I think this is fixed now; I used openssl s_client and whereas it used to 
have:

---
Certificate chain
 0 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 2 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

It now says 


Certificate chain
 0 s:/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

On Monday, March 24, 2014 11:50:16 AM UTC-7, Eric Sorenson wrote:
>
> Thanks for pointing this out, I've raised an internal ticket with the 
> operations team and will update this thread when I hear back.
>
> --eric0
>
> On Monday, March 24, 2014 7:10:09 AM UTC-7, Christopher Orr wrote:
>>
>> Hi all,
>>
>> I just noticed that some of my servers are having trouble while running 
>> `apt-get update`, apparently due to TLS issues with apt.puppetlabs.com.
>>
>> `apt-get update` returns:
>> W: Failed to fetch 
>> https://apt.puppetlabs.com/dists/lucid/main/source/Sources.gz  server 
>> certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt 
>> CRLfile: none
>>
>> However, I can access https://apt.puppetlabs.com fine via curl or 
>> Chrome, and the relevant root certificate is indeed in 
>> /etc/ssl/certs/ca-certificates.crt.
>> But on closer inspection, it seems that the certificate chain returned 
>> when connecting to apt.puppetlabs.com contains two copies of the 
>> *.puppetlabs.com certificate as the first two links in the chain.
>>
>> I imagine it's possible that certain clients reject this as invalid.
>> Has anybody else noticed this behaviour?
>>
>> In the meantime, I see that newer "puppetlabs-release-*.deb" packages use 
>> http://apt.puppetlabs.com (i.e. no https://), so I guess I have some 
>> apt-sources updating to do...
>>
>> Regards,
>> Chris
>>
>
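
A check for the condition discussed in this thread, as an added example that is not part of the original messages: it parses the "Certificate chain" block printed by openssl s_client and reports repeated entries and broken issuer-to-subject links. The function names are hypothetical, and comparing subject/issuer text is an assumption made for brevity (it is a heuristic, not a fingerprint comparison); the two listings are the ones quoted above with wrapped lines rejoined.

```python
import re

# Names as they appear in the chain listings quoted in the thread.
LEAF = ("/serialNumber=tQHCVE0ajtkIENLLN1O5pr4WMtvwn/eA/C=US/ST=Oregon"
        "/L=Portland/O=Puppet Labs, Inc./CN=*.puppetlabs.com")
INTERMEDIATE = "/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA"
ROOT = "/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"

BEFORE = f"""---
Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
 1 s:{LEAF}
   i:{INTERMEDIATE}
 2 s:{INTERMEDIATE}
   i:{ROOT}
"""
AFTER = f"""---
Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
 1 s:{INTERMEDIATE}
   i:{ROOT}
"""

# One entry: "<depth> s:<subject>" followed by an indented "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s+i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    _, _, rest = text.partition("Certificate chain")
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(rest)]

def chain_problems(chain):
    """List duplicate entries and places where issuer != next subject."""
    problems, seen = [], {}
    for depth, subject, issuer in chain:
        first = seen.setdefault((subject, issuer), depth)
        if first != depth:
            problems.append(f"depth {depth} repeats the certificate at depth {first}")
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"depth {depth} issuer does not match subject at depth {depth + 1}")
    return problems

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, chain_problems(parse_chain(text)) or "ok")
```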
