I spent far too long diagnosing why this worked on one set of hosts and not another. When the vrrp_script fails on one host, it's supposed to move the service to the other host; that's the whole point, right?
I ran into this problem recently: certificates were verifying OK but were revoked somewhere along the line. I wanted to check against the CRL, but it's a somewhat undocumented feature (fixed in OpenSSL 1.0.2). The -crl_check option checks your cert against the CRL listed in the certificate, but only if that is listed and accessible remotely.
Augeas is a great tool for changing only parts of a configuration file. It has a few problems, though: it's slow, hard to learn, and lacks some documentation. That said, unless you can use file_line or inifile, Augeas is the only game in town. The alternative is an exec with sed or awk or something terrible...