Authentication between Puppet Server and PuppetDB fails with "dh key too small"
After puppet.lizard was upgraded to Bullseye, the Puppet Server
$ sudo openssl s_client -connect 127.0.0.1:8081 -CAfile /var/lib/puppet/ssl/ca/ca_crt.pem -cert /var/lib/puppet/ssl/certs/puppet.lizard.pem -key /var/lib/puppet/ssl/private_keys/puppet.lizard.pem -state -quiet -servername puppet.lizard
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 CN = Puppet CA: puppet.lizard
verify return:1
depth=0 CN = puppet.lizard
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL3 alert write:fatal:handshake failure
SSL_connect:error in error
140300404249920:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:
After setting CipherString = DEFAULT@SECLEVEL=1 in /etc/ssl/openssl.cnf, authentication succeeds:
$ sudo openssl s_client -connect 127.0.0.1:8081 -CAfile /var/lib/puppet/ssl/ca/ca_crt.pem -cert /var/lib/puppet/ssl/certs/puppet.lizard.pem -key /var/lib/puppet/ssl/private_keys/puppet.lizard.pem -state -quiet -servername puppet.lizard < /dev/null
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 CN = Puppet CA: puppet.lizard
verify return:1
depth=0 CN = puppet.lizard
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
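The two s_client runs above differ only in the OpenSSL security level: Bullseye's default is SECLEVEL=2, which refuses finite-field DH groups under 2048 bits, and SECLEVEL=1 accepts 1024-bit groups again. Setting that in /etc/ssl/openssl.cnf relaxes every OpenSSL consumer on the host, not just the Puppet Server. The probe below is an added example, not code from this report or from Puppet/PuppetDB; it assumes a Puppet-style PKI (the CA, certificate and key paths passed to s_client) and uses Python's ssl module, which drives the same OpenSSL library, to try the handshake at both levels inside one process and say whether the fix belongs on the server side.

```python
"""Probe a TLS endpoint for the "dh key too small" condition at two
OpenSSL security levels and report where the fix belongs.

Added example, not from the original report. Paths and host names are
the caller's; the PKI layout assumed is the Puppet one shown above.
"""
import socket
import ssl

# Smallest finite-field DH group OpenSSL accepts at each security level
# (SSL_CTX_set_security_level(3)); Debian Bullseye defaults to level 2.
MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def build_context(seclevel, cafile=None, certfile=None, keyfile=None):
    """Client context pinned to one OpenSSL security level through the
    cipher string: the same knob the openssl.cnf workaround turns for the
    whole system, scoped here to a single context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")
    if cafile:
        ctx.load_verify_locations(cafile)   # verify the server against the Puppet CA
    else:
        ctx.check_hostname = False          # probe-only mode when no CA is given
        ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # present the client certificate
    return ctx


def classify_error(exc):
    """Reduce an ssl.SSLError (or any exception carrying its text) to a tag."""
    text = f"{getattr(exc, 'reason', '') or ''} {exc}".upper()
    if "DH_KEY_TOO_SMALL" in text or "DH KEY TOO SMALL" in text:
        return "dh_key_too_small"
    if "CERTIFICATE_VERIFY_FAILED" in text:
        return "certificate_verify_failed"
    if "HANDSHAKE_FAILURE" in text:
        return "handshake_failure"
    return "other"


def probe(host, port, seclevel, servername, **pki):
    """One handshake attempt; returns a dict instead of raising so the
    caller can compare outcomes across security levels."""
    ctx = build_context(seclevel, **pki)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                name, version, _ = tls.cipher()
                return {"ok": True, "cipher": name, "version": version}
    except ssl.SSLError as exc:
        return {"ok": False, "diagnosis": classify_error(exc), "error": str(exc)}


def diagnose(results):
    """results: {seclevel: probe result} for levels 2 and 1."""
    strict, relaxed = results[2], results[1]
    if strict["ok"]:
        return "ok: server key exchange satisfies SECLEVEL=2, no workaround needed"
    if strict["diagnosis"] == "dh_key_too_small" and relaxed["ok"]:
        return (f"server offers a DH group below {MIN_DH_BITS[2]} bits; "
                f"raise the server's DH parameters to {MIN_DH_BITS[2]} bits "
                f"or prefer ECDHE instead of lowering the client to SECLEVEL=1")
    if strict["diagnosis"] == "dh_key_too_small":
        return (f"DH group rejected even at SECLEVEL=1; server parameters are "
                f"below {MIN_DH_BITS[1]} bits or another fault is present")
    return f"not a security-level issue: {strict['diagnosis']}"


if __name__ == "__main__":
    import sys
    host, port, servername = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    pki = dict(zip(("cafile", "certfile", "keyfile"), sys.argv[4:7]))
    outcome = {lvl: probe(host, port, lvl, servername, **pki) for lvl in (2, 1)}
    print(diagnose(outcome))
```

Invoked as `python3 probe.py 127.0.0.1 8081 puppet.lizard <ca_crt.pem> <client cert> <client key>`, it reproduces the report's two outcomes without touching openssl.cnf. A SECLEVEL=2 failure that succeeds at SECLEVEL=1 points at the PuppetDB side, which is serving a DH group smaller than 2048 bits; `openssl s_client` without `-quiet` shows the negotiated group size on its `Server Temp Key:` line, which is the value to confirm before choosing between a server-side parameter change and the client-side workaround.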
Edited by Zen Fu