Puppet / PUP-8213

Error message for certificate name mismatch is clear as mud

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 5.3.3
    • Fix Version/s: PUP 6.4.2
    • Component/s: None
    • CS Priority:
      Normal
    • CS Frequency:
      3 - 25-50% of Customers
    • CS Severity:
      2 - Annoyance
    • CS Business Value:
      2 - $$$
    • CS Impact:
      Making any error messages more useful is always encouraged. These errors are common and just feel like we know it, but we need a better error message.
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet agents printed a cryptic error message when connecting to an SSL server whose certificate did not match the hostname the agent tried to connect to. This was a regression when running on ruby 2.4 or later, due to differences in how ruby reports the mismatched certificate. Puppet has been updated so it prints the expected error message.
    • QA Risk Assessment:
      Needs Assessment

      Description

      A common error in enterprise environments is a mismatch between the server setting on the agent and the common name of the master's cert / its dns alt names.

      Today, if this situation occurs the error message the agent prints is as clear as mud. For example:

      # You can't tell, but for this run server=master.tld
      # 
      [root@aws-1 ssl]# puppet agent -t
      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=master-1.tld]
      Info: Retrieving pluginfacts
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=master-1.tld]
      ...
      

      This error message is INCREDIBLY unhelpful. There's kinda-sorta a reference to the master's certificate being master-1.tld, but you can't see in the message that the configured server is master.tld. There's also no reference to other valid alt names.

      What we want:

      The error message should clearly state something along the lines of

      Error: Unable to validate server certificate. Expected "master.tld":
        server certificate common name "master-1.tld" does not match
        server certificate alt name "puppet" does not match
        server certificate alt name "master" does not match
        server certificate alt name "master-alt.tld" does not match
      
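The check the reporter is asking for can be expressed directly with Ruby's openssl library, which is what the agent relies on. The following is an added example and not Puppet's own code: it builds a constructed self-signed certificate with the same common name and alt names as in the issue, runs Ruby's standard hostname check against the configured server name, and, on failure, assembles the kind of message requested above. The certificate contents and the helper names (`build_cert`, `explain_hostname_mismatch`) are assumptions made for this example.

```ruby
require 'openssl'

# Constructed self-signed certificate for the example: CN and DNS alt names
# mirror the ones in the issue; the key and validity window are throwaway.
def build_cert(cn, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = alt_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# DNS entries from the subjectAltName extension, or [] if there is none.
def subject_alt_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '') }
end

def common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# Returns nil when `expected` matches the certificate, otherwise a
# multi-line explanation listing every name the certificate does carry.
# OpenSSL::SSL.verify_certificate_identity is Ruby's stock check: it
# consults DNS alt names first and only falls back to the CN when the
# certificate has no DNS alt names (RFC 6125 behaviour); the CN is still
# listed in the message because it is what an operator looks for first.
def explain_hostname_mismatch(expected, cert)
  return nil if OpenSSL::SSL.verify_certificate_identity(cert, expected)
  lines = ["Unable to validate server certificate. Expected \"#{expected}\":"]
  lines << "  server certificate common name \"#{common_name(cert)}\" does not match"
  subject_alt_names(cert).each do |name|
    lines << "  server certificate alt name \"#{name}\" does not match"
  end
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  cert = build_cert('master-1.tld', %w[puppet master master-alt.tld])
  puts explain_hostname_mismatch('master.tld', cert)
end
```

Run stand-alone, the script prints the five-line message shown in the description. Reproducing the same check locally is also a quick way to confirm whether an agent's `server` setting really is the problem, since the message lists every name the server certificate would have accepted.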

                People

                • Assignee: Josh Cooper (josh)
                • Reporter: Reid Vandewiele (reid)