Hi Did that and mucked around some more and broke it :) so did a yum erase and cleaned out /etc/puppetlabs directory
then reinstalled - got r10k working got yaml working and some other things - packages then tried puppetdb, but it keeps failing on ssl test - different this time this is what i get from s_client --- No client certificate CA names sent --- SSL handshake has read 2505 bytes and written 337 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: B5EA0F1FBF08842917D3CC9340411B1482B2535D958FE72FDE0AE9E36E7C4F34 Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1573602368 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: yes no ciphers !!! this is my setup # Configure puppetdb and its underlying database class { 'puppetdb': manage_package_repo => false, manage_dbserver => false, #ssl_protocols => 'TLSv1.1,TLSv1.2', ssl_protocols => 'TLSv1.2', listen_address => '0.0.0.0', manage_firewall => true, open_listen_port => true, open_ssl_listen_port => true, # disable_ssl => true, } # Configure the Puppet master to use puppetdb class { 'puppetdb::master::config': # puppetdb_disable_ssl => true, } this is the telling it I think 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f [provider=null,keyStore=null,trustStore=null] and this is the jetty.ini cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini [jetty] # IP address or hostname to listen for clear-text HTTP. To avoid resolution # issues, IP addresses are recommended over hostnames. # Default is `localhost`. # host = <host> host = 0.0.0.0 # Port to listen on for clear-text HTTP. port = 8080 # The following are SSL specific settings. They can be configured # automatically with the tool `puppetdb ssl-setup`, which is normally # ran during package installation. # IP address to listen on for HTTPS connections. Hostnames can also be used # but are not recommended to avoid DNS resolution issues. To listen on all # interfaces, use `0.0.0.0`. ssl-host = 0.0.0.0 # The port to listen on for HTTPS connections ssl-port = 8081 # Private key path ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem # Public certificate path ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem # Certificate authority path ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem # Access logging configuration path. To turn off access logging # comment out the line with `access-log-config=...` access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" ssl-protocols = TLSv1.2 I'm guessing the ciphers are wrong or there is something wrong with the cipher setup ? Maybe It should be a ersa (the certs used for the eliptical ciphers). or maybe dh params are missing ? I'm not sure - i would have thought puppetdb would work out the box ! also I am using java -version openjdk version "11.0.5" 2019-10-15 LTS OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS) OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing) not jdk8 On Tue, Nov 12, 2019 at 2:06 PM gramsa49 <axton.gr...@gmail.com> wrote: > Check that the cert used by puppetdb matches the puppet ca. > > First the Puppet DB: > > root@puppettest1:~# openssl s_client -connect puppet:8140 > CONNECTED(00000005) > depth=2 CN = Puppet Root CA: ed17137d0debfe > verify error:num=19:self signed certificate in certificate chain > --- > Certificate chain > 0 s:CN = puppet.x.org > i:CN = Puppet CA: puppet.x.org > 1 s:CN = Puppet CA: puppet.x.org > i:CN = Puppet Root CA: ed17137d0debfe > 2 s:CN = Puppet Root CA: ed17137d0debfe > i:CN = Puppet Root CA: ed17137d0debfe > > Then the local copy of the Puppet CA cert: > > root@puppettest1:~# ll /etc/puppetlabs/puppet/ssl/certs/ca.pem > -rw-r--r-- 1 root root 3866 Oct 20 22:31 /etc/puppetlabs/puppet/ssl/certs/ > ca.pem > root@puppettest1:~# openssl x509 -in > /etc/puppetlabs/puppet/ssl/certs/ca.pem -text -noout > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 2 (0x2) > Signature Algorithm: sha256WithRSAEncryption > Issuer: CN = Puppet Root CA: ed17137d0debfe > Validity > Not Before: Oct 17 20:04:48 2019 GMT > Not After : Oct 14 20:04:55 2034 GMT > Subject: CN = Puppet CA: puppet.x.org > > I believe that as long as the certificate used by Puppet DB is issued by > the Puppet CA, the Puppet Agent will trust the certificate. > > Axton > > On Sunday, November 10, 2019 at 10:12:03 PM UTC-6, Keyzer Suze wrote: >> >> Hi >> >> I have just installed a new version of puppet (latest) in to centos 8. >> >> when i try and puppet agent --test it fails attempting to connect to >> puppetdb - unable to verify cert. >> >> if i use wget (after i added the puppet ca into the OS root ca bundle) it >> works >> >> where or how to i do the same for ruby ? >> >> -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/91467793-a23e-41ec-951f-b3443a1a6b6e%40googlegroups.com > <https://groups.google.com/d/msgid/puppet-users/91467793-a23e-41ec-951f-b3443a1a6b6e%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CANmbM4EYyNMOg-f5uUdTqxBsetP3-zm6hyynHW5u_TMWjMxFcg%40mail.gmail.com.