Issue #3770 has been updated by Dustin Mitchell.

There's a good bit of context missing in this bug report.  One problem is that 
the OpenSSL error code isn't returned -- "certificate verify failed" usually 
comes with a code.  I'll submit a patch on another bug to fix that, as it's 
within my nascent Ruby skills.

I suspect that the problem here is either that the server wasn't configured to 
send the intermediate certificates (to my knowledge, the WebBRICK server can't 
do this; Apache can, but needs some config); or the client was trying to verify 
CRLs, which puppet agent (still) doesn't support (Bug #14550).  However, I see 
a related issue here in Bug #3640.  By disabling CRLs on the client, this can 
be made to work.
----------------------------------------
Bug #3770: Puppet SSL verification is broken with multiple chained certificates
https://projects.puppetlabs.com/issues/3770#change-63125

Author: Ohad Levy
Status: Accepted
Priority: Normal
Assignee: 
Category: SSL
Target version: 3.X
Affected Puppet version: 
Keywords: 
Branch: 


Hi,

It seems that 0.25.x SSL is broken when using a chained CA.

I'm attaching a simple script (and output) showing that using simple net/https 
works, while using puppet internally does not.

It doesn't seem to be related to the SSL initialization itself, but rather to 
something else.

h2. example script

<pre>
require 'net/https'
require 'puppet/network/http_pool'

# Target master and the request both clients will make.
args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"

# 1. Puppet's own HTTP pool: fails with "certificate verify failed".
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end

# 2. Plain net/https with the same key, cert and local CA file: works.
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]

puts http.get url, header
</pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
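Added example, not part of this ticket or of Puppet's code: the Ruby script below builds a throwaway root / intermediate / leaf chain in memory and reproduces the two failure modes Dustin Mitchell suspects (the server not sending its intermediate, and the client insisting on CRL checks it has no CRL for), using the same OpenSSL::X509::Store class that Ohad's script assigns to cert_store. It returns the numeric OpenSSL verify code alongside the "certificate verify failed"-style message, which is the detail missing from the output above. All certificate names, keys and the helper names (make_cert, verify_chain, verify_with_trace) are constructed for the example.

```ruby
require 'openssl'

# Build one X.509v3 certificate. Constructed test data only; nothing here
# touches a real Puppet CA. `issuer_cert`/`issuer_key` are nil for a self-signed root.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3 (zero-based)
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment',
                                         true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Three-level chain: root CA -> intermediate CA -> server leaf ("puppet").
ROOT_KEY  = OpenSSL::PKey::RSA.new(2048)
INTER_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
ROOT  = make_cert('/CN=Example Root CA',         nil,   nil,       ROOT_KEY,  1, ca: true)
INTER = make_cert('/CN=Example Intermediate CA', ROOT,  ROOT_KEY,  INTER_KEY, 2, ca: true)
LEAF  = make_cert('/CN=puppet',                  INTER, INTER_KEY, LEAF_KEY,  3, ca: false)

# Verify `leaf` against a store that trusts only `root`. `chain` is whatever the
# server sent along with its certificate (nil when it sent no intermediates).
# Returns [ok, code, message] so the numeric OpenSSL verify error is not lost.
def verify_chain(leaf, chain, root, check_crl: false)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  # A client that demands CRLs for every cert in the chain, with none loaded.
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL if check_crl
  ok = store.verify(leaf, chain)
  [ok, store.error, store.error_string]
end

# Same check, but record every callback failure as [depth, code, message],
# which is what a client would want to log instead of a bare "verify failed".
def verify_with_trace(leaf, chain, root)
  failures = []
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  ok = store.verify(leaf, chain) do |preverify_ok, ctx|
    failures << [ctx.error_depth, ctx.error, ctx.error_string] unless preverify_ok
    preverify_ok
  end
  [ok, failures]
end

if $PROGRAM_NAME == __FILE__
  puts "intermediate sent:      %p" % [verify_chain(LEAF, [INTER], ROOT)]          # [true, 0, "ok"]
  puts "intermediate missing:   %p" % [verify_chain(LEAF, nil, ROOT)]              # code 20
  puts "CRL check, no CRL:      %p" % [verify_chain(LEAF, [INTER], ROOT, check_crl: true)]  # code 3
  puts "trace, missing issuer:  %p" % [verify_with_trace(LEAF, nil, ROOT)]
end
```

Code 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate"), the signature of a server that omits its intermediate; code 3 is X509_V_ERR_UNABLE_TO_GET_CRL ("unable to get certificate CRL"), the signature of a client that enforces CRL checking without a CRL. Either one shows up to Net::HTTP only as "certificate verify failed" unless the code is read back from the store or the verify callback, as above.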

