
Error message for certificate name mismatch is clear as mud


Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • PUP 5.3.3
    • PUP 6.4.2
    • None
    • Normal
    • 3 - 25-50% of Customers
    • 2 - Annoyance
    • 2 - $$$
    • Making any error messages more useful is always encouraged. These errors are common and just feel like we know it, but we need a better error message.
    • Bug Fix
    • Puppet agents printed a cryptic error message when connecting to an SSL server whose certificate did not match the hostname the agent tried to connect to. This was a regression when running on ruby 2.4 or later, due to differences in how ruby reports the mismatched certificate. Puppet has been updated so it prints the expected error message.
    • Needs Assessment

    Description

      A common error in enterprise environments is a mismatch between the server setting on the agent and the common name of the master's cert / its DNS alt names.

      Today, if this situation occurs the error message the agent prints is as clear as mud. For example:

      # You can't tell, but for this run server=master.tld
      # 
      [root@aws-1 ssl]# puppet agent -t
      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=master-1.tld]
      Info: Retrieving pluginfacts
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=master-1.tld]
      ...
      

      This error message is INCREDIBLY unhelpful. There's kinda-sorta a reference to the master's certificate being master-1.tld, but you can't see in the message that the configured server is master.tld. There's also no reference to other valid alt names.

      What we want:

      The error message should clearly state something along the lines of

      Error: Unable to validate server certificate. Expected "master.tld":
        server certificate common name "master-1.tld" does not match
        server certificate alt name "puppet" does not match
        server certificate alt name "master" does not match
        server certificate alt name "master-alt.tld" does not match
      
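      An added example, not Puppet's own code, of how an agent could build the message proposed above in Ruby: it collects the subject CN and the DNS subjectAltName entries from the server certificate, checks each one against the configured server name, and lists every name that failed. The certificate builder constructs a throwaway self-signed cert so the example runs offline; the names used are the ones from this ticket.

```ruby
require 'openssl'

# Constructed self-signed cert for this example; a real agent gets it from the server.
def build_test_cert(cn, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  san = alt_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# One presented name vs. the expected host: case-insensitive, wildcard only as the leftmost label.
def name_matches?(presented, expected)
  if presented.start_with?('*.')
    labels = expected.split('.', 2)
    labels.size == 2 && labels[1].casecmp?(presented[2..-1])
  else
    presented.casecmp?(expected)
  end
end

# Every name the server presented: the subject CN plus each DNS alt name.
def presented_names(cert)
  cn = cert.subject.to_a.find { |n, _, _| n == 'CN' }
  names = cn ? [['common name', cn[1]]] : []
  cert.extensions.select { |e| e.oid == 'subjectAltName' }.each do |ext|
    ext.value.split(',').map(&:strip).each do |entry|
      names << ['alt name', entry.sub('DNS:', '')] if entry.start_with?('DNS:')
    end
  end
  names
end

# nil when some presented name matches; otherwise the message this ticket asks for.
def hostname_mismatch_message(cert, expected)
  names = presented_names(cert)
  return nil if names.any? { |_, value| name_matches?(value, expected) }
  lines = ["Unable to validate server certificate. Expected \"#{expected}\":"]
  names.each { |kind, value| lines << "  server certificate #{kind} \"#{value}\" does not match" }
  lines.join("\n")
end
```

      Note that this accepts a CN match even when DNS alt names are present, whereas RFC 6125 validators (including Ruby's OpenSSL::SSL.verify_certificate_identity) ignore the CN in that case; a production check should decide acceptance the strict way and use the full list only for the message.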

            People

              josh Josh Cooper
              reid Reid Vandewiele