Puppet: System Administration Automated

Support

Ticket #983 (closed defect: fixed)

Opened 11 months ago

Last modified 10 months ago

certificate signing fails: nested asn1 error (Puppet::Error)

Reported by: do
Assigned to: community
Priority: normal
Milestone:
Component: library
Version: 0.24.1
Severity: critical
Keywords: ssl asn nested certificates
Cc:
Triage Stage: Needs more info
Attached Patches: None
Complexity: Unknown

Description

I have a puppet client with puppet (both versions 0.23.2 and 0.24.1 have the same error) and puppetmaster(s) (again version 0.24.1 and 0.23.2) where signing its certificate fails: on the client I get:

debug: Calling puppetca.getcert
/usr/lib/ruby/1.8/puppet/network/xmlrpc/client.rb:55:in `getcert'
/usr/lib/ruby/1.8/puppet/network/client/ca.rb:26:in `request_cert'
/usr/sbin/puppetd:346
/usr/lib/ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert': Certificate retrieval failed: nested asn1 error (Puppet::Error)
        from /usr/sbin/puppetd:346 

and on the server (version 0.23.2)

notice: Allowing unauthenticated client FQDN (IP) access to puppetca.getcert
info: Signing certificate for FQDN
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:28:in `initialize'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:28:in `new'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:28:in `init'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:27:in `glob'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:27:in `init'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:16:in `add'
/usr/lib/ruby/1.8/puppet/util/config.rb:676:in `write'
/usr/lib/ruby/1.8/puppet/util/config.rb:675:in `open'
/usr/lib/ruby/1.8/puppet/util/config.rb:675:in `write'
/usr/lib/ruby/1.8/puppet/util/suidmanager.rb:33:in `asuser'
/usr/lib/ruby/1.8/puppet/util/config.rb:666:in `write'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:14:in `add'
/usr/lib/ruby/1.8/puppet/sslcertificates/ca.rb:289:in `storeclientcert'
/usr/lib/ruby/1.8/puppet/sslcertificates/ca.rb:258:in `sign'
/usr/lib/ruby/1.8/puppet/network/handler/ca.rb:120:in `getcert'
/usr/share/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:147:in `to_proc'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `call'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `protect_service'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:85:in `setup_processor'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `call'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `each'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:366:in `call_method'
/usr/lib/ruby/1.8/xmlrpc/server.rb:378:in `handle'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:44:in `process'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/webrick_servlet.rb:68:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/1.8/puppet.rb:334:in `start'
/usr/lib/ruby/1.8/puppet.rb:185:in `newthread'
/usr/lib/ruby/1.8/puppet.rb:184:in `initialize'
/usr/lib/ruby/1.8/puppet.rb:184:in `new'
/usr/lib/ruby/1.8/puppet.rb:184:in `newthread'
/usr/lib/ruby/1.8/puppet.rb:332:in `start'
/usr/lib/ruby/1.8/puppet.rb:331:in `each'
/usr/lib/ruby/1.8/puppet.rb:331:in `start'
/usr/sbin/puppetmasterd:298
err: Could not call: nested asn1 error

with puppetmaster version 0.24.1 I get:

/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:25:in `initialize'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:25:in `new'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:25:in `init'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:24:in `glob'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:24:in `init'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:15:in `add'
/usr/lib/ruby/1.8/puppet/util/settings.rb:766:in `write'
/usr/lib/ruby/1.8/puppet/util/settings.rb:765:in `open'
/usr/lib/ruby/1.8/puppet/util/settings.rb:765:in `write'
/usr/lib/ruby/1.8/puppet/util/suidmanager.rb:25:in `asuser'
/usr/lib/ruby/1.8/puppet/util/settings.rb:756:in `write'
/usr/lib/ruby/1.8/puppet/sslcertificates/inventory.rb:14:in `add'
/usr/lib/ruby/1.8/puppet/sslcertificates/ca.rb:331:in `storeclientcert'
/usr/lib/ruby/1.8/puppet/sslcertificates/ca.rb:300:in `sign'
/usr/lib/ruby/1.8/puppet/network/handler/ca.rb:120:in `getcert'
/usr/share/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:147:in `to_proc'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `call'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in `protect_service'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:85:in `setup_processor'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `call'
/usr/lib/ruby/1.8/xmlrpc/server.rb:336:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `each'
/usr/lib/ruby/1.8/xmlrpc/server.rb:323:in `dispatch'
/usr/lib/ruby/1.8/xmlrpc/server.rb:366:in `call_method'
/usr/lib/ruby/1.8/xmlrpc/server.rb:378:in `handle'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/processor.rb:44:in `process'
/usr/lib/ruby/1.8/puppet/network/xmlrpc/webrick_servlet.rb:68:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/1.8/puppet.rb:336:in `start'
/usr/lib/ruby/1.8/puppet.rb:187:in `newthread'
/usr/lib/ruby/1.8/puppet.rb:186:in `initialize'
/usr/lib/ruby/1.8/puppet.rb:186:in `new'
/usr/lib/ruby/1.8/puppet.rb:186:in `newthread'
/usr/lib/ruby/1.8/puppet.rb:334:in `start'
/usr/lib/ruby/1.8/puppet.rb:333:in `each'
/usr/lib/ruby/1.8/puppet.rb:333:in `start'
/usr/sbin/puppetmasterd:281
err: Could not call: nested asn1 error

I had the SSL libraries for Ruby and OpenSSL from unstable; I downgraded both the server and the client in question to Debian-everything-stable, and the problem did not change at all.

Additionally I have a host which runs puppetmasterd 0.23.2 with mongrel, this produces the same error. The server from above does not run with mongrel.

All other hosts (which already have certificates) work fine, I already deleted the signed certificates for the client, I also deleted all of "ssl/*" on the client and made sure that it uses the proper directories for its ssl-stuff (both on the server and the client).

Can someone give me a hint, where the problem might lie?

Thanks, udo.

Change History

01/18/08 11:45:46 changed by jamtur01

  • keywords set to ssl asn nested certificates.
  • stage changed from Unreviewed to Needs more info.

Hi - what's the platform here? Debian/Ubuntu? Versions?

01/19/08 12:55:02 changed by do

It is Debian Etch 4.0r1 with:

ii  libopenssl-ruby            1.0.0+ruby1.8.2-1
ii  libopenssl-ruby1.8      1.8.6.111-3
ii  openssl                           0.9.8c-4etch1      

also, I have tried openssl from unstable (version 0.9.8g-4).

The tests were all done with the same version of puppetmaster and puppet (0.23.2 and 0.24.1) as well as different versions of master and client, as well as both openssl versions on both client and master.

(follow-up: ↓ 4 ) 01/19/08 13:57:43 changed by jamtur01

So it's only one client - running Debian Etchrc1 - all other client hosts are okay?

(in reply to: ↑ 3 ) 01/21/08 11:10:06 changed by do

Replying to jamtur01:

So it's only one client - running Debian Etchrc1 - all other client hosts are okay?

all hosts are "Debian Etch 4.0r2".

- The majority have openssl 0.9.8c-4etch1, some have openssl from unstable. On both types, the error happens

- Those machines which already have/had a certificate are ok, those which should get a new one have the error.

- The signing request is created on the client, the request is signed on the puppetmaster.

I now have 2 machines which changed their domainname, thus they should get new certificates. But they don't, due to this error.

01/21/08 11:33:05 changed by do

I just realized that the same error happens with "Mac OS X 10.4.11" and "puppet 0.23.0"; it seems to me that the error is to be found on the puppetmaster and not on the clients.

01/22/08 15:08:20 changed by do

  • version set to 0.24.1.

I have found the following URL, where at the end of the comments someone says that the country-code in the certificate is not a 2-letter code. http://www.intertwingly.net/blog/2007/11/01/Apache2-https-and-Gutsy-Gibbon
Trying to test the certificate from bash:

$ openssl x509 -in csr_puppetmaster-dev....pem -noout -serial

yields:

unable to load certificate
22158:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

01/23/08 10:00:14 changed by do

  • status changed from new to closed.
  • resolution set to fixed.
  • severity changed from normal to critical.

Now I have decided to delete all SSL certificates. The server generated a new one, I had to delete the 'ssl' dir on all clients, and now everything works fine again...
Nevertheless, it would be nice if such radical things were not necessary. Especially since it is necessary to visit all clients and do things manually in order to make automatic things work again. CSSH to the rescue!
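
Added example, not part of the ticket and not Puppet's own code. The server traces above show the certificate inventory globbing a directory and failing inside a constructor, and the reporter's `openssl x509` check shows a `csr_...pem` file that does not load as a certificate. The script below assumes the failure is a non-certificate file (a CSR, or a truncated PEM) sitting among the `*.pem` files that the inventory parses as X.509 certificates; it classifies every file in a directory so the one offending file can be moved aside rather than deleting every certificate on the master and all clients. The directory, the file names and the key, certificate and CSR contents are constructed here as a fixture; point `find_non_certificates` at the master's real signed-certificate directory to use it.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Parse one PEM file the way a certificate inventory would (as an X.509
# certificate). If that fails, check whether the file is really a CSR, the
# kind of file a stray "csr_*.pem" would be. Returns [kind, subject_or_nil].
def classify_pem(path)
  pem = File.binread(path)
  begin
    cert = OpenSSL::X509::Certificate.new(pem)
    return [:certificate, cert.subject.to_s]
  rescue OpenSSL::X509::CertificateError
    # Ruby's OpenSSL binding reports this as an ASN.1/PEM parse error;
    # fall through and try the other PEM type.
  end
  begin
    csr = OpenSSL::X509::Request.new(pem)
    return [:csr, csr.subject.to_s]
  rescue OpenSSL::X509::RequestError
    # neither a certificate nor a CSR
  end
  [:unparseable, nil]
end

# Walk a directory of *.pem files and return every file that is not a
# certificate, keyed by file name, so the culprit can be moved out of the
# way instead of regenerating the whole CA and every client certificate.
def find_non_certificates(dir)
  Dir.glob(File.join(dir, '*.pem')).sort.each_with_object({}) do |f, bad|
    kind, _subject = classify_pem(f)
    bad[File.basename(f)] = kind unless kind == :certificate
  end
end

# Constructed fixture (assumption: stands in for a Puppet ssl/certs directory):
# one valid self-signed certificate, one CSR saved with a .pem name, and one
# truncated certificate file.
def make_fixture_dir
  dir = Dir.mktmpdir('puppet-ssl-audit')
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=agent.example.com')

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(File.join(dir, 'agent.example.com.pem'), cert.to_pem)

  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = name
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(File.join(dir, 'csr_agent.example.com.pem'), csr.to_pem)

  File.write(File.join(dir, 'truncated.pem'), cert.to_pem[0, 80])
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = make_fixture_dir
  find_non_certificates(dir).each { |file, kind| puts "#{file}: #{kind}" }
  FileUtils.rm_rf(dir)
end
```

On the fixture this reports the CSR and the truncated file and stays silent about the valid certificate; on a real master, anything it lists is a candidate for the file that makes the inventory raise before the new certificate can be stored.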