FDE0AE9E36E7C4F34
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573602368
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes


no ciphers !!!


this is my setup
   # Configure puppetdb and its underlying database
   class { 'puppetdb':
     manage_package_repo => false,
     manage_dbserver => false,
     #ssl_protocols => 'TLSv1.1,TLSv1.2',
     ssl_protocols => 'TLSv1.2',
     listen_address => '0.0.0.0',
     manage_firewall => true,
     open_listen_port => true,
     open_ssl_listen_port => true,

     # disable_ssl => true,

   }

   # Configure the Puppet master to use puppetdb
   class { 'puppetdb::master::config':
      # puppetdb_disable_ssl => true,
   }


this is the telling it I think

2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for
InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for
InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for
InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for
InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]
2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite
TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for
InternalSslContextFactory@71c7554f
[provider=null,keyStore=null,trustStore=null]


and this is the jetty.ini
 cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
[jetty]
# IP address or hostname to listen for clear-text HTTP. To avoid resolution
# issues, IP addresses are recommended over hostnames.
# Default is `localhost`.
# host = <host>
host = 0.0.0.0

# Port to listen on for clear-text HTTP.
port = 8080

# The following are SSL specific settings. They can be configured
# automatically with the tool `puppetdb ssl-setup`, which is normally
# ran during package installation.

# IP address to listen on for HTTPS connections. Hostnames can also be used
# but are not recommended to avoid DNS resolution issues. To listen on all
# interfaces, use `0.0.0.0`.
ssl-host = 0.0.0.0

# The port to listen on for HTTPS connections
ssl-port = 8081

# Private key path
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem

# Public certificate path
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem

# Certificate authority path
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem

# Access logging configuration path. To turn off access logging
# comment out the line with `access-log-config=...`
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml

cipher-suites =
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
ssl-protocols = TLSv1.2


I'm guessing the ciphers are wrong or there is something wrong with the
cipher setup ?  Maybe It should be a ersa (the certs used for the eliptical
ciphers).  or maybe dh params are missing ?  I'm not sure - i would have
thought puppetdb would work out the box !

also I am using
 java -version
openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)

not  jdk8





On Tue, Nov 12, 2019 at 2:06 PM gramsa49 <axton.gr...@gmail.com> wrote:

> Check that the cert used by puppetdb matches the puppet ca.
>
> First the Puppet DB:
>
> root@puppettest1:~# openssl s_client -connect puppet:8140
> CONNECTED(00000005)
> depth=2 CN = Puppet Root CA: ed17137d0debfe
> verify error:num=19:self signed certificate in certificate chain
> ---
> Certificate chain
>  0 s:CN = puppet.x.org
>    i:CN = Puppet CA: puppet.x.org
>  1 s:CN = Puppet CA: puppet.x.org
>    i:CN = Puppet Root CA: ed17137d0debfe
>  2 s:CN = Puppet Root CA: ed17137d0debfe
>    i:CN = Puppet Root CA: ed17137d0debfe
>
> Then the local copy of the Puppet CA cert:
>
> root@puppettest1:~# ll /etc/puppetlabs/puppet/ssl/certs/ca.pem
> -rw-r--r-- 1 root root 3866 Oct 20 22:31 /etc/puppetlabs/puppet/ssl/certs/
> ca.pem
> root@puppettest1:~# openssl x509 -in
> /etc/puppetlabs/puppet/ssl/certs/ca.pem -text -noout
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN = Puppet Root CA: ed17137d0debfe
>         Validity
>             Not Before: Oct 17 20:04:48 2019 GMT
>             Not After : Oct 14 20:04:55 2034 GMT
>         Subject: CN = Puppet CA: puppet.x.org
>
> I believe that as long as the certificate used by Puppet DB is issued by
> the Puppet CA, the Puppet Agent will trust the certificate.
>
> Axton
>
> On Sunday, November 10, 2019 at 10:12:03 PM UTC-6, Keyzer Suze wrote:
>>
>> Hi
>>
>> I have just installed a new version of puppet (latest) in to centos 8.
>>
>> when i try and puppet agent --test it fails attempting to connect to
>> puppetdb - unable to verify cert.
>>
>> if i use wget (after i added the puppet ca into the OS root ca bundle) it
>> works
>>
>> where or how to i do the same for ruby ?
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/91467793-a23e-41ec-951f-b3443a1a6b6e%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/91467793-a23e-41ec-951f-b3443a1a6b6e%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CANmbM4EYyNMOg-f5uUdTqxBsetP3-zm6hyynHW5u_TMWjMxFcg%40mail.gmail.com.