HTTPS download broken again on windows #289

Closed
KZachariassen opened this issue Jul 25, 2017 · 21 comments

@KZachariassen

Hi,

I try to use archive to download Consul from: https://releases.hashicorp.com/consul/0.9.0/consul_0.9.0_windows_amd64.zip

But it fails with

```
Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed at 50:/etc/puppetlabs/code/consul/manifests/install.pp
```

I can find an old issue on this, but it was fixed.
I'm using Windows 2016.

@KZachariassen
Author

Adding allow_insecure: true works, but it's not a pretty solution.

@ElvenSpellmaker

ElvenSpellmaker commented Aug 1, 2017

I'm getting this on using http which is even more odd...

```puppet
source => "http://download.oracle.com/otn-pub/java/jce/8/${jce_filename}",
```

```
Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed at 46:/etc/puppet/modules/profile/manifests/configurations/java/jce.pp
Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed at 46:/etc/puppet/modules/profile/manifests/configurations/java/jce.pp
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Error: /Stage[main]/Profile::Configurations::Java::Jce/Archive[C:\Temp\jce_policy-8.zip]/ensure: change from absent to present failed: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed at 46:/etc/puppet/modules/profile/manifests/configurations/java/jce.pp
```

Works fine on Linux, it's just Windows that's complaining.

@nanliu
Contributor

nanliu commented Aug 2, 2017

Probably due to the age of the cacert.pem used to gloss over an old issue for Windows. Someone should spend some time to see if this is no longer needed.

In the meantime, a newer cacert.pem file is likely to fix this: https://curl.haxx.se/docs/caextract.html

@ElvenSpellmaker

@nanliu How would this affect an http link though? It shouldn't be using certs for http?

@nanliu
Contributor

nanliu commented Aug 2, 2017

@ElvenSpellmaker Probably due to a redirect to https.

@ElvenSpellmaker

@nanliu You're indeed correct. Weirdly, if you use their link as https it doesn't work. So it seems Oracle has the redirect as http only but it redirects to an https download link.

Weird, but fair enough.

```
$ curl http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip -I
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: https://edelivery.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip
Date: Wed, 02 Aug 2017 06:30:07 GMT
Connection: keep-alive
```

@ElvenSpellmaker

In my case @nanliu's PR doesn't seem to fix it, shame.

bastelfreak added a commit that referenced this issue Sep 15, 2017

@hprasad068

I'm not sure if this was fixed. Windows seems to throw this error for the latest puppet archive module version:

```
Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed at 83:C:/ProgramData/PuppetLabs/code/environments/masterless/modules/archive/manifests/nexus.pp
Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed at 83:C:/ProgramData/PuppetLabs/code/environments/masterless/modules/archive/manifests/nexus.pp
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed
```

@ElvenSpellmaker

I never found a fix for it unfortunately and had to allow_insecure for Windows machines. =|

@TraGicCode
Contributor

@hprasad068 Please provide the code you are using so I can debug this.

@ElvenSpellmaker Can you provide a new URL where you had to use allow_insecure? I can debug this as well.

@hprasad068

@TraGicCode Below is the puppet snippet that fetches the zip file from Nexus Repository:

```puppet
{
  # "\\" keeps a literal backslash; "\$" would stop ${archive_name} from interpolating
  archive::nexus{ "${temp_directory}\\${archive_name}.zip":
    url        => $nexus,
    gav        => 'XXX:Binaries:1.7.0',
    repository => 'Dev',
    packaging  => 'zip',
    extract    => false,
    #allow_insecure => true,
  }->
```

I had a similar issue on Linux as well, but that got resolved when I used an environment variable SSL_CERT_FILE with cacert.pem. We are not sure what needs to be changed on Windows or where the cacert.pem needs to be put. We tried with the latest cacert.pem under \lib\puppet_x\bodeco but the error still appears for Windows.

@TraGicCode
Contributor

TraGicCode commented Mar 22, 2018

So there are 2 options:

1.) Set the same environment variable on Windows. You can put the cacert.pem wherever you want.

2.) The cacert.pem that is vendored with this module probably just needs updating since it’s 8 months old. I can create a branch in a fork with the latest pem and if it works for you I can create a PR for it to get merged in and cut a new release. Using this approach you don’t have to worry about setting the SSL_CERT_FILE env variable and the module will use the vendored one when the env variable isn't configured.
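
Added example (not part of the thread and not the puppet-archive module's code): a Ruby sketch of why a stale CA bundle produces `certificate verify failed`, and of the selection order described above, where `SSL_CERT_FILE` overrides the vendored file. The helper names, the vendored path, and the two throwaway roots and server certificate are all constructed for illustration.

```ruby
require 'openssl'

# SSL_CERT_FILE wins; otherwise fall back to the vendored bundle
# (the vendored path passed in is an assumption for this example).
def ca_bundle_path(env, vendored)
  path = env['SSL_CERT_FILE'].to_s
  path.empty? ? vendored : path
end

# Verify a server certificate against a PEM bundle; returns [ok, reason].
def verify_against(bundle_pem, cert)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Build a throwaway certificate (constructed test data, not a real CA).
# Without an issuer the certificate is a self-signed root.
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(
    ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

OLD_KEY, NEW_KEY, SRV_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
OLD_ROOT = make_cert('Constructed Old Root', OLD_KEY)
NEW_ROOT = make_cert('Constructed New Root', NEW_KEY)
SERVER   = make_cert('download.example.test', SRV_KEY, NEW_ROOT, NEW_KEY)

STALE_BUNDLE = OLD_ROOT.to_pem                    # bundle that predates the new root
FRESH_BUNDLE = OLD_ROOT.to_pem + NEW_ROOT.to_pem  # refreshed bundle

puts verify_against(STALE_BUNDLE, SERVER).inspect
puts verify_against(FRESH_BUNDLE, SERVER).inspect
puts ca_bundle_path({ 'SSL_CERT_FILE' => 'C:\certs\cacert.pem' }, 'vendored/cacert.pem')
```

Running the same `verify_against` check with the real bundle and the server's actual certificate chain shows whether the trust store is the failing piece before anyone reaches for `allow_insecure`.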

@hprasad068

@TraGicCode I tried both the options last week and it didn't resolve it. That's probably the reason I wanted to make sure if it worked for others.

This is what we did:
1) We took the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem, created the environment variable SSL_CERT_FILE and did a puppet apply ==> still same error
2) Copied the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem to \lib\puppet_x\bodeco and did puppet apply ==> still same error

@TraGicCode
Contributor

Can you do a puppet run with a --debug and paste the output here?

@TraGicCode
Contributor

I also noticed you said apply. Are you running in master agent mode or masterless?

@hprasad068

@TraGicCode We are running in masterless mode.

The error message I gave in my initial request was taken from debug mode only. There were a lot of other messages other than that which I don't think we'll be able to put in here due to the size. Do we have to look into anything specifically?

@ElvenSpellmaker

It's the same url as shown above, an extract of our jce profile is below:

```puppet
archive { $archive_path:
  ensure          => present,
  allow_insecure  => $allow_insecure,
  extract         => true,
  source          => "http://download.oracle.com/otn-pub/java/jce/8/${jce_filename}",
  cookie          => 'oraclelicense=accept-securebackup-cookie',
  extract_path    => $security_dir,
  extract_command => $extract_command,
  creates         => "${security_dir}/README.txt",
  cleanup         => true,
  user            => 'root',
  group           => 'root',
}
```

Where the filename is $jce_filename = 'jce_policy-8.zip'

This works fine on Linux but not on Windows. The cookie is needed else you'll be redirected elsewhere.
As far as I can tell the http link redirects to an https link which in turn redirects to another http link. (Isn't it bad that Oracle are serving files via http and no SHA hashes either? For a crypto package that's really poor.)

@TraGicCode
Contributor

Hey @ElvenSpellmaker This worked perfectly for me. Am I missing something?

```puppet
archive { 'c:\test\jce_policy-8.zip':
  ensure          => present,
  allow_insecure  => false,
  extract         => true,
  source          => "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip",
  cookie          => 'oraclelicense=accept-securebackup-cookie',
  extract_path    => 'C:\\test-extract',
  # extract_command => $extract_command,
  creates         => "C:\\test-extract\\UnlimitedJCEPolicyJDK8\\README.txt",
  cleanup         => true,
  # user            => 'root',
  # group           => 'root',
}
```

@TraGicCode
Contributor

@hprasad068 Are you able to paste your puppet snippet?

@TraGicCode
Contributor

@ElvenSpellmaker @hprasad068 Just let me know if this issue is resolved so I can close this. Thanks!

@TraGicCode
Contributor

Closing this for now for lack of response and being unable to reproduce.

cegeka-jenkins pushed a commit to cegeka/puppet-archive that referenced this issue Mar 26, 2021