PuppetDB / PDB-4513

puppetserver fails to connect to puppetdb 6.6.0

    Details

    • Template:
    • Agent OS:
      CentOS 7
    • Master OS:
      CentOS 7
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      PuppetDB 6.6.0 was released with a restricted set of cipher suites that could prevent connecting to Puppet Server using TLSv1.0 and TLSv1.1. This restores the cipher suites required to connect to Puppet Server on those older TLS versions.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Fresh install with the following components

      puppet-agent-6.9.0-1.el7.x86_64
      puppetserver-6.6.0-1.el7.noarch
      puppetdb-6.6.0-1.el7.noarch
      puppetdb-termini-6.6.0-1.el7.noarch

      puppet server fails to connect to puppetdb and compile a catalog

      # puppet agent -t
      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for master.localdomain: Failed to find facts from PuppetDB at master.localdomain:8140: Failed to execute '/pdb/query/v4/nodes/master.localdomain/facts' on at least 1 of the following 'server_urls': https://master.localdomain:8081
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Retrieving locales
      Info: Loading facts
      Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=cff02e6fb7cbf363fd52eac951b5c42e09a0718a&version=5&certname=master.localdomain&command=replace_facts&producer-timestamp=2019-09-25T00:14:42.328Z' on at least 1 of the following 'server_urls': https://master.localdomain:8081
      Warning: Not using cache on failed catalog
      Error: Could not retrieve catalog; skipping run
      

      Workaround

      The workaround is to manually set PuppetDB's cipher-suites setting to the following list

      cipher-suites="SSL_CK_DES_192_EDE3_CBC_WITH_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
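To see why a trimmed cipher-suites value can lock out a TLSv1.0/TLSv1.1 peer, the sketch below groups suite names by the lowest protocol version that can negotiate them. It is an added example, not code from this ticket or from PuppetDB. It assumes the rule that AES suites whose name ends in _SHA256 or _SHA384 (CBC or GCM) need TLSv1.2 while suites ending in _SHA work from TLSv1.0, and the function names and sample value are constructed for illustration.

```python
# Added example. Constructed sample: a short excerpt of the workaround value above.
SAMPLE_SETTING = (
    'cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,'
    'TLS_RSA_WITH_AES_128_CBC_SHA256,'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,'
    'TLS_RSA_WITH_AES_128_CBC_SHA,'
    'SSL_CK_DES_192_EDE3_CBC_WITH_SHA"'
)

def parse_cipher_suites(setting):
    """Return suite names from a 'cipher-suites=...' line (quotes optional)."""
    value = setting.split("=", 1)[1] if "=" in setting else setting
    value = value.strip().strip("\"'")
    return [name.strip() for name in value.split(",") if name.strip()]

def min_tls_version(suite):
    """Lowest TLS version that can negotiate a TLS_<kx>_WITH_<cipher>_<mac> name."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return "unknown"  # e.g. SSLv2-style SSL_CK_* names or TLSv1.3 suites
    key_exchange, cipher_mac = suite[4:].split("_WITH_", 1)
    if cipher_mac.endswith("_SHA"):
        return "TLSv1.0"  # HMAC-SHA1 suites predate TLSv1.2
    if cipher_mac.endswith(("_SHA256", "_SHA384")):
        # Assumption: only classify non-PSK AES suites, the kind listed on this page.
        if "PSK" in key_exchange or not cipher_mac.startswith("AES_"):
            return "unknown"
        return "TLSv1.2"  # SHA-2 MAC and GCM suites were introduced with TLSv1.2
    return "unknown"

def group_by_min_version(setting):
    """Map each minimum version to the suites from the setting that need it."""
    groups = {"TLSv1.0": [], "TLSv1.2": [], "unknown": []}
    for suite in parse_cipher_suites(setting):
        groups[min_tls_version(suite)].append(suite)
    return groups

def usable_by_legacy_peer(setting):
    """True if at least one suite can be negotiated on TLSv1.0 or TLSv1.1."""
    return bool(group_by_min_version(setting)["TLSv1.0"])

if __name__ == "__main__":
    for version, suites in group_by_min_version(SAMPLE_SETTING).items():
        print(version, len(suites), suites)
```

A setting for which usable_by_legacy_peer returns False leaves a TLSv1.0/TLSv1.1-only client with no suite in common, which matches the failure mode the release note describes.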
      


              People

              • Assignee:
                austin.blatt Austin Blatt
                Reporter:
                vchepkov Vadym Chepkov
              • Votes:
                2
                Watchers:
                7
