puppetlabs / pupperware

Container fun time lives here.

openssl s_client "unable to verify the first certificate" #145

Closed greenyoda closed 3 years ago

greenyoda commented 5 years ago

Describe the Bug

The certificate chain looks faulty on pupperware both via openssl s_client or a browser.

Browser: Secure Connection Failed

openssl:

openssl s_client -showcerts -connect puppetdb.internal:32782
CONNECTED(00000003)
depth=0 CN = puppetdb.internal
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = puppetdb.internal
verify error:num=21:unable to verify the first certificate
verify return:1
139832684724288:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1407:SSL alert number 42
---
Certificate chain
 0 s:/CN=puppetdb.internal
   i:/CN=Puppet CA: puppet.internal
---
Server certificate
subject=/CN=puppetdb.internal
issuer=/CN=Puppet CA: puppet.internal
---
Acceptable client certificate CA names
/CN=Puppet CA: puppet.internal
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2372 bytes and written 378 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
    Session-ID: 5D7E9AFF8D38DD433FBA8484D43314BB49BC830C4D88D96603BCF15267F628D4
    Session-ID-ctx: 
    Master-Key: 2601C7F198C4698B3BD551EB3B8EE2DC7466E1FC193C653668FA4071F80CD627900CDD9192B3480AB024AEA91704F683
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1568578303
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

Expected Behavior

Login page to load.

Steps to Reproduce

git clone https://github.com/puppetlabs/pupperware
cd pupperware
DNS_ALT_NAMES=puppet docker-compose up -d

Environment

git branch -vvv
* master ab5b6d9 [origin/master] (maint) Use named volumes in compose where possible (#129)
docker-compose version 1.24.1, build 4667896
docker version
Client: Docker Engine - Community
 Version:           19.03.2
 API version:       1.40
 Go version:        go1.12.8
 Git commit:        6a30dfc
 Built:             Thu Aug 29 05:28:55 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.2
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.8
  Git commit:       6a30dfc
  Built:            Thu Aug 29 05:27:34 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
CONTAINER ID        IMAGE                       COMMAND                  CREATED             STATUS                    PORTS                                              NAMES
e19d4f6df666        puppet/puppetdb             "/usr/bin/tini -g --…"   25 minutes ago      Up 16 minutes (healthy)   0.0.0.0:32783->8080/tcp, 0.0.0.0:32782->8081/tcp   pupperware_puppetdb_1
483dfb48709d        puppet/puppetserver:6.4.0   "dumb-init /docker-e…"   25 minutes ago      Up 16 minutes (healthy)   0.0.0.0:8140->8140/tcp                             pupperware_puppet_1
d45a0d140fbc        postgres:9.6                "docker-entrypoint.s…"   25 minutes ago      Up 16 minutes (healthy)   5432/tcp                                           pupperware_postgres_1
docker exec -it e19d4f6df666 /bin/bash
root@puppetdb:/# hostname
puppetdb.internal
root@puppetdb:/# host puppet
puppet has address 172.20.0.3

docker exec -it 483dfb48709d /bin/bash
root@puppet:/# hostname
puppet.internal

docker inspect e19d4f6df666 | grep 172
                    "Gateway": "172.20.0.1",
                    "IPAddress": "172.20.0.2",

docker inspect 483dfb48709d | grep 172
            "SandboxID": "58172b70e551993d9126c238b914398713e4e1c3773ac9867c82ce68b66932e5",
            "SandboxKey": "/var/run/docker/netns/58172b70e551",
                    "Gateway": "172.20.0.1",
                    "IPAddress": "172.20.0.3",


underscorgan commented 5 years ago

Hi @greenyoda,

I will definitely look into this, but just for a bit more context what login page are you trying to get to load? Pupperware doesn't have any GUI components.

Thanks!

greenyoda commented 5 years ago

Hi @underscorgan, I assumed pupperware had a front on https://puppetdb.internal:32782 / https://puppetdb.internal:8081 ?

http://puppetdb.internal:32783 loads fine.

Thanks, John

underscorgan commented 5 years ago

Hi @greenyoda,

This seems to be related to the fact that the puppetserver uses a self-signed CA cert to generate certs for all the nodes. If I download the ca.pem file from the puppetdb container, I can run openssl s_client -showcerts -CAfile ca.pem -connect localhost:32768 and verify the cert for the puppetdb ssl port.

I'm guessing in the browser you'll both need to add the CA as a trusted cert and also use the private key from one of the hosts to authenticate.

Iristyle commented 3 years ago

Closing this one as it's outdated and I don't believe it's an actual issue.

Thanks for submitting!