Thanks. I just checked, and `apt-get update` is now working again as expected.
-Chris On Monday, 24 March 2014 23:06:01 UTC+1, Eric Sorenson wrote: > > I think this is fixed now; I used openssl s_client and whereas it used to > have: > > --- > Certificate chain > 0 > s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet > > Labs, Inc./CN=*.puppetlabs.com > i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA > 1 > s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet > > Labs, Inc./CN=*.puppetlabs.com > i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA > 2 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > > It now says > > > Certificate chain > 0 > s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet > > Labs, Inc./CN=*.puppetlabs.com > i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA > 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > > On Monday, March 24, 2014 11:50:16 AM UTC-7, Eric Sorenson wrote: >> >> Thanks for pointing this out, I've raised an internal ticket with the >> operations team and will update this thread when I hear back. >> >> --eric0 >> >> On Monday, March 24, 2014 7:10:09 AM UTC-7, Christopher Orr wrote: >>> >>> Hi all, >>> >>> I just noticed that some of my servers are having trouble while running >>> `apt-get update`, apparently due to TLS issues with apt.puppetlabs.com. >>> >>> `apt-get update` returns: >>> W: Failed to fetch >>> https://apt.puppetlabs.com/dists/lucid/main/source/Sources.gz server >>> certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt >>> CRLfile: none >>> >>> However, I can access https://apt.puppetlabs.com fine via curl or >>> Chrome, and the relevant root certificate is indeed in >>> /etc/ssl/certs/ca-certificates.crt. >>> But on closer inspection, it seems that the certificate chain returned >>> when connecting to apt.puppetlabs.com contains two copies of the *. >>> puppetlabs.com certificate as the first two links in the chain. >>> >>> I imagine it's possible that certain clients reject this as invalid. >>> Has anybody else noticed this behaviour? >>> >>> In the meantime, I see that newer "puppetlabs-release-*.deb" packages >>> use http://apt.puppetlabs.com (i.e. no https://), so I guess I have >>> some apt-sources updating to do... >>> >>> Regards, >>> Chris >>> >> -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/0a0fc08c-98e3-4753-9fb1-36ee5187c768%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
