This is my puppetdb/jetty configuration:

agrams@puppet:~$ sudo cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
[sudo] password for agrams:
[jetty]
host = localhost
ssl-host = 0.0.0.0
ssl-port = 8081
ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
ssl-protocols = TLSv1.2
port = 8080

I used these instructions to install and configure Puppet DB:
https://puppet.com/docs/puppetdb/latest/install_via_module.html

I am also using openjdk 11, not java 8, without issue.

agrams@puppet:~$ ps -ef |grep java
agrams   19172 18819  0 18:44 pts/0    00:00:00 grep --color=auto java
puppet   30754     1  0 Oct26 ?        07:31:10 /usr/bin/java -Xms2G -Xmx2G -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar:/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/facter.jar:/opt/puppetlabs/server/data/puppetserver/jars/* clojure.main -m puppetlabs.trapperkeeper.main --config /etc/puppetlabs/puppetserver/conf.d --bootstrap-config /etc/puppetlabs/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/ --restart-file /opt/puppetlabs/server/data/puppetserver/restartcounter
puppetdb 31910     1  0 Oct18 ?        01:41:06 /usr/bin/java -Xmx192m -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetdb/puppetdb.jar clojure.main -m puppetlabs.puppetdb.cli.services --config /etc/puppetlabs/puppetdb/conf.d --bootstrap-config /etc/puppetlabs/puppetdb/bootstrap.cfg --restart-file /opt/puppetlabs/server/data/puppetdb/restartcounter
agrams@puppet:~$ /usr/bin/java -version
openjdk version "11.0.4" 2019-07-16
OpenJDK Runtime Environment (build 11.0.4+11-post-Ubuntu-1ubuntu218.04.3)
OpenJDK 64-Bit Server VM (build 11.0.4+11-post-Ubuntu-1ubuntu218.04.3, mixed mode, sharing)

I'm running Puppet 6.7:

agrams@puppet:~$ dpkg -l |grep puppet |grep -v foreman
ii  puppet-agent          6.10.1-1bionic  amd64  The Puppet Agent package contains all of the elements needed to run puppet, including ruby, facter, and hiera.
ii  puppet-agent-oauth    0.5.1-2         all    OAuth Core Ruby implementation for Puppet Agent
ii  puppet-bolt           1.37.0-1bionic  amd64  Stand alone task runner
ii  puppet6-release       6.0.0-5bionic   all    Release packages for the Puppet 6 repository
ii  puppetdb              6.7.1-1bionic   all    Puppet Labs puppetdb
ii  puppetdb-termini      6.7.1-1bionic   all    Termini for puppetdb
ii  puppetserver          6.7.1-1bionic   all    Puppet Labs puppetserver
ii  ruby-kafo             3.0.0-1         all    Ruby gem for making installations based on puppet user friendly
ii  ruby-puppet-forge     2.2.9-2         all    Access the Puppet Forge API from Ruby
ii  ruby-semantic-puppet  1.0.2-1         all    Useful tools for working with semantic versions with Puppet

Is the s_client output you shared the full output? What parameters did you pass to s_client?

Puppet DB uses the Puppet Agent certificate for authentication. This is how you can authenticate using the cert/key, and trust the Puppet CA. This is what I would expect to see.

root@puppet:~# openssl s_client -connect puppet.x.org:8081 -cert /etc/puppetlabs/puppet/ssl/certs/puppet.x.org.pem -key /etc/puppetlabs/puppet/ssl/private_keys/puppet.x.org.pem -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem
CONNECTED(00000005)
depth=2 CN = Puppet Root CA: ed17137d0debfe
verify return:1
depth=1 CN = Puppet CA: puppet.x.org
verify return:1
depth=0 CN = puppet.x.org
verify return:1
---
Certificate chain
 0 s:CN = puppet.x.org
   i:CN = Puppet CA: puppet.x.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFxDCCA6ygAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDDCJQdXBw
...
-----END CERTIFICATE-----
subject=CN = puppet.x.org
issuer=CN = Puppet CA: puppet.x.org
---
Acceptable client certificate CA names
CN = Puppet Root CA: ed17137d0debfe
CN = Puppet CA: puppet.x.org
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2606 bytes and written 5355 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA256
    Session-ID: F1D1F26Dx...
    Session-ID-ctx:
    Master-Key: F64D39x...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573606413
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

These are the relevant configs:

root@puppet:~# /opt/puppetlabs/puppet/bin/puppet config print |egrep '(^ca|^cert|\.pem|db|storeconfigs|fore)'
ca_fingerprint =
ca_name = Puppet CA: puppet.x.org
ca_port = 8140
ca_server = puppet.x.org
ca_ttl = 157680000
cacert = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
cacrl = /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
cadir = /etc/puppetlabs/puppet/ssl/ca
cakey = /etc/puppetlabs/puppet/ssl/ca/ca_key.pem
capub = /etc/puppetlabs/puppet/ssl/ca/ca_pub.pem
catalog_cache_terminus =
catalog_terminus = compiler
cert_inventory = /etc/puppetlabs/puppet/ssl/ca/inventory.txt
certdir = /etc/puppetlabs/puppet/ssl/certs
certificate_revocation = chain
certname = puppet.x.org
hostcert = /etc/puppetlabs/puppet/ssl/certs/puppet.x.org.pem
hostcrl = /etc/puppetlabs/puppet/ssl/crl.pem
hostcsr = /etc/puppetlabs/puppet/ssl/csr_puppet.x.org.pem
hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/puppet.x.org.pem
hostpubkey = /etc/puppetlabs/puppet/ssl/public_keys/puppet.x.org.pem
localcacert = /etc/puppetlabs/puppet/ssl/certs/ca.pem
reports = foreman
storeconfigs = false
storeconfigs_backend = puppetdb

I am using Foreman as well, but merely for viewing agent status, reports, etc.

What does '/opt/puppetlabs/puppet/bin/puppet agent -t --debug' show?
Looking at the Puppet DB access logs, I see the following 2 request/response pairs:

x.x.x.116 - - [12/Nov/2019:19:18:50 -0600] "POST /pdb/cmd/v1?checksum=xxx&version=5&certname=puppettest1.x.org&command=replace_facts&producer-timestamp=2019-11-13T01:18:50.100Z HTTP/1.1" 200 53 "-" "Apache-HttpAsyncClient/4.1.4 (Java/11.0.4)" 6
x.x.x.116 - - [12/Nov/2019:19:18:51 -0600] "POST /pdb/cmd/v1?checksum=xxx&version=9&certname=puppettest1.x.org&command=replace_catalog&producer-timestamp=2019-11-13T01:18:51.829Z HTTP/1.1" 200 53 "-" "Apache-HttpAsyncClient/4.1.4 (Java/11.0.4)" 6

The interesting bit here is that the IP address of the client in the Puppet DB log is the puppet master, not the agent.

In my configuration above, I have storeconfigs = false. Maybe this is a difference.

Axton

On Tuesday, November 12, 2019 at 5:50:09 PM UTC-6, Keyzer Suze wrote:
>
> Hi
>
> Did that and mucked around some more and broke it :) so did a yum erase
> and cleaned out /etc/puppetlabs directory
>
> then reinstalled - got r10k working, got yaml working and some other things
> - packages
>
> then tried puppetdb, but it keeps failing on ssl test - different this time
>
> this is what I get from s_client
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2505 bytes and written 337 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: B5EA0F1FBF08842917D3CC9340411B1482B2535D958FE72FDE0AE9E36E7C4F34
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1573602368
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: yes
>
>
> no ciphers !!!
>
>
> this is my setup
>
> # Configure puppetdb and its underlying database
> class { 'puppetdb':
>   manage_package_repo  => false,
>   manage_dbserver      => false,
>   #ssl_protocols       => 'TLSv1.1,TLSv1.2',
>   ssl_protocols        => 'TLSv1.2',
>   listen_address       => '0.0.0.0',
>   manage_firewall      => true,
>   open_listen_port     => true,
>   open_ssl_listen_port => true,
>
>   # disable_ssl => true,
>
> }
>
> # Configure the Puppet master to use puppetdb
> class { 'puppetdb::master::config':
>   # puppetdb_disable_ssl => true,
> }
>
>
> this is the telling bit I think
>
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN  [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
>
>
> and this is the jetty.ini
>
> cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
> [jetty]
> # IP address or hostname to listen for clear-text HTTP. To avoid resolution
> # issues, IP addresses are recommended over hostnames.
> # Default is `localhost`.
> # host = <host>
> host = 0.0.0.0
>
> # Port to listen on for clear-text HTTP.
> port = 8080
>
> # The following are SSL specific settings. They can be configured
> # automatically with the tool `puppetdb ssl-setup`, which is normally
> # ran during package installation.
>
> # IP address to listen on for HTTPS connections. Hostnames can also be used
> # but are not recommended to avoid DNS resolution issues. To listen on all
> # interfaces, use `0.0.0.0`.
> ssl-host = 0.0.0.0
>
> # The port to listen on for HTTPS connections
> ssl-port = 8081
>
> # Private key path
> ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
>
> # Public certificate path
> ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
>
> # Certificate authority path
> ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
>
> # Access logging configuration path. To turn off access logging
> # comment out the line with `access-log-config=...`
> access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
>
> cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
> ssl-protocols = TLSv1.2
>
>
> I'm guessing the ciphers are wrong or there is something wrong with the
> cipher setup? Maybe it should be a ersa (the certs used for the elliptical
> ciphers), or maybe DH params are missing? I'm not sure - I would have
> thought puppetdb would work out of the box!
>
> also I am using
> java -version
> openjdk version "11.0.5" 2019-10-15 LTS
> OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)
>
> not jdk8
>
>
> On Tue, Nov 12, 2019 at 2:06 PM gramsa49 <[email protected]> wrote:
>
>> Check that the cert used by puppetdb matches the puppet ca.
>>
>> First the Puppet DB:
>>
>> root@puppettest1:~# openssl s_client -connect puppet:8140
>> CONNECTED(00000005)
>> depth=2 CN = Puppet Root CA: ed17137d0debfe
>> verify error:num=19:self signed certificate in certificate chain
>> ---
>> Certificate chain
>>  0 s:CN = puppet.x.org
>>    i:CN = Puppet CA: puppet.x.org
>>  1 s:CN = Puppet CA: puppet.x.org
>>    i:CN = Puppet Root CA: ed17137d0debfe
>>  2 s:CN = Puppet Root CA: ed17137d0debfe
>>    i:CN = Puppet Root CA: ed17137d0debfe
>>
>> Then the local copy of the Puppet CA cert:
>>
>> root@puppettest1:~# ll /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> -rw-r--r-- 1 root root 3866 Oct 20 22:31 /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> root@puppettest1:~# openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -text -noout
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 2 (0x2)
>>         Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: CN = Puppet Root CA: ed17137d0debfe
>>         Validity
>>             Not Before: Oct 17 20:04:48 2019 GMT
>>             Not After : Oct 14 20:04:55 2034 GMT
>>         Subject: CN = Puppet CA: puppet.x.org
>>
>> I believe that as long as the certificate used by Puppet DB is issued by
>> the Puppet CA, the Puppet Agent will trust the certificate.
>>
>> Axton
>>
>> On Sunday, November 10, 2019 at 10:12:03 PM UTC-6, Keyzer Suze wrote:
>>>
>>> Hi
>>>
>>> I have just installed a new version of puppet (latest) into CentOS 8.
>>>
>>> when I try and puppet agent --test it fails attempting to connect to
>>> puppetdb - unable to verify cert.
>>>
>>> if I use wget (after I added the puppet ca into the OS root ca bundle)
>>> it works
>>>
>>> where or how do I do the same for ruby?
>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/91467793-a23e-41ec-951f-b3443a1a6b6e%40googlegroups.com
>> .
>>
>

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/cf8f96da-16a5-4771-9fbe-318b20aebe7e%40googlegroups.com.
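The thread's three s_client transcripts each stop at a different point, and the tell is which lines are present rather than the "Verify return code". The script below is an added example, not code from the thread or from PuppetDB: it reads an s_client transcript and reports how far the handshake got. The three transcripts embedded in it are constructed excerpts modelled on the ones posted above (hostnames and paths are the thread's). One caveat worth noting from Axton's own working handshake: it negotiated DHE-RSA-AES128-SHA256 with a 1024-bit DH temp key, and OpenSSL clients running at security level 2 (the CentOS 8 DEFAULT crypto policy) refuse DH parameters shorter than 2048 bits with "dh key too small". That is one way to end up with "Verification: OK" followed by "Cipher is (NONE)" and only a ClientHello written; the script flags it, but only the -msg output from the failing host can confirm it.

```python
"""Triage an `openssl s_client` transcript taken against a PuppetDB SSL port.

Added example, not code from the thread or from PuppetDB. The transcripts
below are constructed excerpts modelled on the ones posted in the thread
(hostnames and paths are the thread's); the rules encode what each
s_client line means, they do not diagnose the poster's setup.
"""
import re
from typing import Dict, List

# Constructed: modelled on the failing transcript. Server cert verified,
# no cipher negotiated, and no CertificateRequest CA names printed.
ABORTED = """\
No client certificate CA names sent
---
SSL handshake has read 2505 bytes and written 337 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

# Constructed: modelled on the working transcript run with -cert/-key/-CAfile.
COMPLETED = """\
depth=0 CN = puppet.x.org
verify return:1
---
Acceptable client certificate CA names
CN = Puppet Root CA: ed17137d0debfe
CN = Puppet CA: puppet.x.org
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA256
    Verify return code: 0 (ok)
"""

# Constructed: modelled on the port-8140 probe run without -CAfile.
UNTRUSTED = """\
depth=2 CN = Puppet Root CA: ed17137d0debfe
verify error:num=19:self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
"""


def triage(transcript: str) -> Dict[str, object]:
    """Report how far the handshake got and what to try next."""
    verify_err = re.search(r"^verify error:num=(\d+):(.*)$", transcript, re.M)
    new_line = re.search(r"^New, (\S+), Cipher is (\S+)", transcript, re.M)
    cipher = new_line.group(2) if new_line else None
    temp_key = re.search(r"Server Temp Key: (\w+), (\d+) bits", transcript)
    ca_names_seen = "Acceptable client certificate CA names" in transcript
    actions: List[str] = []
    result: Dict[str, object] = {"cipher": cipher, "actions": actions}

    if verify_err:
        # Chain building failed: this client does not trust the Puppet CA.
        result["stage"] = "server certificate not trusted"
        actions.append("pass -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem "
                       f"(verify error {verify_err.group(1)}: {verify_err.group(2)})")
        return result

    if cipher in (None, "(NONE)"):
        # The server cert was received and verified, then the handshake died.
        result["stage"] = "aborted after server certificate was verified"
        if not ca_names_seen:
            actions.append("no CertificateRequest was parsed, so the abort happened "
                           "while processing the server's first flight (e.g. its "
                           "ServerKeyExchange parameters), not during client auth")
        actions.append("re-run with -cert/-key from /etc/puppetlabs/puppet/ssl and "
                       "-msg to see the last handshake message before the alert")
        return result

    result["stage"] = "handshake completed"
    if temp_key:
        kind, bits = temp_key.group(1), int(temp_key.group(2))
        result["temp_key"] = (kind, bits)
        if kind == "DH" and bits < 2048:
            # OpenSSL security level 2 (e.g. the CentOS 8 DEFAULT crypto policy)
            # refuses DH parameters under 2048 bits with "dh key too small".
            actions.append(f"{bits}-bit DH temp key: level-2 OpenSSL clients reject "
                           "it; prefer ECDHE suites or raise the JVM ephemeral DH size")
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        actions.append(f"{cipher} is a CBC suite (Jetty logs it as weak)")
    return result


if __name__ == "__main__":
    for name, text in (("aborted", ABORTED), ("completed", COMPLETED), ("untrusted", UNTRUSTED)):
        print(name, triage(text))
```

To use it on a live host, capture the transcript with `openssl s_client -connect puppet.x.org:8081 -cert ... -key ... -CAfile ... </dev/null 2>&1` and feed the text to `triage()`. The JVM property referred to in the DH action is `jdk.tls.ephemeralDHKeySize` (set on the PuppetDB java command line as `-Djdk.tls.ephemeralDHKeySize=2048`); whether it is needed at all depends on what the failing host's -msg output shows.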
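The jetty.ini posted twice in this thread offers 40 suites, and Jetty's "Weak cipher suite" warnings cover only the CBC ones; the list also carries suites a PuppetDB RSA certificate can never negotiate (DSS, ECDSA, SRP, static DH/ECDH) and RSA key-transport suites with no forward secrecy. The audit below is an added example, not code from the thread or from PuppetDB. It parses a `cipher-suites` line, decodes each suite by the IANA naming scheme, and writes back a hardened list. The sample ini is constructed from the thread's file with the suite list cut to a representative subset; the CBC rule is the one behind Jetty's warnings, the other two rules are this example's own.

```python
"""Audit the cipher-suites value from a PuppetDB jetty.ini.

Added example, not code from the thread or from PuppetDB. The sample ini is
constructed from the thread's jetty.ini with the cipher list cut down to a
representative subset. Suite names are decoded by the IANA naming scheme
TLS_<kx>[_<auth>]_WITH_<cipher>_<mode>[_<mac>]; the CBC rule is the one
behind Jetty's "Weak cipher suite" warnings in the thread, the other two
rules (forward secrecy, certificate key type) are this example's own.
"""
import configparser
import re
from typing import Dict, List

SAMPLE_JETTY_INI = """\
[jetty]
host = localhost
ssl-host = 0.0.0.0
ssl-port = 8081
cipher-suites = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256"
ssl-protocols = TLSv1.2
"""

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA|SRP_SHA)(?:_(?P<auth>RSA|DSS|ECDSA))?"
    r"_WITH_(?P<cipher>AES_128|AES_256|CHACHA20)_(?P<mode>GCM|CBC|POLY1305)"
    r"(?:_(?P<mac>SHA384|SHA256|SHA))?$"
)
CBC_WARNING = "CBC mode (Jetty logs 'Weak cipher suite' for these)"
NO_PFS = "no forward secrecy"


def parse_cipher_suites(ini_text: str) -> List[str]:
    """Return the suites listed in [jetty] cipher-suites, quotes stripped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("jetty", "cipher-suites", fallback="").strip().strip('"')
    return [s.strip() for s in raw.split(",") if s.strip()]


def classify(suite: str, server_key: str = "RSA") -> Dict[str, object]:
    """Decode one suite name and list the reasons not to offer it."""
    m = SUITE_RE.match(suite)
    if not m:
        return {"suite": suite, "problems": ["unrecognised suite name"]}
    kx, auth, mode = m["kx"], m["auth"], m["mode"]
    problems: List[str] = []
    if mode == "CBC":
        problems.append(CBC_WARNING)
    if kx == "RSA":                      # RSA key transport
        problems.append(NO_PFS)
    elif kx in ("DH", "ECDH"):           # static key inside the certificate
        problems.append(NO_PFS + " (and needs a DH/EC key in the certificate)")
    elif kx == "SRP_SHA":
        problems.append("SRP authenticates with password verifiers, not certificates")
    elif auth != server_key:             # e.g. ECDHE_ECDSA, DHE_DSS with an RSA cert
        problems.append(f"needs a {auth} certificate, server has {server_key}")
    return {"suite": suite, "kx": kx, "auth": auth, "mode": mode, "problems": problems}


def hardened_suites(suites: List[str], server_key: str = "RSA") -> List[str]:
    """Keep only clean suites, ECDHE first: the thread's successful handshake
    picked a DHE suite and ended up with a 1024-bit DH temp key, which ECDHE
    avoids entirely."""
    keep = [s for s in suites if not classify(s, server_key)["problems"]]
    return sorted(keep, key=lambda s: (not s.startswith("TLS_ECDHE_"), s))


def render(suites: List[str]) -> str:
    """Format a list back into a jetty.ini cipher-suites line."""
    return 'cipher-suites = "' + ",".join(suites) + '"'


if __name__ == "__main__":
    offered = parse_cipher_suites(SAMPLE_JETTY_INI)
    for info in map(classify, offered):
        print(f"{info['suite']:45} {'; '.join(info['problems']) or 'ok'}")
    print(render(hardened_suites(offered)))
```

Run against the full 40-suite list from the thread it keeps the ECDHE_RSA and DHE_RSA GCM suites and drops everything else; whether Jetty honours the server's order when both sides offer several suites is a separate setting not shown in the thread, so treat the ECDHE-first ordering as a preference, not a guarantee.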
