Both of you may need the ca-certificates rpm. When I unpack this I can verify 
the cert on the other end:

$ pwd
/tmp/zz
$ rpm2cpio ~/files/downloads/ca-certificates-2013.1.94-65.0.el6.noarch.rpm | cpio -id

Then this gives me "Verify return code: 0 (ok)" (faking the directory since 
it's a Debian host):

openssl s_client -CApath /tmp/zz/etc/pki/tls/certs -showcerts -connect forgeapi.puppetlabs.com:443

Then when you install the ca-certificates rpm you would:

openssl s_client -CApath /etc/pki/tls/certs -showcerts -connect forgeapi.puppetlabs.com:443

I'm testing this on a Debian host hence no ca-certificates rpm available the 
usual way.

If that doesn't work, also check your server time; SSL issues are often symptoms 
of unsynced clocks.

On Tue, Aug 19, 2014 at 11:20:15AM -0700, RITU JAIN wrote:
>    Hi Rafael,
>    Did you find an answer to this question? I am facing the same issue.
>    Regards,
>    Ritu
> 
>    On Tuesday, July 1, 2014 8:58:39 PM UTC-4, triceras wrote:
> 
>      Hi All,
>        Has anyone ever experienced any SSL certificate problems when trying
>      to download a puppet module from [1]https://forgeapi.puppetlabs.com ?
> 
>          [root@hx689 httpd]# puppet module search ssh
>        Notice: Searching [2]https://forgeapi.puppetlabs.com ...
>        Error: Could not connect via HTTPS to
>        [3]https://forgeapi.puppetlabs.com
>          Unable to verify the SSL certificate
>            The certificate may not be signed by a valid CA
>            The CA bundle included with OpenSSL may not be valid or up to date
>        Error: Try 'puppet help module search' for usage
> 
>        I have installed Puppet open source version 3.6.2 on RHEL 6.5. When I
>      tried to curl the URL I am getting the following:
>       
> 
>        [root@hx689 httpd]# curl [4]https://forgeapi.puppetlabs.com
>        curl: (60) Peer certificate cannot be authenticated with known CA
>        certificates
>        More details here: [5]http://curl.haxx.se/docs/sslcerts.html
>        curl performs SSL certificate verification by default, using a
>        "bundle"
>         of Certificate Authority (CA) public keys (CA certs). If the default
>         bundle file isn't adequate, you can specify an alternate file
>         using the --cacert option.
>        If this HTTPS server uses a certificate signed by a CA represented in
>         the bundle, the certificate verification probably failed due to a
>         problem with the certificate (it might be expired, or the name might
>         not match the domain name in the URL).
>        If you'd like to turn off curl's verification of the certificate, use
>         the -k (or --insecure) option.
> 
>      Any help is really appreciated.
>      Best Regards,
>      Rafael
> 
>    --
>    You received this message because you are subscribed to the Google Groups
>    "Puppet Users" group.
>    To unsubscribe from this group and stop receiving emails from it, send an
>    email to [6]puppet-users+unsubscr...@googlegroups.com.
>    To view this discussion on the web visit
>    
> [7]https://groups.google.com/d/msgid/puppet-users/32dae128-856a-4316-b3cd-e944ed4faa38%40googlegroups.com.
>    For more options, visit [8]https://groups.google.com/d/optout.
> 
> References
> 
>    Visible links
>    1. https://forgeapi.puppetlabs.com/
>    2. https://forgeapi.puppetlabs.com/
>    3. https://forgeapi.puppetlabs.com/
>    4. https://forgeapi.puppetlabs.com/
>    5. http://curl.haxx.se/docs/sslcerts.html
>    6. mailto:puppet-users+unsubscr...@googlegroups.com
>    7. 
> https://groups.google.com/d/msgid/puppet-users/32dae128-856a-4316-b3cd-e944ed4faa38%40googlegroups.com?utm_medium=email&utm_source=footer
>    8. https://groups.google.com/d/optout
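
A triage helper for the checks described in the message above, as an added example that is not part of the original thread: it reads the "Verify return code" line from `openssl s_client` output and maps it to the two causes mentioned there (CA certificates missing from the `-CApath` directory, or a system clock outside the certificate's validity window). The function names and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the numeric code from the last "Verify return code: N (...)" line on stdin.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Map an OpenSSL verify code to the area to look at first.
diagnose() {
    case "$1" in
        0)        echo "ok" ;;
        19|20|21) echo "ca-store" ;;           # issuer/root not found in the trust directory
        9|10)     echo "clock-or-validity" ;;  # not yet valid / has expired
        "")       echo "no-result" ;;          # output never reached a verify result
        *)        echo "other:$1" ;;
    esac
}

# Read s_client output on stdin and print the diagnosis.
triage() {
    diagnose "$(verify_code)"
}

# Live use (needs network): check_host HOST [CAPATH]
# CAPATH defaults to the RHEL directory used in the message above.
check_host() (
    host=$1
    capath=${2:-/etc/pki/tls/certs}
    openssl s_client -CApath "$capath" -servername "$host" \
        -connect "$host:443" </dev/null 2>/dev/null | triage
)

# Constructed sample lines (not captured from a real session).
SAMPLE_OK='    Verify return code: 0 (ok)'
SAMPLE_NO_CA='    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_CLOCK='    Verify return code: 9 (certificate is not yet valid)'
```

Running `check_host forgeapi.puppetlabs.com` on the affected host and getting `ca-store` points at the ca-certificates package; `clock-or-validity` points at the system time or the certificate dates.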
