Revision history

Revision 1 (initial version)

We just experienced a brief issue with the wrong SSL private key being used on the forge; this should have been resolved. Are you still having issues?

Revision 2: Updates for installing the GeoTrust CA certificate.

If you're seeing this error, this probably means that your system CA certificate bundle is missing or out of date. The forge.puppetlabs.com certificate is signed by the GeoTrust CA, so that CA certificate has to be part of the system certificate bundle (/etc/ssl/certs on Debian based distributions, /etc/pki/tls/certs on Redhat based distributions).

If you're seeing this error, the first thing you should probably do is update your system certificate bundle.

Debian

Debian based distributions have an independent package that installs the default CA certificate bundle, called 'ca-certificates'. Running apt-get update; apt-get install ca-certificates should install the latest set of trusted CAs. The package splits up the CA certificates into individual files, so you can validate that the Geotrust certificate is installed by doing ls /etc/ssl/certs/GeoTrust*.

Redhat

Redhat based distributions ship the default CA certificate bundle in the 'openssl' package, so you will need to update all of OpenSSL to get the latest bundle. You can update this by running yum install openssl, but note that this will update all the openssl libraries as well, so be a bit cautious when doing this. On Redhat based distributions the CA bundle is within a single .pem file, so there's not a simple way of testing for the GeoTrust CA presence, although you can just run puppet module install branan/eight_hundred or something like that to see if it's installed correctly.

OSX/RVM

There have been some reports of the certificate verify error happening with OSX 10.8 with openssl from Xcode and using RVM for ruby. This goes back to the same error that the right CA certificates aren't installed or available. Uwe Kleinmann did a great job of tracking this down and solving it (http://kleinmann.org/2013/01/09/puppet-openssl-osx.html). Per the recommendations on his blog, you can solve this by running the following:

rvm pkg install openssl
rvm remove 1.9.3
rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr --with-gcc=clang

Installing the CA certificate yourself

All of the above methods have meant updating the entire CA bundle, but that can be a really heavyweight solution. Instead, you can download and install the CA certificate yourself. The GeoTrust website hosts all of the GeoTrust certificates, but specifically you need the GeoTrust Global CA. You can install this by downloading that file, copying it into the system CA certificate bundle location, and ensuring that it's world-readable.

Verifying the CA certificate

If you want to ensure that you have the right CA certificate, you can run the following:

dre% curl -O https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1234  100  1234    0     0   2440      0 --:--:-- --:--:-- --:--:--  3116
dre% curl --cacert GeoTrust_Global_CA.pem https://forge.puppetlabs.com/ping
{"version":2}

The {"version":2} return is key, as seeing that means that the SSL cert was successfully validated and that you were able to pull down the correct content.

If you see something like this:

dre% curl --cacert GeoTrust_Global_CA.pem https://forge.puppetlabs.com/ping
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

This means that the wrong certificate might be installed on forge.puppetlabs.com (see below), or you might be a victim of a MITM attack.

The original post

When this question was originally posted, due to a hiccup (that I was responsible for) a self signed SSL cert was briefly installed on forge.puppetlabs.com, which will produce the same error that the SSL cert couldn't be verified. However this was a brief issue and with luck this won't happen again.
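The answer above notes that on a single-file bundle like Red Hat's there is no simple `ls` check for the GeoTrust CA. The following is an added example (not part of the original answer or of any Puppet Labs tooling) that closes that gap: it splits a PEM bundle into its certificates, computes each one's SHA-256 fingerprint, and reports whether a given fingerprint is present. The reference fingerprint comes from the downloaded CA file via `openssl x509 -in GeoTrust_Global_CA.pem -noout -fingerprint -sha256`. The sample bundle embedded below is built from constructed byte strings and is not real certificate data; the PEM framing, fingerprinting and lookup are the same when pointed at /etc/ssl/certs/ca-certificates.crt or /etc/pki/tls/certs/ca-bundle.crt.

```python
"""Check whether a CA certificate with a given SHA-256 fingerprint is present
in a PEM bundle (added example; not the original answer's code)."""
import base64
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Anything outside the BEGIN/END markers (comments, or the textual dumps
    some bundles place before each block) is ignored.
    """
    ders = []
    body = None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            body = []
        elif line == END:
            if body is not None:
                ders.append(base64.b64decode("".join(body)))
            body = None
        elif body is not None and line:
            body.append(line)
    return ders


def sha256_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Accept 'AA:BB:...', 'aabb...' or the full 'SHA256 Fingerprint=...' line."""
    fp = fp.split("=", 1)[-1]
    return fp.replace(":", "").replace(" ", "").upper()


def find_in_bundle(text, wanted_fp):
    """Index of the certificate whose SHA-256 fingerprint matches, or None."""
    wanted = normalize_fingerprint(wanted_fp)
    for idx, der in enumerate(split_pem_bundle(text)):
        if normalize_fingerprint(sha256_fingerprint(der)) == wanted:
            return idx
    return None


def to_pem(der):
    """Wrap DER bytes in PEM framing at 64 columns, as openssl writes it."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"


# Constructed stand-ins for DER certificates; NOT real X.509 data.
SAMPLE_DERS = [
    b"constructed placeholder for a root CA, not a real certificate #1" * 3,
    b"constructed placeholder for a root CA, not a real certificate #2" * 3,
]
SAMPLE_BUNDLE = "# comment line, as found in some bundles\n" + "".join(
    to_pem(der) for der in SAMPLE_DERS)


def main(argv):
    if len(argv) != 3:
        print("usage: %s BUNDLE_FILE SHA256_FINGERPRINT" % argv[0])
        return 2
    with open(argv[1]) as fh:
        idx = find_in_bundle(fh.read(), argv[2])
    if idx is None:
        print("CA not found in bundle")
        return 1
    print("CA present in bundle (certificate #%d)" % (idx + 1))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A match only tells you the root is in the bundle; the `curl --cacert` check in the answer is still the right test that the server's chain actually validates against it, since a verify failure with the correct root present points at the server certificate or at interception rather than at the bundle.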