I inherited an old installation (0.24) that's been trouble-free until
recently, when I started getting these error messages from a single
machine:

Failed to retrieve current state of resource: Certificates were not
trusted: SSL_read:: decryption failed or bad record mac Could not
describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
decryption failed or bad record mac

I don't find evidence of a hardware problem on the machine. The next
puppet run succeeds; the problem happens once every few days. Anyone
have pointers on how to troubleshoot this or ideas on what the issue
could be?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

  • Jeff McCune at Jun 11, 2012 at 7:45 pm

    On Mon, Jun 11, 2012 at 11:34 AM, wrote:
    > I inherited an old installation (0.24) that's been trouble-free until
    > recently, when I started getting these error messages from a single
    > machine:
    >
    > Failed to retrieve current state of resource: Certificates were not
    > trusted: SSL_read:: decryption failed or bad record mac Could not
    > describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
    > decryption failed or bad record mac
    >
    > I don't find evidence of a hardware problem on the machine. The next
    > puppet run succeeds; the problem happens once every few days. Anyone
    > have pointers on how to troubleshoot this or ideas on what the issue
    > could be?

    This error is probably referring to the message authentication code
    [1], not the media access control address [2].

    How is your puppet master configured? Have any recent software
    updates changed the OpenSSL libraries on your systems?

    [1] http://en.wikipedia.org/wiki/Message_authentication_code
    [2] http://en.wikipedia.org/wiki/MAC_address

    -Jeff

  • Maillists0 at Jun 11, 2012 at 7:59 pm
    :
    > > I inherited an old installation (0.24) that's been trouble-free until
    > > recently, when I started getting these error messages from a single
    > > machine:
    > >
    > > Failed to retrieve current state of resource: Certificates were not
    > > trusted: SSL_read:: decryption failed or bad record mac Could not
    > > describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
    > > decryption failed or bad record mac
    > > --snip--
    > This error is probably referring to the message authentication code
    > [1], not the media access control address [2].
    >
    > How is your puppet master configured? Have any recent software
    > updates changed the OpenSSL libraries on your systems?
    >
    > [1] http://en.wikipedia.org/wiki/Message_authentication_code
    > [2] http://en.wikipedia.org/wiki/MAC_address
    >
    > -Jeff

    Thanks for that. I did not know about the Message Authentication Code,
    which makes sense in this case.

    Nothing has changed on these machines for years and I just verified
    that nothing has recently been updated. I'm still digging around the
    logs, nothing jumps out yet.

  • Jeff McCune at Jun 11, 2012 at 8:50 pm
    It could be your CA certificate has expired. Could you paste the output of openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?

    --
    Jeff McCune

    On Monday, June 11, 2012 at 12:59 PM, maillists0@gmail.com wrote:

    > :
    > > > I inherited an old installation (0.24) that's been trouble-free until
    > > > recently, when I started getting these error messages from a single
    > > > machine:
    > > >
    > > > Failed to retrieve current state of resource: Certificates were not
    > > > trusted: SSL_read:: decryption failed or bad record mac Could not
    > > > describe /tomcat/ROOT.xml: Certificates were not trusted: SSL_read::
    > > > decryption failed or bad record mac
    > > > --snip--
    > > This error is probably referring to the message authentication code
    > > [1], not the media access control address [2].
    > >
    > > How is your puppet master configured? Have any recent software
    > > updates changed the OpenSSL libraries on your systems?
    > >
    > > [1] http://en.wikipedia.org/wiki/Message_authentication_code
    > > [2] http://en.wikipedia.org/wiki/MAC_address
    > >
    > > -Jeff
    > Thanks for that. I did not know about the Message Authentication Code,
    > which makes sense in this case.
    >
    > Nothing has changed on these machines for years and I just verified
    > that nothing has recently been updated. I'm still digging around the
    > logs, nothing jumps out yet.

  • Maillists0 at Jun 11, 2012 at 9:10 pm

    On Mon, Jun 11, 2012 at 4:50 PM, Jeff McCune wrote:
    > It could be your CA certificate has expired. Could you paste the output of
    > openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?
    >
    > --

    Thanks, Jeff.

    Since this is a work cert I'm not gonna post the whole thing, but I
    think this is the part we're looking for, correct? If not, I'll
    sanitize and post it.

    Validity
    Not Before: Dec 27 21:38:24 2009 GMT
    Not After : Dec 26 21:38:24 2014 GMT

    It looks like it doesn't expire until 2014.

    I don't understand what would cause this to happen only occasionally
    and on one machine. Wouldn't you expect to see it consistently and
    across all machines if the cert had expired?

  • Jeff McCune at Jun 11, 2012 at 9:16 pm

    On Mon, Jun 11, 2012 at 2:10 PM, wrote:
    > On Mon, Jun 11, 2012 at 4:50 PM, Jeff McCune wrote:
    > > It could be your CA certificate has expired. Could you paste the output of
    > > openssl x509 -text -noout -in /etc/puppet/ssl/ca.pem ?
    > >
    > > --
    > Thanks, Jeff.
    >
    > Since this is a work cert I'm not gonna post the whole thing, but I
    > think this is the part we're looking for, correct? If not, I'll
    > sanitize and post it.
    >
    > Validity
    > Not Before: Dec 27 21:38:24 2009 GMT
    > Not After : Dec 26 21:38:24 2014 GMT
    >
    > It looks like it doesn't expire until 2014.
    >
    > I don't understand what would cause this to happen only occasionally
    > and on one machine. Wouldn't you expect to see it consistently and
    > across all machines if the cert had expired?

    Ah, yes. I'm not sure what the issue is then.

    Perhaps just re-issue the certificate for that one machine and see if
    that fixes the problem?

    -Jeff
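
The validity check discussed in the thread, as an added example that is not part of any post: it parses the Validity block pasted from `openssl x509 -text -noout` and classifies the window against a given clock, which gives the same answer on every run and every machine. The clock values are constructed, and `parse_validity`, `check_validity` and `warn_days` are hypothetical names.

```python
import re
from datetime import datetime, timezone

# Validity block as pasted in the thread (from `openssl x509 -text -noout`).
PASTED = """\
Validity
Not Before: Dec 27 21:38:24 2009 GMT
Not After : Dec 26 21:38:24 2014 GMT
"""

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s+GMT")


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from openssl text output."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        # openssl pads single-digit days with an extra space; collapse it.
        stamp = " ".join(stamp.split())
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block is incomplete")
    return found["Before"], found["After"]


def check_validity(text, now, warn_days=30):
    """Classify the validity window relative to `now` (an aware UTC datetime)."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid", (not_before - now).days
    if now >= not_after:
        return "expired", (now - not_after).days
    remaining = (not_after - now).days
    status = "expiring-soon" if remaining <= warn_days else "valid"
    return status, remaining


if __name__ == "__main__":
    # Constructed clock values: the day of the thread, and one just past expiry.
    for now in (datetime(2012, 6, 11, 21, 10, tzinfo=timezone.utc),
                datetime(2014, 12, 27, tzinfo=timezone.utc)):
        print(now.isoformat(), check_validity(PASTED, now))
```

The second value in each result is a whole number of days: days remaining for a valid certificate, days since expiry for an expired one.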


Discussion Overview
group: puppet-users
categories: puppet
posted: Jun 11, '12 at 6:34p
active: Jun 11, '12 at 9:16p
posts: 6
users: 2
website: puppetlabs.com
