Details
Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Component: Agent
Story Points: 3
Sprint: Agent 2017-05-31
Release Notes: Not Needed
Release Notes Summary: We updated a test to account for differences in how Ruby 2.4 handles SSL peer verification. No user-visible changes.
QA Risk Assessment: Automate
QA Risk Assessment Reason: We should see about automating the testing of bad certificates.
Description
When running the Puppet acceptance test suite with Ruby 2.4.1, one test fails: https://github.com/puppetlabs/puppet/blob/master/acceptance/tests/helpful_error_message_when_hostname_not_match_server_certificate.rb, with the following output:

Test Case tests/helpful_error_message_when_hostname_not_match_server_certificate.rb reported: #<Beaker::DSL::Outcomes::FailTest:
Expected Server hostname 'hquif3c5f1yylte\.delivery\.puppetlabs\.net' did not match server certificate; expected one of foobar_not_my_hostname, (.*)$ to match 'Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]

This appears to be the result of the SSL error being raised at a different point than before. The test expects the specialized error message produced when post_connection_check fails (see https://github.com/ruby/ruby/blob/ruby_2_4/ext/openssl/lib/openssl/ssl.rb#L291, called from https://github.com/ruby/ruby/blob/b3209c258eddc093ffdcbf77ee079cdc93f094ae/lib/net/http.rb#L950), but with Ruby 2.4 the connection appears to fail two lines earlier, with the stack trace pointing at https://github.com/ruby/ruby/blob/ruby_2_4/lib/net/protocol.rb#L44, which calls into C code.
We need to figure out whether the failure is due to a change in Ruby's error checking or to a misconfiguration. If the error checking has changed, we may need to update the logic at https://github.com/puppetlabs/puppet/blob/master/lib/puppet/network/http/connection.rb#L226-L234, if possible, so that it uses the new output and still prints the helpful error message.
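The two failure points described above, reproduced as an added example (this is not code from the ticket or from Puppet). Ruby 2.4 shipped openssl gem 2.0, which added SSLContext#verify_hostname; when it is enabled and SSLSocket#hostname is set, the name check runs inside the handshake's verify callback, so a certificate with a mismatched CN makes SSLSocket#connect raise the generic "certificate verify failed" before post_connection_check is ever reached. The script starts a throwaway loopback TLS server presenting a self-signed certificate for CN=foobar_not_my_hostname (constructed in memory), connects to it as 'localhost' first with verify_hostname off and then on, and reports which stage raised. It also installs a verify callback to show that on the new path the client still sees the peer's subject and the verification error, which is what a helpful message would need. The name 'localhost', the loopback server and all function names are assumptions of the example; it needs Ruby 2.4 or newer.

```ruby
require 'openssl'
require 'socket'

# Added example (not Puppet's code). A self-signed certificate whose CN deliberately
# does not match the host the client connects to, like the CN=foobar_not_my_hostname
# certificate in the failing acceptance test. Built in memory; nothing is read from disk.
def make_mismatched_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Throwaway TLS server on loopback presenting that certificate. It keeps accepting,
# because a client that rejects the certificate makes accept raise on the server side.
def start_server(cert, key)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = cert
  sctx.key  = key
  listener = OpenSSL::SSL::SSLServer.new(TCPServer.new('127.0.0.1', 0), sctx)
  port = listener.to_io.addr[1]
  thread = Thread.new do
    loop do
      begin
        listener.accept.close
      rescue IOError
        break            # listener closed by stop_server
      rescue StandardError
        next             # handshake aborted by the client; keep serving
      end
    end
  end
  [port, listener, thread]
end

def stop_server(listener, thread)
  listener.close
  thread.join(2) || thread.kill
end

# Connect as a verifying client and report where the name mismatch surfaces:
#   :handshake             - inside SSLSocket#connect (Ruby 2.4 with verify_hostname on)
#   :post_connection_check - after the handshake (what the Puppet test expected)
# The verify callback records what the client can still learn about the peer
# certificate at handshake time, which is what a helpful error message would need.
def connect_and_classify(port, trusted_cert, hostname, verify_hostname:)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store      = store
  ctx.verify_hostname = verify_hostname   # needs Ruby >= 2.4 (openssl gem 2.0)
  seen = []
  ctx.verify_callback = proc do |ok, store_ctx|
    seen << { ok: ok, error: store_ctx.error_string,
              subject: store_ctx.current_cert.subject.to_s }
    ok
  end
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = hostname   # SNI name, and the name verify_hostname checks against
  begin
    ssl.connect
  rescue OpenSSL::SSL::SSLError => e
    return { stage: :handshake, message: e.message, seen: seen }
  end
  begin
    ssl.post_connection_check(hostname)
    { stage: :ok, message: nil, seen: seen }
  rescue OpenSSL::SSL::SSLError => e
    { stage: :post_connection_check, message: e.message, seen: seen }
  end
ensure
  tcp.close if tcp && !tcp.closed?
end

# Run both client configurations against the same misnamed server.
def compare_failure_stages(cn: 'foobar_not_my_hostname', hostname: 'localhost')
  cert, key = make_mismatched_cert(cn)
  port, listener, thread = start_server(cert, key)
  begin
    { before_2_4: connect_and_classify(port, cert, hostname, verify_hostname: false),
      ruby_2_4:   connect_and_classify(port, cert, hostname, verify_hostname: true) }
  ensure
    stop_server(listener, thread)
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_failure_stages.each do |label, r|
    puts "#{label}: raised at #{r[:stage]}: #{r[:message]}"
    puts "  verify callback last saw: #{r[:seen].last.inspect}"
  end
end
```

net/http turns verify_hostname on through SSLContext#set_params, whose defaults (SSLContext::DEFAULT_PARAMS) enable it, so any client that relied on catching the post_connection_check exception to build its message never reaches that code with Ruby 2.4. The callback output shows the alternative: the chain result and the peer's subject are available during the handshake, so the message can be built from the verify callback (or from the error raised by connect) instead.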