Puppet / PUP-7503

helpful_error_message_when_hostname_not_match_server_certificate test fails with Ruby 2.4

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.0.0
    • Component/s: None
    • Labels:
      None
    • Acceptance Criteria:
      Puppet continues to print a helpful error message when the configured hostname does not match the server certificate.
    • Team:
      Agent
    • Story Points:
      3
    • Sprint:
      Agent 2017-05-31
    • Release Notes:
      Not Needed
    • Release Notes Summary:
      We updated a test to account for differences in how Ruby 2.4 handles SSL peer verification. No user-visible changes.
    • QA Risk Assessment:
      Automate
    • QA Risk Assessment Reason:
      We should see about automating the testing of bad certificates

      Description

      When running the puppet acceptance test suite with Ruby 2.4.1, one test fails: https://github.com/puppetlabs/puppet/blob/master/acceptance/tests/helpful_error_message_when_hostname_not_match_server_certificate.rb, with the following output:

       Test Case tests/helpful_error_message_when_hostname_not_match_server_certificate.rb reported: #<Beaker::DSL::Outcomes::FailTest:
      Expected Server hostname 'hquif3c5f1yylte\.delivery\.puppetlabs\.net' did not match server certificate; expected one of foobar_not_my_hostname, (.*)$ to match 'Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
      Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
      Warning: Not using cache on failed catalog
      Error: Could not retrieve catalog; skipping run
      Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=foobar_not_my_hostname]
      

      This appears to be the result of SSL erroring in a different spot than previously; the test expects a specialized error message from post_connection_check (see https://github.com/ruby/ruby/blob/ruby_2_4/ext/openssl/lib/openssl/ssl.rb#L291, called from https://github.com/ruby/ruby/blob/b3209c258eddc093ffdcbf77ee079cdc93f094ae/lib/net/http.rb#L950), but with Ruby 2.4, it appears to be failing two lines earlier, with the error stacktrace pointing to this line: https://github.com/ruby/ruby/blob/ruby_2_4/lib/net/protocol.rb#L44, which calls out to C code.

      We need to figure out if the failure is due to a change in Ruby's error checking or a matter of misconfiguration. If the error checking has changed, we may need to update the logic here https://github.com/puppetlabs/puppet/blob/master/lib/puppet/network/http/connection.rb#L226-L234, if possible, to use the new output to still print the helpful error message.
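
Added example, not Puppet's code and not part of the ticket: one way a caller could turn a handshake-time `certificate verify failed` error back into the hostname-mismatch message the test expects, by rechecking the peer certificate with `OpenSSL::SSL.verify_certificate_identity`. The helper names, the agent hostname `agent.example.test` and the self-signed certificate are constructed for illustration, and how the peer certificate is captured during a failed handshake is assumed.

```ruby
require 'openssl'

# Constructed fixture: a self-signed certificate with the names seen in the ticket's log.
def build_cert(cn, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  san = alt_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Every name the certificate claims: subject CN plus DNS subjectAltName entries.
def certificate_names(cert)
  cn = cert.subject.to_a.select { |oid, _| oid == 'CN' }.map { |_, value| value }
  san = cert.extensions.select { |e| e.oid == 'subjectAltName' }
            .flat_map { |e| e.value.split(/\s*,\s*/) }
            .select { |n| n.start_with?('DNS:') }
            .map { |n| n.sub('DNS:', '') }
  (cn + san).uniq
end

# Hypothetical helper: rewrite a verify failure only when the peer certificate
# really does not cover the configured host; otherwise return the error unchanged.
def helpful_ssl_error(message, peer_cert, host)
  return message unless message.include?('certificate verify failed')
  return message if peer_cert.nil?
  return message if OpenSSL::SSL.verify_certificate_identity(peer_cert, host)
  "Server hostname '#{host}' did not match server certificate; " \
    "expected one of #{certificate_names(peer_cert).join(', ')}"
end

# Constructed sample in the shape of the Ruby 2.4 output quoted in the ticket.
SAMPLE_ERROR = 'SSL_connect returned=1 errno=0 state=error: ' \
               'certificate verify failed: [ok for /CN=foobar_not_my_hostname]'
SAMPLE_CERT = build_cert('foobar_not_my_hostname', %w[foobar_not_my_hostname puppet])
puts helpful_ssl_error(SAMPLE_ERROR, SAMPLE_CERT, 'agent.example.test')
```

The identity check says nothing about whether the chain was trusted, so the original OpenSSL error should still be logged alongside the rewritten message.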

              People

              Assignee: qa
              Reporter: Maggie Dreyer
              QA Contact: Eric Delaney