Details
- Bug
- Status: Resolved
- Normal
- Resolution: Fixed
- PDB 6.6.0, PDB 6.7.0
- CentOS 7
- PuppetDB
- Needs Assessment
- Bug Fix
- PuppetDB 6.6.0 was released with a restricted set of cipher suites that could prevent connecting to Puppet Server using TLSv1.0 and TLSv1.1. This restores the cipher suites required to connect to Puppet Server on those older TLS versions.
- Needs Assessment
Description
Fresh install with the following components:
- puppet-agent-6.9.0-1.el7.x86_64
- puppetserver-6.6.0-1.el7.noarch
- puppetdb-6.6.0-1.el7.noarch
- puppetdb-termini-6.6.0-1.el7.noarch
Puppet Server fails to connect to PuppetDB and compile a catalog:
# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for master.localdomain: Failed to find facts from PuppetDB at master.localdomain:8140: Failed to execute '/pdb/query/v4/nodes/master.localdomain/facts' on at least 1 of the following 'server_urls': https://master.localdomain:8081
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=cff02e6fb7cbf363fd52eac951b5c42e09a0718a&version=5&certname=master.localdomain&command=replace_facts&producer-timestamp=2019-09-25T00:14:42.328Z' on at least 1 of the following 'server_urls': https://master.localdomain:8081
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Workaround
The workaround is to manually set PuppetDB's cipher-suites setting to the following list:
cipher-suites="SSL_CK_DES_192_EDE3_CBC_WITH_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
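To see which entries in a `cipher-suites` value can actually serve a TLSv1.0 or TLSv1.1 handshake, the following added example (not part of the original ticket or of PuppetDB) buckets suite names by the TLS versions they can be negotiated on. The function names and both sample lines are constructed for illustration; the TLS 1.2-only sample is an assumption and not the actual PuppetDB 6.6.0 default.

```python
import re

# Suites defined for TLS 1.2 and later: a SHA-256/SHA-384 PRF hash or an AEAD
# cipher. They cannot be negotiated on TLSv1.0 or TLSv1.1.
TLS12_ONLY = re.compile(r"(_SHA256|_SHA384|_CCM(_8)?)$|_GCM_|CHACHA20")
# Suites with a SHA-1 or MD5 MAC predate TLS 1.2 and work on every TLS version.
LEGACY_MAC = re.compile(r"_(SHA|MD5)$")


def parse_cipher_suites(line):
    """Return the suite names from a 'cipher-suites=...' setting line."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "cipher-suites":
        raise ValueError("not a cipher-suites setting: %r" % line[:40])
    names = (n.strip() for n in value.strip().strip('"\'').split(","))
    return [n for n in names if n]


def classify(suite):
    """Bucket one suite name by the TLS versions it can serve."""
    if not suite.startswith("TLS_"):
        return "unclassified"  # e.g. SSLv2-style names; review these by hand
    if TLS12_ONLY.search(suite):
        return "tls1.2-only"
    if LEGACY_MAC.search(suite):
        return "tls1.0+"
    return "unclassified"


def audit(line):
    """Group a setting's suites by bucket, preserving configured order."""
    report = {"tls1.0+": [], "tls1.2-only": [], "unclassified": []}
    for suite in parse_cipher_suites(line):
        report[classify(suite)].append(suite)
    return report


# Constructed samples; suite names are taken from the workaround list above.
TLS12_ONLY_SAMPLE = ('cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,'
                     'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"')
WORKAROUND_SUBSET = ('cipher-suites="SSL_CK_DES_192_EDE3_CBC_WITH_SHA,'
                     'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,'
                     'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"')

if __name__ == "__main__":
    for label, line in (("tls1.2-only sample", TLS12_ONLY_SAMPLE),
                        ("workaround subset", WORKAROUND_SUBSET)):
        usable = audit(line)["tls1.0+"]
        print(label, "-> usable on TLSv1.0/1.1:", usable or "none")
```

An empty `tls1.0+` bucket means a peer limited to TLSv1.0 or TLSv1.1 has no suite in common with the listener, so the handshake fails before any HTTP request is made.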
Issue Links
- causes: PDB-4623 Default cipher-suites for Jetty result in two ciphers not being recognized (Resolved)