Could not connect via HTTPS to https://forgeapi.puppetlabs.com when downloading a module

triceras

Jul 1, 2014, 8:58:39 PM
to puppet...@googlegroups.com
Hi All,

  Has anyone ever experienced any SSL certificate problems when trying to download a puppet module from https://forgeapi.puppetlabs.com ?

  [root@hx689 httpd]# puppet module search ssh
Notice: Searching https://forgeapi.puppetlabs.com ...
Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com
  Unable to verify the SSL certificate
    The certificate may not be signed by a valid CA
    The CA bundle included with OpenSSL may not be valid or up to date
Error: Try 'puppet help module search' for usage

  I have installed Puppet open source version 3.6.2 on RHEL 6.5. When I tried to curl the URL I am getting the following:
 

[root@hx689 httpd]# curl https://forgeapi.puppetlabs.com
curl: (60) Peer certificate cannot be authenticated with known CA certificates

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Any help is really appreciated.

Best Regards,

Rafael


RITU JAIN

Aug 19, 2014, 2:20:15 PM
to puppet...@googlegroups.com
Hi Rafael,

Did you find an answer to this question? I am facing the same issue.

Regards,
Ritu

Christopher Wood

Aug 19, 2014, 2:46:03 PM
to puppet...@googlegroups.com
Both of you may need the ca-certificates rpm. When I unpack this I can verify the cert on the other end:

$ pwd
/tmp/zz
$ rpm2cpio ~/files/downloads/ca-certificates-2013.1.94-65.0.el6.noarch.rpm | cpio -id

Then this gives me "Verify return code: 0 (ok)" (faking the directory since it's a Debian host):

openssl s_client -CApath /tmp/zz/etc/pki/tls/certs -showcerts -connect forgeapi.puppetlabs.com:443

Then when you install the ca-certificates rpm you would:

openssl s_client -CApath /etc/pki/tls/certs -showcerts -connect forgeapi.puppetlabs.com:443

I'm testing this on a Debian host hence no ca-certificates rpm available the usual way.

If that doesn't work, also check your server time; SSL issues are often symptoms of unsynced clocks.

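
A way to script the check described in the reply above, as an added example that is not part of the original thread: it reads the "Verify return code" line from `openssl s_client` output and maps it to the two causes raised there, a missing or stale CA bundle or a wrong system clock. The function names and the sample output are constructed for illustration; `/etc/pki/tls/certs` is the path used in the reply.

```shell
#!/bin/sh
# Added example: triage the "Verify return code" printed by `openssl s_client`.

# Constructed sample of a failing handshake (not captured from a real host).
SAMPLE_OUTPUT='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'

# Read s_client output on stdin, print the numeric verify code.
# Newer OpenSSL builds may print the line more than once; keep the last.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Map an X.509 verify code to the cause to investigate first.
diagnose() {
    case "$1" in
        0)          echo "ok" ;;
        2|19|20|21) echo "ca-bundle" ;;              # issuer missing from local trust store
        9)          echo "clock-behind" ;;           # certificate is not yet valid
        10)         echo "expired-or-clock-ahead" ;; # certificate has expired
        "")         echo "no-result" ;;              # no handshake or no verify line
        *)          echo "other:$1" ;;
    esac
}

# Combine the two steps for output arriving on stdin.
diagnose_output() {
    diagnose "$(verify_code)"
}

# Live check (needs network); capath defaults to the RHEL path from the reply.
check_host() {
    openssl s_client -CApath "${2:-/etc/pki/tls/certs}" \
        -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | diagnose_output
}

printf '%s\n' "$SAMPLE_OUTPUT" | diagnose_output   # constructed input, runs offline
```

Run `check_host forgeapi.puppetlabs.com` on the affected machine: a `ca-bundle` result points at installing or updating the ca-certificates package, and either clock result at checking the system time.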