Bug #15448

closed

OpenSSL Error: SSLv3 read client certificate A

Added by Jérôme LEBEAU almost 8 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: SSL
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Ubuntu 14.04
Foreman 1.11.2-1 (installed from package)

Bug probably related to Foreman Remote execution.

The execution of a job failed (the job stays at "running 0%"), and since then /var/log/foreman-proxy.log has been filled with this error:

E, [2016-06-16T19:57:35.447710 #17843] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client certificate A
/usr/lib/ruby/1.9.1/openssl/ssl-internal.rb:172:in `accept'
E, [2016-06-16T19:57:37.133534 #17843] ERROR -- : could not read client cert from environment
E, [2016-06-16T19:57:46.995776 #17843] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=unknown state
/usr/lib/ruby/1.9.1/openssl/ssl-internal.rb:172:in `accept'

Is it normal that ruby 1.9.1 is used here and not 2.0 ?
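A way to triage a log like the one in this report, as an added example that is not part of the original report and not Foreman code: it groups Ruby Logger entries with their backtrace lines and classifies each failed `SSL_accept` by the handshake state it reports. The function names and the result keys are assumptions made for this example; the sample input is the five log lines quoted above.

```ruby
# The five log lines quoted in the report, embedded so the script runs offline.
SAMPLE_LOG = <<~'LOG'
  E, [2016-06-16T19:57:35.447710 #17843] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client certificate A
  /usr/lib/ruby/1.9.1/openssl/ssl-internal.rb:172:in `accept'
  E, [2016-06-16T19:57:37.133534 #17843] ERROR -- : could not read client cert from environment
  E, [2016-06-16T19:57:46.995776 #17843] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=unknown state
  /usr/lib/ruby/1.9.1/openssl/ssl-internal.rb:172:in `accept'
LOG

# Ruby Logger header: "E, [<timestamp> #<pid>] ERROR -- <progname>: <message>"
HEADER = /\A[A-Z], \[(?<ts>\S+) #(?<pid>\d+)\]\s+(?<sev>[A-Z]+) -- (?<prog>[^:]*): (?<msg>.*)\z/
ACCEPT = /SSL_accept (?<kind>\w+) returned=(?<ret>\d+) errno=(?<errno>\d+) state=(?<state>.+)\z/

# Attach continuation lines (backtraces) to the log entry that precedes them.
def parse_entries(text)
  text.lines.map(&:chomp).each_with_object([]) do |line, entries|
    if (m = HEADER.match(line))
      entries << { time: m[:ts], pid: m[:pid].to_i, severity: m[:sev], message: m[:msg], trace: [] }
    elsif entries.any? && !line.strip.empty?
      entries.last[:trace] << line.strip
    end
  end
end

# returned=5 is SSL_ERROR_SYSCALL; combined with errno=0 it usually means the
# peer closed the TCP connection before the handshake completed.
def handshake_failures(entries)
  entries.map do |e|
    m = ACCEPT.match(e[:message]) or next
    { time: e[:time], state: m[:state],
      peer_closed: m[:ret] == "5" && m[:errno] == "0",
      awaiting_client_cert: !!(m[:state] =~ /read client certificate/) }
  end.compact
end

# Counts an operator can compare before and after changing the client's SSL settings.
def summarize(entries)
  fails = handshake_failures(entries)
  {
    handshake_failures: fails.size,
    peer_closed: fails.count { |f| f[:peer_closed] },
    awaiting_client_cert: fails.count { |f| f[:awaiting_client_cert] },
    missing_client_cert: entries.count { |e| e[:message].include?("could not read client cert") },
    states: fails.each_with_object(Hash.new(0)) { |f, h| h[f[:state]] += 1 },
  }
end

puts summarize(parse_entries(SAMPLE_LOG)) if __FILE__ == $PROGRAM_NAME
```

A high `awaiting_client_cert` count means connections were dropped while the proxy was waiting for the client's certificate, which narrows the check to the client certificate configuration on the calling side.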


Related issues 1 (0 open, 1 closed)

Related to Foreman Remote Execution - Bug #15459: Job is executed, but stay as "Pending" (Rejected)
Actions #1

Updated by Dominic Cleal almost 8 years ago

  • Subject changed from OpenSSL Error to OpenSSL Error: SSLv3 read client certificate A
  • Category set to SSL

My only guess is that there's no client SSL certificate being used, which should be configured in Foreman under Settings > Auth > ssl_*, assuming it's Foreman making the request. I can't see enough info here to suggest it's a bug in the smart proxy.

> Is it normal that ruby 1.9.1 is used here and not 2.0 ?

Yes, 1.9.1 is the default Ruby version on Ubuntu 14.04, it's correct.

Actions #2

Updated by Jérôme LEBEAU almost 8 years ago

I was thinking that Foreman uses Ruby 2.0, with foreman-ruby on 14.04?

In Settings > Auth > ssl_*, everything is configured. This error seems to be triggered by launching a job.

I also found that this is a known error in Ruby 1.9, and is triggered by the lack of support for TLS 1.2 in OpenSSL:
http://stackoverflow.com/questions/25814210/opensslsslsslerror-ssl-connect-syscall-returned-5-errno-0-state-sslv3-read
http://stackoverflow.com/questions/33572956/ruby-ssl-connect-syscall-returned-5-errno-0-state-unknown-state-opensslssl

Actions #3

Updated by Dominic Cleal almost 8 years ago

Jérôme LEBEAU wrote:

> I was thinking that Foreman uses Ruby 2.0, with foreman-ruby on 14.04?

Foreman does, while the smart proxy uses the default.

Actions #4

Updated by Anonymous almost 8 years ago

Smart-proxy supports TLSv1.1; at a quick glance foreman doesn't limit ssl connections to TLSv1.2 only either. Could you enable debug logging and paste everything pertaining to a failing request here please?

Actions #5

Updated by Marek Hulán almost 8 years ago

  • Related to Bug #15459: Job is executed, but stay as "Pending" added
Actions #6

Updated by Anonymous about 7 years ago

  • Status changed from New to Resolved

No reaction, closing. Also, in the meantime the proxy uses Ruby 2.0 on Ubuntu/trusty.
