I think this is fixed now; I used openssl s_client and whereas it used to have:
--- Certificate chain 0 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA 1 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA 2 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA It now says Certificate chain 0 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA On Monday, March 24, 2014 11:50:16 AM UTC-7, Eric Sorenson wrote: > > Thanks for pointing this out, I've raised an internal ticket with the > operations team and will update this thread when I hear back. > > --eric0 > > On Monday, March 24, 2014 7:10:09 AM UTC-7, Christopher Orr wrote: >> >> Hi all, >> >> I just noticed that some of my servers are having trouble while running >> `apt-get update`, apparently due to TLS issues with apt.puppetlabs.com. >> >> `apt-get update` returns: >> W: Failed to fetch >> https://apt.puppetlabs.com/dists/lucid/main/source/Sources.gz server >> certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt >> CRLfile: none >> >> However, I can access https://apt.puppetlabs.com fine via curl or >> Chrome, and the relevant root certificate is indeed in >> /etc/ssl/certs/ca-certificates.crt. >> But on closer inspection, it seems that the certificate chain returned >> when connecting to apt.puppetlabs.com contains two copies of the *. >> puppetlabs.com certificate as the first two links in the chain. >> >> I imagine it's possible that certain clients reject this as invalid. >> Has anybody else noticed this behaviour? >> >> In the meantime, I see that newer "puppetlabs-release-*.deb" packages use >> http://apt.puppetlabs.com (i.e. no https://), so I guess I have some >> apt-sources updating to do... >> >> Regards, >> Chris >> > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/6920890c-b114-4b19-9fbc-b15488fb41a0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
