authorMatt Robinson <matt@puppetlabs.com>2011-07-19 11:27:03 -0700
committerMatt Robinson <matt@puppetlabs.com>2011-07-26 12:57:31 -0700
commit1d4acb5afda61b1f2c05223afff19c68248a3996 (patch)
tree0b014e631e95b1de40a5d015db724e4715c124e3
parent8baa4897e777f9515dc1663317f432ace3067bae (diff)
maint: Suggest where to start troubleshooting SSL error message
Much like the infamous "hostname was not match" error message, there's another SSL error that people run into and that gives no clear indication of how to troubleshoot it. err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. As far as I can tell this only ever happens when the clock is off on the master or client. People seem to think it will happen other times, but I haven't been able to reproduce it other ways - missing private key, revoked cert, offline CA all have their own errors. I googled around and the only thing I've seen for this error in relation to puppet is the time sync problem. So the error message text just has some additional info to suggest you check your clocks. Reviewed-by: Nick Lewis <nick@puppetlabs.com>
-rw-r--r--lib/puppet/indirector/rest.rb4
-rwxr-xr-xspec/unit/indirector/rest_spec.rb83
2 files changed, 50 insertions, 37 deletions
diff --git a/lib/puppet/indirector/rest.rb b/lib/puppet/indirector/rest.rb
index 8018fe8e3..19daff51d 100644
--- a/lib/puppet/indirector/rest.rb
+++ b/lib/puppet/indirector/rest.rb
@@ -93,7 +93,9 @@ class Puppet::Indirector::REST < Puppet::Indirector::Terminus
http_connection.send(method, *args)
rescue OpenSSL::SSL::SSLError => error
- if error.message.include? "hostname was not match"
+ if error.message.include? "certificate verify failed"
+ raise Puppet::Error, "#{error.message}. This is often because the time is out of sync on the server or client"
+ elsif error.message.include? "hostname was not match"
raise unless cert = peer_certs.find { |c| c.name !~ /^puppet ca/i }
valid_certnames = [cert.name, *cert.alternate_names].uniq
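Review bot: The new `if error.message.include? "certificate verify failed"` branch attaches the clock-skew hint to every verification failure, but that OpenSSL message is the generic verify failure and is also what the client sees when the server presents a certificate the local CA store does not trust, which is precisely the case an operator should not be told to write off as a clock problem. The description says other causes could not be reproduced, yet nothing on the visible lines distinguishes them, so the added text should read as a suggestion that does not foreclose the trust-failure case, e.g. `raise Puppet::Error, "#{error.message}. This is often because the time is out of sync on the server or client; if the clocks agree, check that the client trusts the CA that signed the server certificate"` (the spec's regex still matches). If the verify callback that fills `peer_certs` (outside this hunk) also recorded the store context's `error` code, the clock hint could be limited to `OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID` and `OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED` and the generic wording used otherwise. The enclosing `http_request` method starts before this hunk and continues past it.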
diff --git a/spec/unit/indirector/rest_spec.rb b/spec/unit/indirector/rest_spec.rb
index ee0111a77..042b7ca16 100755
--- a/spec/unit/indirector/rest_spec.rb
+++ b/spec/unit/indirector/rest_spec.rb
@@ -90,42 +90,53 @@ describe Puppet::Indirector::REST do
@rest_class.port.should == 543
end
- describe "when making http requests" do
- it "should provide a helpful error message when hostname was not match with server certificate" do
- Puppet[:certdnsnames] = 'foo:bar:baz'
- csr = OpenSSL::X509::Request.new
- csr.subject = OpenSSL::X509::Name.new([['CN', 'not_my_server']])
- csr.public_key = OpenSSL::PKey::RSA.generate(Puppet[:keylength]).public_key
- cert = Puppet::SSL::CertificateFactory.new('server', csr, csr, 14).result
-
- connection = Net::HTTP.new('my_server', 8140)
- @searcher.stubs(:network).returns(connection)
- ssl_context = OpenSSL::SSL::SSLContext.new
- ssl_context.stubs(:current_cert).returns(cert)
- connection.stubs(:get).with do
- connection.verify_callback.call(true, ssl_context)
- end.raises(OpenSSL::SSL::SSLError.new('hostname was not match with server certificate'))
-
- msg = /Server hostname 'my_server' did not match server certificate; expected one of (.+)/
- expect { @searcher.http_request(:get, stub('request')) }.to(
- raise_error(Puppet::Error, msg) do |error|
- error.message =~ msg
- $1.split(', ').should =~ ['foo', 'bar', 'baz', 'not_my_server']
- end
- )
- end
-
- it "should pass along the error message otherwise" do
- connection = Net::HTTP.new('my_server', 8140)
- @searcher.stubs(:network).returns(connection)
-
- connection.stubs(:get).raises(OpenSSL::SSL::SSLError.new('certificate verify failed'))
-
- expect do
- @searcher.http_request(:get, stub('request'))
- end.to raise_error(/certificate verify failed/)
- end
- end
+ describe "when making http requests" do
+ it "should provide a suggestive error message when certificate verify failed" do
+ connection = Net::HTTP.new('my_server', 8140)
+ @searcher.stubs(:network).returns(connection)
+
+ connection.stubs(:get).raises(OpenSSL::SSL::SSLError.new('certificate verify failed'))
+
+ expect do
+ @searcher.http_request(:get, stub('request'))
+ end.to raise_error(/This is often because the time is out of sync on the server or client/)
+ end
+
+ it "should provide a helpful error message when hostname was not match with server certificate" do
+ Puppet[:certdnsnames] = 'foo:bar:baz'
+ csr = OpenSSL::X509::Request.new
+ csr.subject = OpenSSL::X509::Name.new([['CN', 'not_my_server']])
+ csr.public_key = OpenSSL::PKey::RSA.generate(Puppet[:keylength]).public_key
+ cert = Puppet::SSL::CertificateFactory.new('server', csr, csr, 14).result
+
+ connection = Net::HTTP.new('my_server', 8140)
+ @searcher.stubs(:network).returns(connection)
+ ssl_context = OpenSSL::SSL::SSLContext.new
+ ssl_context.stubs(:current_cert).returns(cert)
+ connection.stubs(:get).with do
+ connection.verify_callback.call(true, ssl_context)
+ end.raises(OpenSSL::SSL::SSLError.new('hostname was not match with server certificate'))
+
+ msg = /Server hostname 'my_server' did not match server certificate; expected one of (.+)/
+ expect { @searcher.http_request(:get, stub('request')) }.to(
+ raise_error(Puppet::Error, msg) do |error|
+ error.message =~ msg
+ $1.split(', ').should =~ ['foo', 'bar', 'baz', 'not_my_server']
+ end
+ )
+ end
+
+ it "should pass along the error message otherwise" do
+ connection = Net::HTTP.new('my_server', 8140)
+ @searcher.stubs(:network).returns(connection)
+
+ connection.stubs(:get).raises(OpenSSL::SSL::SSLError.new('some other message'))
+
+ expect do
+ @searcher.http_request(:get, stub('request'))
+ end.to raise_error(/some other message/)
+ end
+ end
describe "when deserializing responses" do
it "should return nil if the response code is 404" do