Hello,

Thank you for your reply. My PuppetDB is installed and managed by the puppetdb 
puppet module, and I haven't changed the certificates since its installation 
years ago (still valid for one year, though).
I will have a try with puppetdb ssl-setup later today.

What I have noticed with openssl is that, before and after the upgrade to 6.9, 
a few different ciphers are used.

echo QUIT | openssl s_client -connect puppetdb:8081 -host puppetdb -port 8081 -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem -status -state -showcerts 2>&1

diff -u s_client.65 s_client.69 
--- s_client.65 2020-04-27 16:54:53.887179070 +0200 
+++ s_client.69 2020-04-27 16:59:36.347189451 +0200 
@@ -16,7 +16,7 @@ 
SSL_connect:SSLv3/TLS write finished 
SSL3 alert read:fatal:bad certificate 
SSL_connect:error in error 
-139851809683264:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert 
bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42 
+139950036502336:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert 
bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42 
CONNECTED(00000003) 
OCSP response: no response sent 
--- 
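Review bot: the fatal "bad certificate" alert (SSL alert number 42) is present in both the 6.5 and 6.9 captures; the only difference in this hunk is the process-specific number prefixed to the OpenSSL error line, so this hunk shows no change in behaviour across the upgrade. Alert 42 is sent by the server when it rejects the client's certificate, and the s_client command above passes -CAfile but no -cert/-key, so what is being rejected is a connection that presents no client certificate at all. To test the path an agent actually takes, rerun with -cert and -key pointing at the host's certificate and private key from the same /etc/puppetlabs/puppet/ssl tree and compare the two versions again.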
@@ -69,12 +69,12 @@ 
Shared Requested Signature Algorithms: 
ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
 

Peer signing digest: SHA256 
Peer signature type: RSA 
-Server Temp Key: ECDH, P-256, 256 bits 
+Server Temp Key: DH, 1024 bits 
--- 
-SSL handshake has read 2217 bytes and written 499 bytes 
+SSL handshake has read 2411 bytes and written 539 bytes 
Verification: OK 
--- 
-New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA 
+New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256 
Server public key is 4096 bit 
Secure Renegotiation IS supported 
Compression: NONE 
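Review bot: the substantive change in this hunk is the ephemeral key exchange: 6.5 negotiated ECDHE over P-256, while 6.9 negotiated classic DHE with a 1024-bit group, which is weaker than P-256 and below the 2048-bit minimum generally recommended for DH. The cipher suite itself moved the other way, from ECDHE-RSA-AES256-SHA (CBC with HMAC) to DHE-RSA-AES128-GCM-SHA256 (AEAD), so the 6.9 server appears to prefer its DHE suites over ECDHE; it is worth checking the cipher-suite ordering in the PuppetDB Jetty configuration on 6.9 so that an ECDHE suite wins. Note also that the "New, TLSv1.0, Cipher is ..." line reports the protocol version in which the cipher was first defined, not the negotiated protocol; the SSL-Session block shows TLSv1.2 for both runs.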
@@ -82,14 +82,14 @@ 
No ALPN negotiated 
SSL-Session: 
    Protocol  : TLSv1.2 
-    Cipher    : ECDHE-RSA-AES256-SHA 
-    Session-ID: 
5EA6F235228812A1D39268BEA73CA0538FBD9DB65BDBFE0B2A7B620D619608CF 
+    Cipher    : DHE-RSA-AES128-GCM-SHA256 
+    Session-ID: 
5EA6F33E2ED8579BEF57A377556A369D4E2194D1E009250BCE0D972002D4D0C1 
    Session-ID-ctx:  
-    Master-Key: 
1B3E5AF06F394B30E32D5E957D0F9FC8270C19FCB6BE32FCB27B51E310F2C735F1C0E4AFE4DBFD98A67F53F945C34967
 
+    Master-Key: 
851F2F19D603D607DB9410ED5E945A76AF1408AE8692D4A4AB8A46598C88F9CF82E19748B411C5C0CB33731E856B1681
 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
-    Start Time: 1587999285 
+    Start Time: 1587999550 
    Timeout   : 7200 (sec) 
    Verify return code: 0 (ok) 
    Extended master secret: yes
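Review bot: the two Master-Key lines in this hunk are the session secrets of the test connections and should be redacted before a capture is pasted to a public list (the Session-ID and Start Time values are harmless; the master key is what decrypts the recorded session). Apart from that, the hunk confirms what the surrounding lines already state: "Verify return code: 0 (ok)" on both versions, so the server certificate chains to the supplied CA in both cases and the failure seen in the first hunk is on the client-certificate side rather than a CA-trust problem.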

But we can clearly see that the "verify" is OK on 6.9 as well:
...
verify return:1
...

Yvan

On Tuesday, April 28, 2020 at 1:48:36 AM UTC+2, comport3 wrote:
>
> "Redo SSL setup after changing certificates 
>
> If you’ve recently changed the certificates in use by the PuppetDB server, 
> you’ll also need to update the SSL configuration for PuppetDB itself.
>
> If you’ve installed PuppetDB from Puppet packages, you can simply re-run 
> the puppetdb ssl-setup command. Otherwise, you’ll need to again perform 
> the SSL configuration steps outlined in the installation instructions 
> <https://puppet.com/docs/puppetdb/latest/install_from_source.html>."
> https://puppet.com/docs/puppetdb/latest/maintain_and_tune.html

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/6380dbad-98a3-471c-b265-003991ff978e%40googlegroups.com.
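One way to make the before/after comparison above repeatable, as an added example that is not code from the post or from the PuppetDB project: a small Python script that parses captured openssl s_client output into the handshake facts that matter (negotiated protocol, cipher, ephemeral key, verify return code, fatal alert number), flags the settings a defender would want to look at, and reports which fields changed between two captures. The two sample captures are constructed excerpts modelled on the lines quoted in the diff, not live output, and the thresholds it applies (2048-bit minimum for DH groups, AEAD-only ciphers, TLS 1.2 or newer) are the script's own assumptions.

```python
import re

# Constructed excerpts of `openssl s_client -state -status` output for the two
# PuppetDB versions, reduced to the lines the comparison relies on (values
# mirror the ones quoted in the post; this is not a live capture).
S_CLIENT_65 = """\
SSL_connect:SSLv3/TLS write finished
SSL3 alert read:fatal:bad certificate
SSL_connect:error in error
139851809683264:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42
CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits
Verification: OK
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""

S_CLIENT_69 = """\
SSL_connect:SSLv3/TLS write finished
SSL3 alert read:fatal:bad certificate
SSL_connect:error in error
139950036502336:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42
CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
Verification: OK
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""

# One regex per field; each captures the value as group 1.
FIELDS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "temp_key": re.compile(r"^Server Temp Key:\s*(.+?)\s*$", re.M),
    "verify_code": re.compile(r"^\s*Verify return code:\s*(\d+)", re.M),
    "alert": re.compile(r"SSL alert number (\d+)"),
}
# "ECDH, P-256, 256 bits" or "DH, 1024 bits" -> (kind, bits)
TEMP_KEY = re.compile(r"^(\w+),.*?(\d+) bits")
# Cipher-name fragments that mark an AEAD suite (assumed list).
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def parse_s_client(text):
    """Pull the handshake facts out of one s_client capture."""
    info = {}
    for name, pat in FIELDS.items():
        m = pat.search(text)
        info[name] = m.group(1) if m else None
    for name in ("verify_code", "alert"):
        if info[name] is not None:
            info[name] = int(info[name])
    info["temp_key_kind"] = info["temp_key_bits"] = None
    if info["temp_key"]:
        m = TEMP_KEY.match(info["temp_key"])
        if m:
            info["temp_key_kind"] = m.group(1)
            info["temp_key_bits"] = int(m.group(2))
    return info


def assess(info):
    """Findings a defender would want flagged from one capture."""
    findings = []
    if info["alert"] == 42:
        findings.append("alert 42 (bad certificate): server rejected the client "
                        "certificate; s_client presents none unless -cert/-key are given")
    if info["verify_code"] not in (None, 0):
        findings.append("server certificate chain failed verification "
                        f"(verify return code {info['verify_code']})")
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {info['protocol']}")
    bits = info["temp_key_bits"]
    if info["temp_key_kind"] == "DH" and bits is not None and bits < 2048:
        findings.append(f"ephemeral DH group is only {bits} bits; "
                        "prefer an ECDHE suite or a >= 2048-bit group")
    if info["cipher"] and not any(tag in info["cipher"] for tag in AEAD_MARKERS):
        findings.append(f"cipher {info['cipher']} is a CBC/HMAC suite, not AEAD")
    return findings


def diff_fields(before, after):
    """Fields whose value changed between two captures."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


if __name__ == "__main__":
    old, new = parse_s_client(S_CLIENT_65), parse_s_client(S_CLIENT_69)
    for label, info in (("6.5", old), ("6.9", new)):
        print(label, info["protocol"], info["cipher"], info["temp_key"])
        for finding in assess(info):
            print("  -", finding)
    print("changed:", diff_fields(old, new))
```

To use it on real captures, save the s_client output of each version to a file (adding `-cert` and `-key` for the host certificate and key so the server sees the same client certificate an agent would present, then `> s_client.69 2>&1`), read the two files, and pass their contents to parse_s_client and diff_fields in place of the constructed strings. On the constructed samples it reports the alert 42 on both versions, the CBC suite on 6.5, and the 1024-bit DH group on 6.9, with protocol and verify code unchanged.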
