09 November 2012

puppet: error: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A

I moved my puppet server from one datacenter to another and in the new one it was behind a firewall. All the hosts were returning the following error:
err: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
I googled a lot about this error. In one comment I found this test, which helped me understand the issue:
# openssl s_client -connect puppet:8140
CONNECTED(00000003)
5714:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
The problem was clear: the TCP connection was accepted, but the SSL handshake could not be completed. The firewall rule for port 8140 had been configured as HTTP rather than plain TCP. Switching the rule to TCP fixed the issue for me, so the root cause was a firewall misconfiguration. After the change, the same test completed the handshake:
# openssl s_client -connect puppet:8140
CONNECTED(00000003)
depth=1 /CN=Puppet CA: puppet.ww.local
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=puppet.ww.local
i:/CN=Puppet CA: puppet.ww.local
1 s:/CN=Puppet CA: puppet.ww.local
i:/CN=Puppet CA: puppet.ww.local
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=puppet.ww.local
issuer=/CN=Puppet CA: puppet.ww.local
---
No client certificate CA names sent
---
SSL handshake has read 1761 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: D8D86089190C1CCC687C06C796E870575D7C6303559350E19640DFC8D356316C
Session-ID-ctx:
Master-Key:
AD94A3DF004BF12805BAA34398B19E797144A3A7DC85EBAFC7AEE5156CB53B3FE0C8CF6CAEC1EEE933FA8B1958CC0EC9
Key-Arg : None
Start Time: 1352471306
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
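As an added example (not part of the original post), a small POSIX shell helper that wraps the openssl s_client test used above and classifies its output into the cases seen on this page: handshake failure (TCP open but no TLS, as with the HTTP firewall rule), handshake completed with verify code 19 (the Puppet CA is simply not in the system trust store), a clean verify, or no connection at all. The function names and the optional CA-file argument are my own assumptions.

```shell
#!/bin/sh
# Classify the output of `openssl s_client` (read from stdin) into the cases
# seen when troubleshooting a Puppet master on port 8140.
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'ssl handshake failure'; then
    # TCP connected but TLS was never negotiated: something on the path
    # (here an "HTTP" firewall rule) is not passing the TCP stream through.
    echo handshake-failure
  elif printf '%s\n' "$out" | grep -q '^Verify return code: 0 '; then
    echo ok
  elif printf '%s\n' "$out" | grep -q '^Verify return code: 19 '; then
    # Handshake completed; code 19 only means the Puppet CA is not in the
    # system trust store, which is expected unless -CAfile is given.
    echo ok-self-signed-chain
  elif printf '%s\n' "$out" | grep -q -e 'Connection refused' -e 'connect:errno'; then
    # Nothing listening or the port is blocked outright (no TCP connection).
    echo connect-failed
  else
    echo unknown
  fi
}

# Run the test against a master. Arguments: host (default puppet), port
# (default 8140) and an optional CA file. The CA file is an assumption here:
# pass the ca.pem from your agent's ssldir to get "ok" instead of code 19.
check_puppet_tls() {
  host=${1:-puppet}; port=${2:-8140}; cafile=$3
  if [ -n "$cafile" ]; then
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1 | classify_handshake
  else
    openssl s_client -connect "$host:$port" </dev/null 2>&1 | classify_handshake
  fi
}
```

Running check_puppet_tls from an affected agent before and after the firewall change should move the result from handshake-failure to ok-self-signed-chain (or ok, with the CA file).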
