theforeman / puppetdb_foreman

PuppetDB proxy in Foreman
http://theforeman.org
GNU General Public License v3.0

SSL_connect returned=1 errno=0 state=error: dh key too small #68

Closed zaiwen2020 closed 4 years ago

zaiwen2020 commented 4 years ago

Hi,

I am installing Foreman 2.1 with Puppetserver 6.11 and PuppetDB 6.10. They are all on one machine which is a Red Hat 8.2.

Foreman, puppetserver and PuppetDB all install fine. "puppet agent -t" is successful.

Then I install foreman puppetdb plugin:

    # gedit /etc/foreman-installer/scenarios.d/foreman-answers.yaml
        puppetdb plug in: true

    # foreman-installer --foreman-initial-admin-password=admin -i -v

The install finished fine. Then I log on to the Foreman console, go to Administer > Settings > PuppetDB and set puppetdb_address to my PuppetDB address.

Everything seems fine. However, when I click on the Foreman console left side "Monitor" -> "PuppetDB Nodes", I get an error:

"Oops, we're sorry but something went wrong SSL_connect returned=1 errno=0 state=error: dh key too small"

Please advise.

Thanks, Zaiwen

zaiwen2020 commented 4 years ago

Hi,

I found this article: https://tickets.puppetlabs.com/browse/PUP-10212

When accessing PuppetDB or RBAC endpoints via curl, SSL negotiation fails with error tls_process_ske_dhe:dh key too small

As a workaround, bypass autonegotiation by specifying a cipher that is mutually acceptable to client and server, such as --cipher ECDHE-RSA-AES256-GCM-SHA384

This workaround works if I run curl in a terminal, but how do I fix it for the Foreman console link "PuppetDB Nodes"?

Thanks, Zaiwen

zaiwen2020 commented 4 years ago

After battling it out, I finally found my solution!

The workaround is to manually set PuppetDB's cipher-suites setting to the following list in file /etc/puppetlabs/puppetdb/conf.d/jetty.ini:

TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

I got hints from: https://github.com/voxpupuli/puppetboard/issues/535 and https://tickets.puppetlabs.com/browse/PDB-4513

Thanks, Zaiwen
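The workaround above replaces PuppetDB's cipher-suites list wholesale, so it is worth knowing what each entry in that list actually commits the server to. The "dh key too small" error comes from the client (Foreman's Ruby OpenSSL) rejecting the finite-field Diffie-Hellman parameters the server offers for a TLS_DHE_* suite; TLS_ECDHE_* suites use elliptic-curve ephemeral DH and are not affected by that check, and TLS_RSA_* suites avoid DH entirely but give up forward secrecy. The following Ruby script is an added example, not code from the puppetdb_foreman plugin or from PuppetDB: it parses the cipher-suites line out of a constructed jetty.ini fragment (using the exact list from the workaround) and groups the suites by key-exchange family so an operator can see at a glance which entries depend on the server's DH parameter size and which lack forward secrecy. The ini text, the function names and the classification rules are this example's own assumptions.

```ruby
# Added example (not part of puppetdb_foreman or PuppetDB): audit the
# cipher-suites list in a PuppetDB jetty.ini by key-exchange family.

# Constructed sample of the relevant jetty.ini section. The cipher list is the
# one from the workaround in this issue.
SAMPLE_JETTY_INI = <<~INI
  [jetty]
  ssl-port = 8081
  cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
INI

# Extract the cipher-suites value from ini text. Returns [] when the key is
# absent, i.e. when the server falls back to its JVM default list.
def cipher_suites_from_ini(ini_text)
  line = ini_text.lines.map(&:strip).find { |l| l =~ /\Acipher-suites\s*=/ }
  return [] unless line
  line.split('=', 2).last.split(',').map(&:strip).reject(&:empty?)
end

# Key-exchange family of an IANA-style suite name.
def key_exchange(suite)
  case suite
  when /\ATLS_ECDHE_/ then :ecdhe # elliptic-curve ephemeral DH: forward secrecy, no FFDH parameters
  when /\ATLS_DHE_/   then :dhe   # finite-field ephemeral DH: the family behind "dh key too small"
  when /\ATLS_RSA_/   then :rsa   # static RSA key transport: no forward secrecy
  else :other
  end
end

# Group a suite list by key-exchange family.
def classify_cipher_suites(suites)
  suites.group_by { |s| key_exchange(s) }
end

# Summarise the risk-relevant facts about a configured list.
def audit_cipher_suites(suites)
  groups = classify_cipher_suites(suites)
  {
    total: suites.size,
    dh_dependent: groups.fetch(:dhe, []),        # only these trigger the client DH size check
    no_forward_secrecy: groups.fetch(:rsa, []),  # static RSA: a leaked server key exposes past sessions
    ecdhe: groups.fetch(:ecdhe, []),             # forward secrecy without finite-field DH
    unrecognised: groups.fetch(:other, []),      # typos or non-TLS_ names worth a second look
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_cipher_suites(cipher_suites_from_ini(SAMPLE_JETTY_INI))
  puts "#{report[:total]} suites configured"
  puts "DHE suites (depend on server DH parameter size): #{report[:dh_dependent].join(', ')}"
  puts "Static-RSA suites (no forward secrecy): #{report[:no_forward_secrecy].join(', ')}"
  puts "ECDHE suites: #{report[:ecdhe].join(', ')}"
  puts "Unrecognised entries: #{report[:unrecognised].join(', ')}" unless report[:unrecognised].empty?
end
```

Run it against a copy of your own /etc/puppetlabs/puppetdb/conf.d/jetty.ini by reading the file into `cipher_suites_from_ini` instead of the constructed sample. If the DHE group is non-empty, the server's DH parameter size still matters for any client that negotiates one of those suites; if you want to keep forward secrecy while sidestepping the DH check, the ECDHE entries are the ones to keep.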