There is a bug in the default puppetmaster vhost that’s included in Ubuntu-10.10’s puppetmaster-passenger package.
# puppetd --server puppet.fqdn --waitforcert 60 --no-usecacheonfailure err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert decrypt error warning: Not using cache on failed catalog err: Could not retrieve catalog; skipping run
Lucky for us this is easily fixed using the patch below.
If you have trouble copy/pasting it, here’s a direct link: apache_passenger_tlsv1.patch.
*** puppetmaster Mon Feb 21 15:25:28 2011
--- puppetmaster.new Mon Feb 21 15:25:13 2011
***************
*** 13,19 ****
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
! SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Set to require if this puppetmaster doesn't issue certificates
# to puppet clients.
# NB: this requires SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
--- 13,20 ----
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
! # default: SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
! SSLCARevocationPath /var/lib/puppet/ssl/ca/crl
# Set to require if this puppetmaster doesn't issue certificates
# to puppet clients.
# NB: this requires SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
You can apply it using:
# patch -i apache_passenger_tlsv1.patch \ /etc/apache2/sites-available/puppetmaster
I’ve already filed a bug and supplied the solution a while ago. It has been confirmed but it’s still not in the default repositories yet, which is beyond my reach.