Broken certificate chain on apt.puppetlabs.com?


Christopher Orr

Mar 24, 2014, 10:10:09 AM
to puppet...@googlegroups.com
Hi all,

I just noticed that some of my servers are having trouble while running `apt-get update`, apparently due to TLS issues with apt.puppetlabs.com.

`apt-get update` returns:
W: Failed to fetch https://apt.puppetlabs.com/dists/lucid/main/source/Sources.gz  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

However, I can access https://apt.puppetlabs.com fine via curl or Chrome, and the relevant root certificate is indeed in /etc/ssl/certs/ca-certificates.crt.
But on closer inspection, it seems that the certificate chain returned when connecting to apt.puppetlabs.com contains two copies of the *.puppetlabs.com certificate as the first two links in the chain.

I imagine it's possible that certain clients reject this as invalid.
Has anybody else noticed this behaviour?

In the meantime, I see that newer "puppetlabs-release-*.deb" packages use http://apt.puppetlabs.com (i.e. no https://), so I guess I have some apt-sources updating to do...

Regards,
Chris

Eric Sorenson

Mar 24, 2014, 2:50:16 PM
to puppet...@googlegroups.com
Thanks for pointing this out, I've raised an internal ticket with the operations team and will update this thread when I hear back.

--eric0

Eric Sorenson

Mar 24, 2014, 6:06:01 PM
to puppet...@googlegroups.com
I think this is fixed now; I used openssl s_client and whereas it used to have:

---
Certificate chain
 0 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 2 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

It now says:

Certificate chain
 0 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
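To catch this kind of misconfiguration before clients start failing, here is an added checker (not from the thread or from Puppet Labs) that parses the "Certificate chain" section of `openssl s_client` output, flags certificates sent twice, and verifies that each certificate's issuer is the subject of the next one in the order the server sent them. The sample text below is constructed to mirror the before and after chains quoted above, with the leaf's serialNumber replaced by a placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample mirroring the broken chain from the thread: the leaf
# certificate is sent twice before the intermediate. serialNumber is a placeholder.
BROKEN_CHAIN = """\
Certificate chain
 0 s:/serialNumber=PLACEHOLDER/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/serialNumber=PLACEHOLDER/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 2 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
"""

# Constructed sample mirroring the corrected chain: leaf, then intermediate.
FIXED_CHAIN = """\
Certificate chain
 0 s:/serialNumber=PLACEHOLDER/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
"""


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", s_client_output, re.MULTILINE)
    return [(subj.strip(), iss.strip()) for subj, iss in pairs]


def chain_problems(chain: List[Tuple[str, str]]) -> List[str]:
    """Report duplicated certificates and broken subject/issuer links.

    Comparison is on the DN strings as printed by s_client; it does not
    check signatures, only the ordering and linkage of what was sent.
    """
    problems: List[str] = []
    seen = set()
    for idx, (subj, iss) in enumerate(chain):
        if (subj, iss) in seen:
            problems.append(f"cert {idx} duplicates an earlier certificate: {subj}")
        seen.add((subj, iss))
        if idx + 1 < len(chain) and iss != chain[idx + 1][0]:
            problems.append(
                f"cert {idx} issuer {iss!r} is not the subject of cert {idx + 1}"
            )
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, chain_problems(parse_chain(text)) or "chain ok")
```

Clients differ in how strictly they require the chain to be sent in order, so a chain that one verifier accepts by searching its trust store can still be rejected by another, which is consistent with curl and Chrome succeeding while apt failed.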

Christopher Orr

Mar 25, 2014, 7:15:32 PM
to puppet...@googlegroups.com
Thanks. I just checked, and `apt-get update` is now working again as expected.

-Chris