Ask Your Question

sslv3 alert bad certificate after hardware changes

asked 2016-09-06 11:48:01 -0600

rvalle gravatar image

updated 2016-09-06 13:30:08 -0600


Just replace some hardware on my puppet master, new motherboard.

Everything seems to be working just fine, however all my puppets are consistently failing with "sslv3 alert bad certificate".

I have read a lot of threads the simply encourage to delete all certificates and generate new ones. But I have a serious problem with that, I like to understand why things happen. Also, I hate to run things by hand on my nodes, that is why a got Puppet in the first place, this keeps happening from time to time, etc...

So, I am digging deeper to check what is going on.

If I run puppet agent -t, I get the error: SSL_connect returned=1 state=SSLv3 read server session ticket A: sslv3 alert bad certificate.

However, both client and server have the same ca certificate, nothing seems to have changed, by just digging a bit into the files.

I also run by hand the following command from the node:

openssl s_client -connect puppet:8140 -CAFile my-puppet-ca.pem

And I get a nice Verify return code: 0 (OK).

So, the problem does not seem to be the actual certificates, but something "puppety" going on...

any idea what could be going on?

I run puppet 3.8.x on Ubuntu.

edit retag flag offensive close merge delete


I can also verify that the client certificate is correct: has been signed with the puppet ca. Like so: openssl verfiy -CAfile certs/ca.pem -purpose sslclient certs/host.pem I get an OK for the certificate.

rvalle gravatar imagervalle ( 2016-09-06 13:29:00 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2016-09-06 14:01:07 -0600

rvalle gravatar image


The problem is the date of the puppet master.

After the HW change it was off a few months and NTP did not fix it for some reason.

edit flag offensive delete link more


I've seen odd issues with things like that due to some odd NTP misconfiguration

DarylW gravatar imageDarylW ( 2016-09-06 14:30:33 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2016-09-06 11:48:01 -0600

Seen: 299 times

Last updated: Sep 06 '16