When trying to upgrade an official module, puppet complains that it can’t find it on the forge. It might actually be that it doesn’t recognize the SSL certificate as being valid. When trying to install a module from forge.puppetlabs.com, it returns the proper error, complaining that the certificate is invalid:
# puppet module install puppetlabs/ntp
Notice: Preparing to install into /usr/local/etc/puppet/modules ...
Notice: Downloading from https://forge.puppetlabs.com ...
Error: Could not connect via HTTPS to https://forge.puppetlabs.com
Unable to verify the SSL certificate
The certificate may not be signed by a valid CA
The CA bundle included with OpenSSL may not be valid or up to date
Apparently https is a jerk, so, other than the obvious, a solution is to use http instead of https for the repository:
# puppet module install puppetlabs/ntp --module_repository=http://forge.puppetlabs.com
On FreeBSD it might be that /etc/ssl/cert.pem isn’t symlinked to /usr/local/share/certs/ca-root-nss.crt, where the ca_root_nss package installs.