Among the most frustrating issues, especially for new users, are problems with the agent's SSL handshake. Such errors are especially troublesome because Puppet cannot always offer very helpful analysis in its logs—the problems occur in the SSL library functions, and the application cannot examine the circumstances.
Note
The online documentation at Puppet Labs has a Troubleshooting section that has some advice concerning SSL-related issues as well at https://docs.puppetlabs.com/guides/troubleshooting.html.
Consider the following output for the --test
command:
root@agent# puppet agent --testWarning: Unable to fetch my node definition, but the agent run will continue: Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: puppet.example.net]
The agent opines that the CRL it receives from the master is not yet valid. Errors such as these can happen whenever the agent's clock gets reset to a very...