Re: 0.24 not serving puppet provided certificate

Hi,

OK, so the s_client was misleading, TLS vs SSLv3... with SSLv3 on both sides it does work for s_client, however func still isn't happy, with func saying:

{'hostname.domain.local': ['REMOTE_ERROR',
                                    'xmlrpclib.Fault',
                                    '<Fault 1: "OpenSSL.crypto.Error:[(\'asn1 encoding routines\', \'ASN1_mbstring_copy\', \'unknown format\')]">',
                                    '  File "/usr/lib/python2.6/site-packages/func/overlord/client.py", line 881, in process_server\n    retval = getattr(conn, meth)(*args[:])\n   File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__\n    return self.__send(self.__name, args)\n   File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request\n    verbose=self.__verbose\n   File "/usr/lib64/python2.6/xmlrpclib.py", line 1253, in request\n    return self._parse_response(h.getfile(), sock)\n   File "/usr/lib64/python2.6/xmlrpclib.py", line 1392, in _parse_response\n    return u.close()\n   File "/usr/lib64/python2.6/xmlrpclib.py", line 838, in close\n    raise Fault(**self._stack[0])\n']}

Which was actually the error I've always been having from func. With tcpdump I think I see the handshake complete and a k or so of application data (or would that be the cert going over?). Could this unknown format error maybe be something about hostname verification? Any pointers appreciated.

Thanks

Chris

On 26 May 2011 11:17, Chris Phillips <chris@xxxxxxxxxxxx> wrote:
Hi,

I've rolled out an environment where func is using the puppet certs. I have a handful of old el4 boxes and *thought* func was OK on them until I came to use them and found that 0.24 doesn't support the puppet certs, and the chances of upgrading the whole chain of dependencies (including python 2.3 -> 2.4) is just a no-go.

So instead I commented out the attempt to hit certmaster, which is obviously not being used, and symlinked the puppet certs to the normal func locations. After doing this, the func daemon does start and listen, but doesn't actually do anything, with no sign of server side errors with DEBUG enabled in the log.

It seems that it just doesn't serve the cert at all. Using openssl s_client on it, I just get:

openssl s_client -connect hostname:51234
CONNECTED(00000003)
140144621885256:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Anyone have any ideas about any way to nudge func into life with these alternative certs? I suppose it has to be some attribute of the certificate as created by openssl libraries on an el6 server, being used on an el4 client, but I've not a clue what, and would doubt it's possible to change the attributes of the certs.

Thanks

Chris

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
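Chris's guess in the original post is that "some attribute of the certificate as created by openssl libraries on an el6 server" is what the el4 side cannot digest, and the func fault names OpenSSL's ASN1_mbstring_copy, the routine that copies a text value into an ASN.1 string of one of the permitted types. One certificate attribute that does differ between issuers and is not visible in the usual `openssl x509 -text` dump is exactly that: whether each subject attribute (C, O, CN, ...) is encoded as PrintableString, UTF8String, T61String or BMPString. The script below is an added example for this thread, not func or puppet code, and it does not claim to be the diagnosis of Chris's failure; it walks the DER of a certificate's subject Name and reports the string type of every attribute, so two certificates can be compared field by field. The two sample certificates it builds are constructed inline and differ only in the CN's string type; `hostname.domain.local` is the redacted name from Chris's trace, everything else in the sample is made up.

```python
"""Report the ASN.1 string type behind each attribute of an X.509 subject Name.
Added example for the thread above, not func or puppet code; the parser is real,
the sample Name and certificate-shaped DER further down are constructed inline."""
# Universal tags that can carry a Name attribute value (DirectoryString and friends)
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
             0x16: "IA5String", 0x1C: "UniversalString", 0x1E: "BMPString"}
OID_NAMES = {(2, 5, 4, 3): "CN", (2, 5, 4, 6): "C", (2, 5, 4, 10): "O",
             (2, 5, 4, 11): "OU", (1, 2, 840, 113549, 1, 9, 1): "emailAddress"}
def _read_tlv(data, pos):
    """Parse one DER TLV at pos -> (tag, value bytes, position after it). Definite lengths only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated TLV value")
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OBJECT IDENTIFIER payload -> tuple of arcs (base-128, high bit = continuation)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)

def name_string_types(name_der):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue -> [(attr, string type, text)]."""
    tag, rdns, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            oid_tag, oid_raw, after = _read_tlv(atv, 0)
            if oid_tag != 0x06:
                raise ValueError("AttributeType must be an OID")
            val_tag, val_raw, _ = _read_tlv(atv, after)
            arcs = _decode_oid(oid_raw)
            attr = OID_NAMES.get(arcs, ".".join(map(str, arcs)))
            kind = TAG_NAMES.get(val_tag, "unknown tag 0x%02x" % val_tag)
            # BMPString is UCS-2 big-endian, UTF8String is UTF-8, the rest are 8-bit sets
            codec = {0x1E: "utf-16-be", 0x0C: "utf-8"}.get(val_tag, "latin-1")
            out.append((attr, kind, val_raw.decode(codec, "replace")))
    return out

def subject_from_certificate(cert_der):
    """Certificate -> tbsCertificate -> skip version, serial, signature, issuer, validity -> subject."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0        # [0] EXPLICIT version is optional (absent in v1)
    for _ in range(4):
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]

# ---- constructed sample input: a minimal DER encoder, used only to build test data ----
def _tlv(tag, payload):
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _encode_oid(arcs):
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        body += bytes(chunk)
    return body

def build_sample_name(cn_tag):
    """Constructed Name: C and O as PrintableString, CN with the string tag the caller picks."""
    def atv(oid, tag, text):
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(tag, text)))
    return _tlv(0x30, atv((2, 5, 4, 6), 0x13, b"XX") + atv((2, 5, 4, 10), 0x13, b"Example Org")
                + atv((2, 5, 4, 3), cn_tag, b"hostname.domain.local"))

def build_sample_certificate(cn_tag):
    """Constructed, unsigned, certificate-shaped DER: placeholder fields around the sample Name."""
    name = build_sample_name(cn_tag)
    validity = _tlv(0x30, _tlv(0x17, b"110526000000Z") + _tlv(0x17, b"120526000000Z"))
    sigalg = _tlv(0x30, _tlv(0x06, _encode_oid((1, 2, 840, 113549, 1, 1, 11))))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sigalg   # version v3, serial, sigalg
           + name + validity + name + _tlv(0x30, b""))                     # issuer, validity, subject, SPKI
    return _tlv(0x30, _tlv(0x30, tbs))

if __name__ == "__main__":
    for cn_tag in (0x13, 0x0C):                   # same subject, CN encoded two different ways
        for row in name_string_types(subject_from_certificate(build_sample_certificate(cn_tag))):
            print("%-3s %-16s %s" % row)
```

To run it against real certificates, hand `subject_from_certificate` the DER bytes (`ssl.PEM_cert_to_DER_cert` on the PEM text, or `openssl x509 -outform DER`), and compare the output for the puppet-issued certificate with one that func 0.24 does accept; `openssl asn1parse -in cert.pem` shows the same tags if you would rather read them by hand. The parser stops at the subject because that is where the question in the thread points; extensions such as subjectAltName live further on in tbsCertificate and are not covered here.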
