Bug#924005: client certificate verification regression with puppetdb
Control: severity -1 normal

On Fri, 8 Mar 2019 09:59:14 +0100 Stefan Bühler wrote:

> Package: jetty9
> Version: 9.4.15-1
> Severity: important
>
> Hi.
>
> The update (libjetty9-java and libjetty9-extra-java) to 9.4.15-1 broke
> our puppetdb setup; a downgrade to 9.4.14-1 fixes the issue.
>
> I can't see any (new/useful/related) error message in the puppetdb log.
>
> The error message from our puppetmaster is:
>
> Error connecting to puppet-db.XXX on 8081 at route /pdb/cmd/v1?..., error message received was 'SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown'. Failing over to the next PuppetDB server_url in the 'server_urls' list

[...]

As Manfred Stock has already mentioned in this bug report, the breakage was caused by a change in Jetty 9.4.15 which disabled Endpoint Identification by default and the switch to HTTPS. This apparently caused a problem with Puppet. To me it seems this is merely a configuration problem on the Puppet side and a workaround exists.

I leave this bug report open for future reference, but I feel there is nothing we can do to improve the situation in Buster from the Jetty point of view.

Markus
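For reference, an added example (not code from the bug thread, Jetty or trapperkeeper-webserver-jetty9) of how a Jetty 9.4 server that authenticates clients by certificate, as PuppetDB does, is set up with the server-specific `SslContextFactory.Server` rather than the deprecated base `SslContextFactory`, so that the server-side TLS settings do not depend on the base class's endpoint identification default. Keystore paths and passwords are placeholders.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MutualTlsServer {

    // Builds a Jetty server whose only connector requires a client certificate
    // signed by the CA in the trust store (mutual TLS, as between puppetmaster
    // and PuppetDB). Paths and passwords below are placeholders.
    public static Server build(int port) {
        Server server = new Server();

        // Server-side factory: it carries the server's own key pair and the CA
        // used to verify client certificates. Using the Server subclass (present
        // since Jetty 9.4.15) instead of the base SslContextFactory keeps the
        // server from inheriting client-oriented defaults.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/example/server-keystore.p12");   // placeholder
        ssl.setKeyStorePassword("changeit");                       // placeholder
        ssl.setTrustStorePath("/etc/example/ca-truststore.p12");   // placeholder
        ssl.setTrustStorePassword("changeit");                     // placeholder
        ssl.setNeedClientAuth(true);   // reject handshakes without a client cert

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);
        // Exposes the verified client certificate to request handlers.
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8081);
        server.start();
        server.join();
    }
}
```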
Bug#924005: client certificate verification regression with puppetdb
Source: jetty9
Followup-For: Bug #924005

Hi,

I noticed that I also have this problem and managed to solve it by patching the libtrapperkeeper-webserver-jetty9-clojure package with a commit [1] from a branch that was recently merged into the upstream trapperkeeper-webserver-jetty9-clojure repo. In the meantime, I've created a bug report against libtrapperkeeper-webserver-jetty9-clojure [2] with a patch that includes this upstream patch.

Kind regards
Manfred

[1] https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/9db4170381e07165078e544340e12b38676c2613
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930562

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect