With certificate revocation set to false, why does Puppet still check for the CRL? Error: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed

asked 2018-03-22 18:14:01 -0600


updated 2018-03-23 12:46:30 -0600

We are using custom CA certs and getting the error below when running puppet agent -t on the puppet master or any of the puppet server nodes.

Error: /File[/export/home/progress/.puppetlabs/opt/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=OSD/CN=c1...]
Error: /File[/export/home/progress/.puppetlabs/opt/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=OSD/CN=c1...]


After validating the puppet configuration files in the puppet installation directories and the agent node's user directories, and also validating the certificates and *.pem files as correct, we discovered that although certificate revocation was set to false in our puppet configuration, puppet still checked for an active CRL file from the custom CA.


puppetserver --version

puppetserver version: 2017.3.0.52
