The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #3770

Puppet SSL verfication is broken with multiple chained certificates

Added by Ohad Levy almost 6 years ago. Updated over 3 years ago.

Status:DuplicateStart date:04/22/2010
Priority:NormalDue date:04/22/2010
Assignee:-% Done:


Target version:-
Affected Puppet version: Branch:

We've Moved!

Ticket tracking is now hosted in JIRA:



it seems that 0.25.x SSL is broken when using a chained CA.

I’m attaching a simple script (and output) showing that using simple net/https works, while using puppet internally does not.

it doesn’t seems to be related to the SSL initialization itself, rather to something else

h2. example script

require 'net/https'
require 'puppet/network/http_pool'

args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"

http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  puts http.get url, header
 warn $!

Puppet[:config] = "/etc/puppet/puppet.conf"
http =*args)
http.use_ssl = true
http.cert_store =
http.key =[:hostprivkey]))
http.cert =[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]

puts http.get url, header

h2. output

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Related issues

Related to Puppet - Bug #3120: 'localcacert' doesn't behave as described Closed 01/27/2010
Related to Puppet - Bug #3961: puppetca doesnt generate certificate in $certdir. Closed 06/08/2010
Related to Puppet - Bug #4226: Puppet ca_name configuration setting should not default t... Closed 07/13/2010
Related to Puppet - Feature #14550: Accept a CRL path on the agent Needs Decision 05/17/2012
Related to Puppet - Bug #1525: local host fails to sync with mongrel/apache2 Closed 08/21/2008
Related to Puppet - Feature #3143: Fully support multiple CAs and CA trust chains in Puppet Closed 02/03/2010


#1 Updated by James Turnbull almost 6 years ago

  • Target version changed from 0.25.5 to 49

#2 Updated by James Turnbull over 5 years ago

  • Target version deleted (49)

#3 Updated by Nigel Kersten almost 5 years ago

  • Assignee deleted (Ohad Levy)
  • Target version set to 3.x
  • Affected Puppet version deleted (0.25.5rc1)

#4 Updated by Nigel Kersten almost 5 years ago

To provide some context, I asked the dev team to spend some time investigating the scope of this fix, and it was non-trivial, enough that it’s been pushed off to Telly.

Unlike previous releases however, expect to see Telly code commits starting to make their way to the dev list in the next month.

#5 Updated by Dustin Mitchell almost 4 years ago

There’s a good bit of context missing in this bug report. One problem is that the OpenSSL error code isn’t returned — “certificate verify failed” usually comes with a code. I’ll submit a patch on another bug to fix that, as it’s within my nascent Ruby skills.

I suspect that the problem here is either that the server wasn’t configured to send the intermediate certificates (to my knowledge, the WebBRICK server can’t do this; Apache can, but needs some config); or the client was trying to verify CRLs, which puppet agent (still) doesn’t support (Bug #14550). However, I see a related issue here in Bug #3640. By disabling CRLs on the client, this can be made to work.

#6 Updated by Anonymous almost 4 years ago

  • Status changed from Accepted to Duplicate


I’m closing this particular ticket because I’ve been reviewing all of the tickets related to the Multiple Certificate Authorities wiki document I originally wrote and I’ve come to the conclusion these aren’t really bugs because Puppet has never supported CA chaining and multiple authorities.

In the situations where it has worked, it’s always been by working around the overloaded nature of the localcacert option and working around the behavior of certificate revocation checking.

Closing this ticket does not imply we don’t consider this a serious issue or we won’t fix this problem. On the contrary, please take it to mean we consider it important enough to fix properly by adding official support for CA chaining and multiple CA’s. In order to do this right we’re going to need to introduce new settings into Puppet. My hope is that these new settings can all default to the existing localcacert setting for the simple case of a single self signed CA.

If you have new information or would like to help us prioritize the feature, please update ticket #15404 with your impact data and use cases for multiple CA’s and certificate chaining.

Thanks, -Jeff McCune

#7 Updated by Anonymous over 3 years ago

  • Target version deleted (3.x)

Also available in: Atom PDF