Both of you may need the ca-certificates rpm. When I unpack this I can verify the cert on the other end:
$ pwd
/tmp/zz
$ rpm2cpio ~/files/downloads/ca-certificates-2013.1.94-65.0.el6.noarch.rpm | cpio -id

Then this gives me "Verify return code: 0 (ok)" (faking the directory since it's a Debian host):

openssl s_client -CApath /tmp/zz/etc/pki/tls/certs -showcerts -connect forgeapi.puppetlabs.com:443

Then when you install the ca-certificates rpm you would:

openssl s_client -CApath /etc/pki/tls/certs -showcerts -connect forgeapi.puppetlabs.com:443

I'm testing this on a Debian host, hence no ca-certificates rpm available the usual way.

If that doesn't work, also check your server time; SSL issues are often symptoms of unsync'ed clocks.

On Tue, Aug 19, 2014 at 11:20:15AM -0700, RITU JAIN wrote:
> Hi Rafael,
> Did you find an answer to this question? I am facing the same issue.
> Regards,
> Ritu
>
> On Tuesday, July 1, 2014 8:58:39 PM UTC-4, triceras wrote:
>
> Hi All,
> Has anyone ever experienced any ssl certificate problems when trying
> to download a puppet module from https://forgeapi.puppetlabs.com ?
>
> [root@hx689 httpd]# puppet module search ssh
> Notice: Searching https://forgeapi.puppetlabs.com ...
> Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com
> Unable to verify the SSL certificate
> The certificate may not be signed by a valid CA
> The CA bundle included with OpenSSL may not be valid or up to date
> Error: Try 'puppet help module search' for usage
>
> I have installed Puppet open source version 3.6.2 on RHEL 6.5. When I
> tried to curl the URL I am getting the following:
>
> [root@hx689 httpd]# curl https://forgeapi.puppetlabs.com
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
> curl performs SSL certificate verification by default, using a
> "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Any help is really appreciated.
> Best Regards,
> Rafael
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/32dae128-856a-4316-b3cd-e944ed4faa38%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
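
The reply above points at two causes: a missing CA store and an unsynced clock. The following is an added example, not part of the original message, that reads the "Verify return code" line from openssl s_client output and says which of the two to look at first. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage `openssl s_client` output into the two causes raised
# in this thread. Function names and the sample text are constructed.

# Print the last "Verify return code" number found on stdin (empty if none).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Map an OpenSSL verify code to the likely cause.
diagnose() {
    case "$1" in
        0)        echo "ok" ;;
        9|10)     echo "clock" ;;     # not yet valid / expired: check date and NTP first
        19|20|21) echo "ca-store" ;;  # issuer not trusted or not found: check ca-certificates
        "")       echo "no-result" ;; # no verify line: connection or handshake failed earlier
        *)        echo "other" ;;
    esac
}

# Constructed tail of s_client output from a host without a usable CA store.
SAMPLE_MISSING_CA='    Start Time: 1408473939
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Constructed tail from a host whose clock is set before the cert's notBefore.
SAMPLE_BAD_CLOCK='    Verify return code: 9 (certificate is not yet valid)
---'

triage() {  # stdin: s_client output; stdout: "<code> <cause>"
    code=$(verify_code)
    echo "${code:-none} $(diagnose "$code")"
}

printf '%s\n' "$SAMPLE_MISSING_CA" | triage
printf '%s\n' "$SAMPLE_BAD_CLOCK"  | triage

# Live use, with the CApath from the thread:
#   openssl s_client -CApath /etc/pki/tls/certs -connect forgeapi.puppetlabs.com:443 \
#       </dev/null 2>/dev/null | triage
```

A code of 10 can also mean the server certificate really has expired, so compare the local date against the certificate's validity dates before changing anything.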
