Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-17

'Could not generate DH keypair' when issuing HTTPS requests to certain servers

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Epic Link:
    • Team:
      Froyo
    • Release Notes:
      Not Needed
    • Release Notes Summary:
      Hide
      That this was fixed was found when reviewing existing known issues in our documentation. Since this appears to have been resolved some time ago this PR includes the removal of it from our known issues: https://github.com/puppetlabs/puppetserver/pull/1815
      Show
      That this was fixed was found when reviewing existing known issues in our documentation. Since this appears to have been resolved some time ago this PR includes the removal of it from our known issues: https://github.com/puppetlabs/puppetserver/pull/1815

      Description

      From puppet-dev:

      The only hitch I've had was with the Foreman report processor, which
      makes an HTTPS connection to Apache with mod_ssl. On new OSes with
      modern mod_ssl versions (e.g. EL7 or Ubuntu 14.04), the report processor
      fails to make an HTTPS connection from the JVM with the error:

      2014-09-26 08:56:09,984 ERROR [puppet-server] Report processor failed:
      Could not send report to Foreman at
      https://foreman.example.com/api/reports: Could not generate DH keypair
      ["sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)", ...]

      This is a well-known problem between JVM clients and recent mod_ssl
      versions, as the DH prime length supported by the JVM is limited.
      Adding the DH parameter limits to the server's certificate worked around
      the problem.

      http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh

      Java 8 worked slightly better in that it accepts 2048 bit parameters,
      but the default combination is still a problem. I guess it might affect
      others using HTTPS from the master.

        Attachments

          Issue Links

          relates to

          Task - A task that needs to be done. SERVER-136 docs for new client ssl configuration

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              chris Chris Price
              QA Contact:
              Erik Dasher
              Votes:
              5 Vote for this issue
              Watchers:
              22 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support