Issue #3169 has been updated by Markus Roberts.

Assigned to changed from Markus Roberts to Nick Lewis


----------------------------------------
Feature #3169: Add more debugging to SSL Cert verification
http://projects.puppetlabs.com/issues/3169

Author: Nicholas Veeser
Status: Accepted
Priority: Normal
Assigned to: Nick Lewis
Category: SSL
Target version: 2.6
Affected version: 0.25.3
Keywords: 
Branch: 


I spent several days on this.
OpenSSL is not very informative when the certificate verification fails during SSL negotiation.

The error I was getting back was:

err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed

To understand what was really happening I dug around and ended up adding the following in puppet/network/http_pool.rb:

<pre>
Puppet::Network::HttpPool
   ...
    def self.cert_setup(http)
        # Just no-op if we don't have certs.                                    
                                                                                
                             
        return false unless FileTest.exist?(Puppet[:hostcert]) and 
FileTest.exist?(Puppet[:localcacert])

        http.cert_store = ssl_host.ssl_store
        http.ca_file = Puppet[:localcacert]
        http.cert = ssl_host.certificate.content
        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
        http.key = ssl_host.key.content
+        if Puppet[:debug]
+            http.verify_callback = self.method(:ssl_verify_callback).to_proc   
             
+        end
+    end
+
+    def self.ssl_verify_callback(peer_ok, x509_store_ctx) 
+        if not peer_ok
+            Puppet.debug "OpenSSL: Error(#{x509_store_ctx.error}): 
#{x509_store_ctx.error_string}" 
+            Puppet.debug "OpenSSL: Cert: 
#{x509_store_ctx.current_cert.issuer}"                                        
+            Puppet.debug "OpenSSL: Current CRL: #{x509_store_ctx.current_crl}"
+            Puppet.debug "OpenSSL: Chain:"
+            x509_store_ctx.chain.each_index { |i| Puppet.debug "OpenSSL: 
\t#{i} #{x509_store_ctx.chain[i].issuer}" }
+        end
+        peer_ok
     end
</pre>
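Review bot: in ssl_verify_callback the "OpenSSL: Cert:" line logs only current_cert.issuer, which does not identify the certificate that actually failed; log x509_store_ctx.current_cert.subject and x509_store_ctx.error_depth as well, e.g. `Puppet.debug "OpenSSL: Cert(depth #{x509_store_ctx.error_depth}): #{x509_store_ctx.current_cert.subject}"`, so the log shows which link of the chain OpenSSL rejected and at what depth. Ending the callback with `peer_ok` is correct and worth a comment: the callback's return value is the verification result OpenSSL uses, so it must hand back peer_ok unchanged and stay purely observational. Minor style: `if not peer_ok` reads more idiomatically as `unless peer_ok`.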


This gave more detailed information (i.e. the CRL was missing).
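A stand-alone illustration of the same verify_callback diagnostic pattern, added here and not code from the ticket or from Puppet: a CA, a leaf it signed and an unrelated CA are constructed in memory, the leaf is verified against each, and the callback records OpenSSL's error code, reason, depth and the failing certificate's subject without changing the verification result.

```ruby
require 'openssl'

# Constructed fixtures (not from the ticket): build a CA or leaf certificate in
# memory so the example runs offline. Self-signed when no issuer is given.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `leaf` against the `trusted` CA certs, recording what OpenSSL reports
# whenever a step fails. The callback hands preverify_ok back unchanged, so the
# logging is purely observational and cannot turn a failure into a pass.
def verify_with_diagnostics(leaf, trusted)
  log = []
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.verify_callback = proc do |preverify_ok, ctx|
    unless preverify_ok
      log << { depth: ctx.error_depth, code: ctx.error, reason: ctx.error_string,
               subject: ctx.current_cert.subject.to_s,
               issuer: ctx.current_cert.issuer.to_s }
    end
    preverify_ok
  end
  { ok: store.verify(leaf), diagnostics: log }
end

# Same leaf, verified once against the CA that signed it and once against an
# unrelated CA, to show the extra detail the callback surfaces on failure.
def demo
  ca_key, leaf_key, other_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert('/CN=Example CA', ca_key, ca: true)
  leaf = make_cert('/CN=agent.example', leaf_key, issuer_cert: ca, issuer_key: ca_key)
  other_ca = make_cert('/CN=Other CA', other_key, ca: true)
  { trusted: verify_with_diagnostics(leaf, [ca]),
    untrusted: verify_with_diagnostics(leaf, [other_ca]) }
end

demo[:untrusted][:diagnostics].each do |d|
  puts "depth=#{d[:depth]} error(#{d[:code]}): #{d[:reason]} for #{d[:subject]}"
end
```

Against the unrelated CA the callback reports error 20, "unable to get local issuer certificate", at depth 0 for the leaf, which is the detail the bare "certificate verify failed" message hides.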

