Chris Phillips
2011-05-26 10:17:27 UTC
Hi,
I've rolled out an environment where func is using the puppet certs. I have
a handful of old el4 boxes and *thought* func was OK on them until I came to
use them and found that 0.24 doesn't support the puppet certs, and the
chances of upgrading the whole chain of dependencies (including python
2.3 -> 2.4) is just a no go.
So instead I commented out the attempt to hit certmaster, which
is obviously not being used, and symlinked the puppet certs to the normal
func locations. After doing this, the func daemon does start and listen, but
doesn't actually do anything with no sign of server side errors with DEBUG
enabled in the log.
It seems that it just doesn't serve the cert at all. Using openssl s_client
on it, I just get:
openssl s_client -connect hostname:51234
CONNECTED(00000003)
140144621885256:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Anyone have any ideas about any way to nudge func into life with these
alternative certs? I suppose it has to be some attribute of the certificate
as created by openssl libraries on an el6 server, being used on an el4
client, but I've not a clue what, and would doubt it's possible to change
the attributes of the certs.
Thanks
Chris
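The post suspects some attribute of the el6-generated certificate that the el4 host cannot handle. As an added example (not from the post, and not func's or puppet's code), the Python below walks the outer DER structure of a certificate and reports the signature algorithm it was signed with, which is the first attribute worth comparing between the two hosts; that this attribute is the cause is an assumption, and SAMPLE_DER/SAMPLE_PEM are a constructed certificate-shaped skeleton, not a real certificate.

```python
import base64, re

# Signature-algorithm OIDs a practitioner compares first: a legacy TLS stack may
# verify only the SHA-1 variant and abort the handshake otherwise (assumption).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def pem_to_der(text):
    """Strip PEM armour and return the raw DER certificate bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(m.group(1))

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (0x80 | byte count)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Return (oid, name) of a DER certificate's outer signatureAlgorithm."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE {
    _, _tbs, pos = _tlv(cert, 0)            #   tbsCertificate,
    _, sigalg, _ = _tlv(cert, pos)          #   signatureAlgorithm ::= SEQUENCE {OID, params},
    _, oid_bytes, _ = _tlv(sigalg, 0)       #   signatureValue BIT STRING }
    oid = _oid(oid_bytes)
    return oid, SIG_OIDS.get(oid, "unknown")

def _der(tag, value):
    """Tiny DER encoder (short-form lengths only) used to build the constructed sample."""
    return bytes([tag, len(value)]) + value
# Constructed sample: certificate-shaped skeleton, NOT a real certificate, signed "with" sha256WithRSAEncryption.
SAMPLE_DER = _der(0x30, _der(0x30, b"\x02\x01\x01")                   # placeholder tbsCertificate
             + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
             + _der(0x03, b"\x00" * 9))                               # placeholder signatureValue
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```

Run it against the cert from each host (`signature_algorithm(pem_to_der(open(path).read()))`) and compare the two results before looking at other attributes.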