Hi Nan

Thanks for your response. I tried that. But it says that everything is
okay. I get "verify return 1" instead of saying why there is a
verification error....

On Dec 8, 10:54 am, Nan Liu <n...@puppetlabs.com> wrote:
> On Wed, Dec 8, 2010 at 6:20 AM, Kikanny <kika...@gmail.com> wrote:
> > So there is something wrong with the date of the certificate. When I
> > do "openssl x509 -text -noout -in /etc/puppet/ssl/certs/client.pem |
> > grep -A2 Validity", I get:
>
> > Validity
> > Not Before: Dec 7 14:08:10 2010 GMT
> > Not After : Dec 6 14:08:10 2015 GMT
>
> > However, the current date of the client is Dec 8 which is well within
> > the valid range. The date is also the same as master server. But when
> > I change the date of the client to Dec 9, everything works fine and I
> > don't get that certificate verify failed error anymore. This is
> > baffling! Any idea how to fix this? Thanks!
>
> Let's use openssl to debug this and see if we can get a better error
> message indicating why the cert is rejected. In the command below
> replace the certs and ca with the appropriate paths on your system:
>
> openssl s_client -host puppet -port 8140 -cert
> /var/lib/puppet/ssl/certs/puppet.training.pem -key
> /var/lib/puppet/ssl/private_keys/puppet.training.pem -CAfile
> /var/lib/puppet/ssl/certs/ca.pem
>
> A successful connection:
> CONNECTED(00000003)
> depth=1 /CN=puppet.training
> verify return:1
> depth=0 /CN=puppet.training
> verify return:1
> ...
>
> Here, I intentionally set the system time to 2009 and the error
> message shows why the cert was rejected.
> CONNECTED(00000003)
> depth=1 /CN=puppet.training
> verify error:num=9:certificate is not yet valid
> notBefore=Sep 20 08:01:21 2010 GMT
> verify return:0
>
> Hope this helps. Thanks,
>
> Nan
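
Added example, not part of the original thread: a small Python helper that reads `openssl s_client` verify output in the format quoted above, collects each `verify error` with its depth and notBefore/notAfter, and compares certificate times against a clock reading in UTC (openssl prints these times in GMT, so a local-time clock reading has to be converted first). The function names and the embedded sample output are assumptions made up for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the same format as the s_client output quoted in the thread.
SAMPLE = """CONNECTED(00000003)
depth=1 /CN=puppet.training
verify error:num=9:certificate is not yet valid
notBefore=Sep 20 08:01:21 2010 GMT
verify return:0
"""

def parse_openssl_time(text):
    """Turn 'Dec  7 14:08:10 2010 GMT' into a timezone-aware UTC datetime."""
    cleaned = " ".join(text.split())  # openssl pads single-digit days with two spaces
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def verify_findings(output):
    """Return one dict per 'verify error' line, tagged with the chain depth it applies to."""
    findings, depth, subject = [], None, None
    for line in (raw.strip() for raw in output.splitlines()):
        m = re.match(r"depth=(\d+)\s+(.*)", line)
        if m:
            depth, subject = int(m.group(1)), m.group(2)
            continue
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m:
            findings.append({"depth": depth, "subject": subject,
                             "num": int(m.group(1)), "reason": m.group(2)})
            continue
        m = re.match(r"(notBefore|notAfter)=(.*)", line)
        if m and findings:  # the date line follows the error it explains
            findings[-1][m.group(1)] = parse_openssl_time(m.group(2))
    return findings

def window_status(not_before, not_after, now_utc):
    """Classify a UTC clock reading against a certificate validity window."""
    if now_utc < not_before:
        return "not yet valid"
    if now_utc > not_after:
        return "expired"
    return "valid"

def clock_gap_seconds(finding, now_utc):
    """Seconds the clock would have to advance to reach notBefore (positive = clock behind)."""
    return (finding["notBefore"] - now_utc).total_seconds()

if __name__ == "__main__":
    for f in verify_findings(SAMPLE):
        gap = clock_gap_seconds(f, datetime.now(timezone.utc))
        print(f"depth {f['depth']} {f['subject']}: {f['reason']} (clock gap {gap:.0f}s)")
```

A depth of 1 in a finding points at the CA certificate rather than the client certificate, so the validity dates to inspect are those in ca.pem.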
