How to solve the CA bundle included with OpenSSL may not be valid or up to date issue while trying to install a Puppet module

certificateopensslpuppet

Trying to fetch a module, I have the following output

Notice: Preparing to install into /usr/local/etc/puppet/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com
  Unable to verify the SSL certificate
    The certificate may not be signed by a valid CA
    The CA bundle included with OpenSSL may not be valid or up to date

But my /etc/ssl/cert.pem is linked correctly, and the package ca_root_nss-3.16.3 is up to date. Is there any information I can get from Puppet about how to proceed with diagnosing this? Maybe it's looking in the wrong location?

Best Answer

I suppose I should be explicit about my solution. Following Felix Frank's advice to use strace (ktrace in FreeBSD), I performed

ktrace -d puppet module install puppetlabs/apache

the -d flag just being there in case child processes were involved. Then, to recover the trace in a human readable format,

kdump | less

which revealed among other things the following bit

 84579 ruby19   CALL  open(0x804453968,0,0x1b6)
 84579 ruby19   NAMI  "/usr/local/openssl/cert.pem"
 84579 ruby19   RET   open -1 errno 2 No such file or directory

It isn't clear to me yet whether my system is just incorrectly configured, and that cert.pem was supposed to be there; or whether some other issue is at play. Either way, it fixed the immediate problem of not being able to install the module.

Related Solutions

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

Ssl – Openssl error 19: “Self signed certificate in certificate chain” when keyed by GoDaddy

If whynopadlock.com and ssltest.net complain about the certificate while ssllabs.com say that things are fine, check your virtual hosts configuration. SSLLabs.com supports SNI while whynopadlock.com, ssltest.net and older versions of IE do not.

When SNI is not supported by the client, no server name will be available to the webserver which will then fallback to the first matching virtualhost. Perhaps you have another virtualhost for testing purposes that takes precedence over your main website.

The solution is to change this order or use a dedicated IP address for this host.

Best Answer

Related Solutions

SSL Error: self signed certificate in certificate chain

Ssl – Openssl error 19: “Self signed certificate in certificate chain” when keyed by GoDaddy

Related Topic