Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-17

'Could not generate DH keypair' when issuing HTTPS requests to certain servers

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Normal
          • Resolution: Fixed
          • Affects Version/s: None
          • Fix Version/s: SERVER 6.0.0
          • Component/s: None
          • Labels:
            None
          • Release Notes:
            Not Needed
          • Release Notes Summary:
            Hide
            That this was fixed was found when reviewing existing known issues in our documentation. Since this appears to have been resolved some time ago this PR includes the removal of it from our known issues: https://github.com/puppetlabs/puppetserver/pull/1815
            Show
            That this was fixed was found when reviewing existing known issues in our documentation. Since this appears to have been resolved some time ago this PR includes the removal of it from our known issues: https://github.com/puppetlabs/puppetserver/pull/1815

            Description

            From puppet-dev:

            The only hitch I've had was with the Foreman report processor, which
            makes an HTTPS connection to Apache with mod_ssl. On new OSes with
            modern mod_ssl versions (e.g. EL7 or Ubuntu 14.04), the report processor
            fails to make an HTTPS connection from the JVM with the error:

            2014-09-26 08:56:09,984 ERROR [puppet-server] Report processor failed:
            Could not send report to Foreman at
            https://foreman.example.com/api/reports: Could not generate DH keypair
            ["sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)", ...]

            This is a well-known problem between JVM clients and recent mod_ssl
            versions, as the DH prime length supported by the JVM is limited.
            Adding the DH parameter limits to the server's certificate worked around
            the problem.

            http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh

            Java 8 worked slightly better in that it accepts 2048 bit parameters,
            but the default combination is still a problem. I guess it might affect
            others using HTTPS from the master.

              Attachments

                Issue Links

                relates to

                Task - A task that needs to be done. SERVER-136 docs for new client ssl configuration

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                  Activity

                    People

                    • Assignee:
                      Unassigned
                      Reporter:
                      chris Chris Price
                      QA Contact:
                      Erik Dasher
                    • Votes:
                      5 Vote for this issue
                      Watchers:
                      22 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:

                        Zendesk Support