There is a bug in the default puppetmaster vhost that's included in Ubuntu 10.10's puppetmaster-passenger package.
# puppetd --server puppet.fqdn --waitforcert 60 --no-usecacheonfailure
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert decrypt error
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
Lucky for us this is easily fixed using the patch below.
If you have trouble copy/pasting it, here’s a direct link: apache_passenger_tlsv1.patch.
*** puppetmaster Mon Feb 21 15:25:28 2011 --- puppetmaster.new Mon Feb 21 15:25:13 2011 *************** *** 13,19 **** SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. ! SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem # Set to require if this puppetmaster doesn't issue certificates # to puppet clients. # NB: this requires SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem --- 13,20 ---- SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. ! # default: SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem ! SSLCARevocationPath /var/lib/puppet/ssl/ca/crl # Set to require if this puppetmaster doesn't issue certificates # to puppet clients. # NB: this requires SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
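Review bot: the new "SSLCARevocationPath /var/lib/puppet/ssl/ca/crl" line in this hunk replaces a single CRL file with a directory, but neither the patch nor the comments it keeps say how that directory has to be populated. mod_ssl resolves CRLs in an SSLCARevocationPath directory through hashed file names (HASH.rN, as produced by c_rehash), so a directory that holds only a plain copy of ca_crl.pem, or nothing at all, is accepted at startup and simply results in no CRL ever being checked, which is exactly the disablement the retained comment ("this is not recommended") warns against. Suggest adding a comment right after the new directive, for example "# the CRL must be present here under its hashed name; re-run c_rehash whenever ca_crl.pem changes", and keeping the "# default:" line as documentation of the previous setting.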
You can apply it using:
# patch -i apache_passenger_tlsv1.patch \
    /etc/apache2/sites-available/puppetmaster
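A check worth running once the patch is in, as an added example that is not from the original post: mod_ssl reads an SSLCARevocationPath directory through hash-named files (HASH.rN, as created by c_rehash), so the function below confirms that the vhost now uses SSLCARevocationPath, that the old SSLCARevocationFile is no longer active, and that the directory actually contains such a file. The vhost path and CRL directory are the ones from the patch; the hashed file name in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post or the Ubuntu package.
# Usage: check_crl_dir /etc/apache2/sites-available/puppetmaster
# Prints what is wrong (if anything) and returns 0 only when a hashed
# CRL is in place. An SSLCARevocationPath directory without hash-named
# entries (e.g. only ca_crl.pem) is accepted by Apache at startup but
# results in no revocation checking at all, so this is worth verifying.
check_crl_dir() {
    vhost="$1"
    # Argument of the first uncommented SSLCARevocationPath directive.
    crl_dir=$(sed -n \
        's/^[[:space:]]*SSLCARevocationPath[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        "$vhost" | head -n 1)
    if [ -z "$crl_dir" ]; then
        echo "no SSLCARevocationPath in $vhost (patch not applied?)"
        return 1
    fi
    # The patch comments the old directive out; an uncommented one left
    # behind means the vhost was edited by hand and still points at a file.
    if grep -q '^[[:space:]]*SSLCARevocationFile' "$vhost"; then
        echo "SSLCARevocationFile is still active in $vhost"
        return 1
    fi
    if [ ! -d "$crl_dir" ]; then
        echo "$crl_dir does not exist"
        return 1
    fi
    # mod_ssl looks CRLs up as <8-hex-digit subject hash>.rN, e.g.
    # 3f9a1c2b.r0 (constructed sample); anything else is ignored.
    count=$(ls "$crl_dir" | grep -c '^[0-9a-f]\{8\}\.r[0-9]\{1,\}$' || true)
    if [ "$count" -eq 0 ]; then
        echo "$crl_dir holds no hash-named CRL (run c_rehash on it)"
        return 1
    fi
    echo "ok: $count hashed CRL file(s) in $crl_dir"
    return 0
}
```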
I’ve already filed a bug and supplied the solution a while ago. It has been confirmed but it’s still not in the default repositories yet, which is beyond my reach.