Closed zaiwen2020 closed 4 years ago
Hi,
I found this article: https://tickets.puppetlabs.com/browse/PUP-10212
When accessing PuppetDB or RBAC endpoints via curl, SSL negotiation fails with error tls_process_ske_dhe:dh key too small
As a workaround, bypass autonegotiation by specifying a cipher that is mutually acceptable to client and server, such as --cipher ECDHE-RSA-AES256-GCM-SHA384
This workaround works if I run curl in a terminal, but how do I fix it for the Foreman console link "PuppetDB Nodes"?
Thanks, Zaiwen
After battling it out, I finally found my solution!
The workaround is to manually set PuppetDB's cipher-suites setting to the following list in file /etc/puppetlabs/puppetdb/conf.d/jetty.ini:
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I got hints from: https://github.com/voxpupuli/puppetboard/issues/535 https://tickets.puppetlabs.com/browse/PDB-4513
Thanks, Zaiwen
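An added example, not part of the original thread or of PuppetDB's own code: a small audit of the `cipher-suites` value in jetty.ini that groups each configured suite by key-exchange family, so you can see which entries can still negotiate finite-field DHE (the exchange the "dh key too small" error refers to) and which use static RSA. The `[jetty]` section name, the port and the shortened sample list are assumptions made for the example.

```python
import configparser

# Constructed sample input. The [jetty] section name, the port and the
# shortened suite list are assumptions; use your own jetty.ini contents.
SAMPLE_JETTY_INI = """\
[jetty]
ssl-port = 8081
cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Prefix of an IANA-style suite name -> key-exchange family.
PREFIXES = (("TLS_ECDHE_", "ECDHE"), ("TLS_DHE_", "DHE"), ("TLS_RSA_", "RSA"))


def key_exchange(suite):
    """Classify a suite by the key exchange encoded in its name."""
    name = suite.upper()
    for prefix, family in PREFIXES:
        if name.startswith(prefix):
            return family
    return "OTHER"


def audit_cipher_suites(ini_text, section="jetty", option="cipher-suites"):
    """Group the configured suites by key-exchange family, keeping order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    raw = parser.get(section, option, fallback="")
    report = {"ECDHE": [], "DHE": [], "RSA": [], "OTHER": []}
    for suite in (s.strip() for s in raw.split(",")):
        if suite:
            report[key_exchange(suite)].append(suite)
    return report


if __name__ == "__main__":
    notes = {
        "DHE": "finite-field DH: server DH parameter size matters here",
        "RSA": "static RSA key exchange: no forward secrecy",
        "ECDHE": "elliptic-curve DH: not affected by DH parameter size",
        "OTHER": "not classified by this script",
    }
    for family, suites in audit_cipher_suites(SAMPLE_JETTY_INI).items():
        for suite in suites:
            print(f"{family:5} {suite}  ({notes[family]})")
```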
Hi,
I am installing Foreman 2.1 with Puppetserver 6.11 and PuppetDB 6.10. They are all on one machine, which is running RedHat 8.2.
Foreman, puppetserver and PuppetDB all install fine. "puppet agent -t" is successful.
Then I install foreman puppetdb plugin:
The install finished fine. And I log on to Foreman console, go to Administer > Settings > PuppetDB and set puppetdb_address with my PuppetDB address.
Everything seems fine. However, when I click on "Monitor" -> "PuppetDB Nodes" on the left side of the Foreman console, I get this error:
"Oops, we're sorry but something went wrong SSL_connect returned=1 errno=0 state=error: dh key too small"
Please advise.
Thanks, Zaiwen