Found out the error. Both the master and client were showing the same
time. But they happened to be in different time zones. AHH!

On Dec 8, 1:19 pm, Kikanny <[email protected]> wrote:
> Hi Nan
>
> Thanks for your response. I tried that. But it says that everything is
> okay. I get "verify return 1" instead of saying why there is a
> verification error....
>
> On Dec 8, 10:54 am, Nan Liu <[email protected]> wrote:
>
> > On Wed, Dec 8, 2010 at 6:20 AM, Kikanny <[email protected]> wrote:
> > > So there is something wrong with the date of the certificate. When I
> > > do "openssl x509 -text -noout -in /etc/puppet/ssl/certs/client.pem |
> > > grep -A2 Validity", I get:
>
> > > Validity
> > > Not Before: Dec 7 14:08:10 2010 GMT
> > > Not After : Dec 6 14:08:10 2015 GMT
>
> > > However, the current date of the client is Dec 8 which is well within
> > > the valid range. The date is also the same as master server. But when
> > > I change the date of the client to Dec 9, everything works fine and I
> > > don't get that certificate verify failed error anymore. This is
> > > baffling! Any idea how to fix this? Thanks!
>
> > Let's use openssl to debug this and see if we can get a better error
> > message indicating why the cert is rejected. In the command below,
> > replace the certs and CA with the appropriate paths on your system:
>
> > openssl s_client -host puppet -port 8140 -cert
> > /var/lib/puppet/ssl/certs/puppet.training.pem -key
> > /var/lib/puppet/ssl/private_keys/puppet.training.pem -CAfile
> > /var/lib/puppet/ssl/certs/ca.pem
>
> > A successful connection:
> > CONNECTED(00000003)
> > depth=1 /CN=puppet.training
> > verify return:1
> > depth=0 /CN=puppet.training
> > verify return:1
> > ...
>
> > Here, I intentionally set the system time to 2009 and the error
> > message shows why the cert was rejected.
> > CONNECTED(00000003)
> > depth=1 /CN=puppet.training
> > verify error:num=9:certificate is not yet valid
> > notBefore=Sep 20 08:01:21 2010 GMT
> > verify return:0
>
> > Hope this helps. Thanks,
>
> > Nan
>
>
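
The root cause reported at the top of this thread (identical displayed times, different time zones) can be checked by converting each host's displayed time to UTC before comparing it with the certificate's GMT validity window. The following is an added example, not part of the original thread: the Validity block reuses the dates quoted above, while the wall-clock values, the UTC offsets and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: Validity block as printed by `openssl x509 -text`,
# using the dates quoted in the thread.
SAMPLE_VALIDITY = """\
        Validity
            Not Before: Dec  7 14:08:10 2010 GMT
            Not After : Dec  6 14:08:10 2015 GMT
"""

def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    bounds = []
    for label in ("Not Before", "Not After"):
        m = re.search(rf"{label}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
        if m is None:
            raise ValueError(f"missing {label!r} line")
        parsed = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
        bounds.append(parsed.replace(tzinfo=timezone.utc))
    return tuple(bounds)

def to_utc(wall_clock, utc_offset_hours):
    """Interpret a displayed local time in a zone with the given UTC offset."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
    return local.astimezone(timezone.utc)

def validity_status(now_utc, not_before, not_after):
    """Classify an instant against the certificate's validity window."""
    if now_utc < not_before:
        return "not yet valid"
    if now_utc > not_after:
        return "expired"
    return "valid"

if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_VALIDITY)
    # Constructed scenario: both hosts display the same wall-clock time
    # but are configured with different zones (offsets are assumptions).
    for host, offset in (("master", 0), ("client", 5)):
        now = to_utc("2010-12-07 15:00:00", offset)
        print(host, now.isoformat(), validity_status(now, nb, na))
```

On real hosts, comparing the output of `date -u` on the master and the client exposes the same mismatch directly.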
