OK, so this is a straight line version of how I debugged the issue. There were a couple more dead ends than described here.
The first thing to notice is the error. I was getting:

    "certificate verify failed: [self signed certificate for /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001"

This told me a couple of things:

- The certificate verification was failing.
- The identity given in the certificate was: "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001".

I checked the configuration of the Puppet virtual site. It all looked OK.

I then turned to openssl (https://www.openssl.org/docs/apps/x509.html) to check the certificates. I used the following (substituting the certificate file for cert.pem) to print out the server and CA certificates used in the configuration:

    openssl x509 -in cert.pem -noout -text

I decided to have a look at the certificates I got if I connected to the server. Again openssl is your friend (http://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server). I ran the following with output to separate files for the WEBrick and Apache servers.

    openssl s_client -showcerts -connect ecm-rhl-001:8140 </dev/null >WEBrick.certs
    openssl s_client -showcerts -connect ecm-rhl-001:8140 </dev/null >Apache.certs

This gave me 2 files, each with 2 certificates in it. The first certificate is the server certificate and the second is the CA certificate. A brief inspection of the files showed that the first certificate was different whilst the second was the same: i.e. the server certificates differed but the CA certificates were the same. I confirmed this further by splitting each certificate out to a separate file and using openssl to print text representations as per the check on the configured certificates above.

So where were the different certificates coming from? Openssl (again) lets me print out an md5 for a certificate and a private key. The md5 will match for matching certificates and keys.

    openssl x509 -noout -modulus -in signed/ecm-rhl-001.pem | openssl md5
    openssl rsa -noout -modulus -in private_keys/ecm-rhl-001.pem | openssl md5

This allowed me to check that the certificate and private keys matched. It also gave me a quick way to check what keys the certificates that I retrieved from the servers matched. All checked out OK.

I still could not locate the elusive certificate that was being returned by the Apache server. I checked a number of possible keys and So I went back to look at the Apache configuration and checked all of them for 'SSLCertificateFile' using grep. This showed that the "SSL Configuration" had a certificate defined in it by default. A quick check using the previous Openssl commands showed that it matched the one returned by the Apache server.

A few comments to remove the unwanted site from the Apache configuration and everything was working again.

I've installed ssl on a number of Apache servers (Debian package, Ubuntu package & compiled from source) over the last 15 years or so and this is the first time the ssl configuration has included a "live" ssl virtual host definition.

Tom
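The last step of the hunt above (which configured SSLCertificateFile is the server actually returning?) can be scripted; this is an added example, not part of the original message. The function names are hypothetical, SSLCertificateFile paths are assumed to be absolute, and the served file may be raw `openssl s_client -showcerts` output, since only its first PEM block (the server certificate) is read.

```bash
# Added example: match a served certificate to an Apache SSLCertificateFile.

# SHA-256 over the DER bytes of the first certificate in a PEM file.
# Same digest as `openssl x509 -noout -fingerprint -sha256`, printed as
# lowercase hex without colons. Fails if the file holds no certificate,
# so two empty files can never "match" each other.
pem_fingerprint() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
                /-----END CERTIFICATE-----/   {exit}
                on' "$1" | tr -d '\r')
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Print "conf-file:line:cert-path" for every active (uncommented)
# SSLCertificateFile directive below the given configuration directory.
list_cert_directives() {
    grep -rHniE '^[[:space:]]*SSLCertificateFile[[:space:]]+' "$1" 2>/dev/null |
        sed -E 's/^([^:]+:[0-9]+):[[:space:]]*[^[:space:]]+[[:space:]]+"?([^"[:space:]]+)"?.*/\1:\2/'
}

# usage: find_served_cert <served.pem or s_client output> <apache conf dir>
# Prints "conf-file:line -> cert-path" for each directive whose certificate
# is the one the server presented.
find_served_cert() {
    want=$(pem_fingerprint "$1") || return 1
    list_cert_directives "$2" | while IFS= read -r entry; do
        path=${entry##*:}      # text after the last colon: certificate path
        loc=${entry%:*}        # conf-file:line
        [ -r "$path" ] || continue
        got=$(pem_fingerprint "$path") || continue
        if [ "$got" = "$want" ]; then
            echo "$loc -> $path"
        fi
    done
}
```

A hit in a file other than the Puppet virtual host definition points at a second virtual host that is live on the same port, which is the situation described in the message.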