On Wed, Dec 8, 2010 at 6:20 AM, Kikanny <kika...@gmail.com> wrote:
> So there is something wrong with the date of the certificate. When I
> do "openssl x509 -text -in -noout /etc/puppet/ssl/certs/client.pem |
> grep -A2 Validity", I get:
>
> Validity
> Not Before: Dec 7 14:08:10 2010 GMT
> Not After : Dec 6 14:08:10 2015 GMT
>
> However, the current date of the client is Dec 8 which is well within
> the valid range. The date is also the same as master server. But when
> I change the date of the client to Dec 9, everything works fine and I
> don't get that certificate verify failed error anymore. This is
> baffling! Any idea how to fix this? Thanks!

Let's use openssl to debug this and see if we can get a better error
message indicating why the cert is rejected. In the command below, replace
the certs and CA with the appropriate paths on your system:

    openssl s_client -host puppet -port 8140 -cert /var/lib/puppet/ssl/certs/puppet.training.pem -key /var/lib/puppet/ssl/private_keys/puppet.training.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem

A successful connection:

    CONNECTED(00000003)
    depth=1 /CN=puppet.training
    verify return:1
    depth=0 /CN=puppet.training
    verify return:1
    ...

Here, I intentionally set the system time to 2009 and the error message
shows why the cert was rejected.

    CONNECTED(00000003)
    depth=1 /CN=puppet.training
    verify error:num=9:certificate is not yet valid
    notBefore=Sep 20 08:01:21 2010 GMT
    verify return:0

Hope this helps.

Thanks,

Nan
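
An added example, not part of the original thread: a small Python check that parses the Validity lines from `openssl x509 -text` output and classifies a clock reading the way the s_client output above reports it (num=9 for "not yet valid"; 10 is OpenSSL's number for "certificate has expired"). The sample text is constructed from the dates quoted in the thread, and the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Validity lines quoted in the thread, laid out as
# `openssl x509 -text -noout` prints them (one-digit days are space-padded).
SAMPLE_X509_TEXT = """\
        Validity
            Not Before: Dec  7 14:08:10 2010 GMT
            Not After : Dec  6 14:08:10 2015 GMT
"""

# OpenSSL verify error numbers, as shown by s_client ("verify error:num=9").
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_validity(x509_text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for which, stamp in _FIELD.findall(x509_text):
        stamp = " ".join(stamp.split())  # collapse openssl's day padding
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        found[which] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block incomplete")
    return found["Before"], found["After"]


def check_clock(x509_text, now):
    """Return (verify_code, margin) for the clock reading `now`."""
    # Validity is expressed in GMT, so refuse naive (zone-less) local times.
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime; validity is in GMT")
    not_before, not_after = parse_validity(x509_text)
    if now < not_before:
        return X509_V_ERR_CERT_NOT_YET_VALID, not_before - now
    if now > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED, now - not_after
    # Valid: margin is the distance to the nearest bound of the window.
    return X509_V_OK, min(now - not_before, not_after - now)


if __name__ == "__main__":
    code, margin = check_clock(SAMPLE_X509_TEXT, datetime.now(timezone.utc))
    print(f"verify code {code}, margin {margin}")
```

A small margin on a code 0 result means the certificate is only just inside its window, so modest clock skew between hosts is enough to flip the outcome.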