casdev-github / cassandra


puppet error #2

Open casdev-github opened 7 years ago

casdev-github commented 7 years ago
E, [2017-07-09T23:02:26.982393 #288524] ERROR -- : activemq.rb:131:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@puppetmaster:61613 failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate request A: dh key too small
I, [2017-07-09T23:02:26.982566 #288524]  INFO -- : activemq.rb:111:in `on_connectfail' TCP Connection to stomp+ssl://mcollective@puppetmaster:61613 failed on attempt 2348
I, [2017-07-09T23:02:56.984360 #288524]  INFO -- : activemq.rb:121:in `on_ssl_connecting' Estblishing SSL session with stomp+ssl://mcollective@puppetmaster:61613
I, [2017-07-09T23:02:56.984785 #288524]  INFO -- : activemq.rb:96:in `on_connecting' TCP Connection attempt 2349 to stomp+ssl://mcollective@puppetmaster:61613
E, [2017-07-09T23:02:57.050970 #288524] ERROR -- : activemq.rb:131:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@puppetmaster:61613 failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate request A: dh key too small
I, [2017-07-09T23:02:57.051261 #288524]  INFO -- : activemq.rb:111:in `on_connectfail' TCP Connection to stomp+ssl://mcollective@puppetmaster:61613 failed on attempt 2349
I, [2017-07-09T23:03:27.052904 #288524]  INFO -- : activemq.rb:121:in `on_ssl_connecting' Estblishing SSL session with stomp+ssl://mcollective@puppetmaster:61613
I, [2017-07-09T23:03:27.053491 #288524]  INFO -- : activemq.rb:96:in `on_connecting' TCP Connection attempt 2350 to stomp+ssl://mcollective@puppetmaster:61613
E, [2017-07-09T23:03:27.119006 #288524] ERROR -- : activemq.rb:131:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@puppetmaster:61613 failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate request A: dh key too small
I, [2017-07-09T23:03:27.119307 #288524]  INFO -- : activemq.rb:111:in `on_connectfail' TCP Connection to stomp+ssl://mcollective@puppetmaster:61613 failed on attempt 2350

PuppetMaster ngenable localhost mco puppet enable -I nodeHostName

RUN:: USING HOST nodeHostName

RUN:: mco puppet enable -I nodeHostName

| [ > ] 0 / 1

Summary of Enabled:

    No aggregate summary could be computed

Finished processing 0 / 1 hosts in 22002.52 ms

No response from:

    nodeHostName

casdev-github commented 7 years ago
puppet agent --version
3.8.6
centos 6.9
casdev-github commented 7 years ago

https://docs.puppet.com/pe/latest/trouble_comms.html

https://docs.puppet.com/pe/latest/trouble_orchestration.html

https://docs.puppet.com/pe/latest/trouble_dh_generate.html

casdev-github commented 7 years ago

On the master/CA server you need to run:

    puppet cert clean client-certname

On the client:

    rm -rf /var/lib/puppet/ssl

Then on the client:

    puppet agent --server servername --waitforcert 60

casdev-github commented 7 years ago

https://docs.puppet.com/pe/latest/agent_cert_regen.html
https://docs.puppet.com/puppet/5.0/ssl_regenerate_certificates.html
https://docs.puppet.com/mcollective/
https://docs.puppet.com/puppet/latest/man/certificate.html

casdev-github commented 7 years ago

https://www.madboa.com/geek/openssl/#how-do-i-find-out-what-openssl-version-i-m-running
https://www.madboa.com/geek/openssl/

Name : openssl Arch : i686 Version : 1.0.1e Release : 48.el6_8.3 Size : 3.9 M Repo : installed From repo : RHEL6-2H16.3

Name : openssl Arch : i686 Version : 0.9.8e Release : 42.el5_11 Size : 3.9 M Repo : installed

Name : openssl Arch : x86_64 Version : 1.0.1e Release : 57.el6 Size : 4.1 M Repo : installed From repo : RHEL6-2H16.10

casdev-github commented 7 years ago

https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://www.openssl.org/news/cl102.txt
https://unix.stackexchange.com/questions/333877/how-to-find-which-key-exactly-dh-key-too-small-openssl-error-is-about
https://github.com/rapid7/metasploit-framework/issues/6783

Following these findings, we have started to more aggressively revise the cryptographic defaults in OpenSSL. The following changes are either already released or coming up in the next releases of our supported stable branches.

Changes affecting OpenSSL 1.0.1 and OpenSSL 1.0.2:

- OpenSSL clients will reject connections with DH parameters shorter than 768 bits. As an unfortunately large number of servers use 768-bit parameters still, we’ll be giving them a short grace period to upgrade, with a keen eye out to raising the limit to 1024 bits soon. [OpenSSL 1.0.2b (next release), OpenSSL 1.0.1n (next release)]
- Export cipher suites are disabled by default. [OpenSSL 1.0.2a (current release), OpenSSL 1.0.1m (current release)]
- The openssl dhparam tool generates 2048-bit DH parameters by default. [OpenSSL 1.0.2 (all releases), OpenSSL 1.0.1n (next release)]. You can use an earlier version of the tool to generate secure parameters as well - just make sure to specify the bitlength explicitly:
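The "dh key too small" failure in the log above is the OpenSSL client-side floor described in the quoted blog post: the client refuses the server's ephemeral DH parameters when the prime p is shorter than the minimum. The following is an added example, not code from this issue, from Puppet or from MCollective. It parses a PKCS#3 "DH PARAMETERS" PEM block (the format `openssl dhparam` writes: SEQUENCE { INTEGER p, INTEGER g }) with nothing but the Python standard library, reports the bit length of p, and classifies it against the 768-bit floor and the 2048-bit default from the blog post. The `sample_params` helper builds a constructed, non-prime test value so the script runs offline; the thresholds and the PEM/DER layout are the only assumptions, and a real `dhparam.pem` can be passed to `dh_prime_bits` in the same way.

```python
import base64
import secrets
from typing import Tuple

# Thresholds taken from the OpenSSL blog post quoted above: 1.0.1n/1.0.2b
# clients reject DH parameters shorter than 768 bits (1024 announced as the
# next limit); 2048 is what `openssl dhparam` now generates by default.
MIN_BITS_OPENSSL_CLIENT = 768
RECOMMENDED_BITS = 2048


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value; pad with 0x00 if the top bit is set."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> str:
    """Write PKCS#3 DH parameters as a PEM 'DH PARAMETERS' block."""
    content = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem: str) -> Tuple[int, int]:
    """Parse a PEM 'DH PARAMETERS' block into (p, g)."""
    lines = [line.strip() for line in pem.splitlines()]
    if "-----BEGIN DH PARAMETERS-----" not in lines:
        raise ValueError("not a PKCS#3 DH PARAMETERS block")
    start = lines.index("-----BEGIN DH PARAMETERS-----") + 1
    end = lines.index("-----END DH PARAMETERS-----")
    der = base64.b64decode("".join(lines[start:end]))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem: str) -> int:
    """Bit length of the DH prime p, which is what OpenSSL's floor applies to."""
    p, _ = decode_dh_params(pem)
    return p.bit_length()


def classify(bits: int) -> str:
    """Map the prime size to the outcome an OpenSSL 1.0.1n/1.0.2b client gives."""
    if bits < MIN_BITS_OPENSSL_CLIENT:
        return "rejected: below the 768-bit floor ('dh key too small')"
    if bits < RECOMMENDED_BITS:
        return "weak: accepted, but below the 2048-bit dhparam default"
    return "ok"


def sample_params(bits: int) -> str:
    """Constructed test input: a random odd number of exactly `bits` bits.

    It is NOT a safe prime and must never be used as real DH parameters; it
    only exercises the encoder, the parser and the size check offline.
    """
    p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    return encode_dh_params(p, 2)


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        bits = dh_prime_bits(sample_params(size))
        print(f"p is {bits} bits: {classify(bits)}")
```

To check a file written by the tool mentioned in the blog post, run `openssl dhparam -out dhparam.pem 2048` (the explicit bit length is the point of the quoted advice) and call `dh_prime_bits(open("dhparam.pem").read())`; anything that classifies as "rejected" is exactly what the MCollective client above would refuse with "dh key too small".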