Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

You might be able to at least partially use an Intermediate CA with Puppet / Puppet Server to issue certificates for your agents, however, this is not a tested / supported configuration today. Here are a few known issues that you would could encounter:

  • PUP-6697 - This is probably the issue that you wrote about in your question. Even though Puppet Server's CA will provide both the Root and Intermediate CA cert when the agent asks for it, the agent will only actually store and use the first of the two CA certificates. The agent will then fail to validate the server up to the Root CA certificate and, therefore, output this error. You would probably be able to workaround this issue by just depositing the full contents of the "ca_crt.pem" from the server to '$ssldir/certs/ca.pem' (/etc/puppetlabs/puppet/ssl/certs/ca.pem) on the agent node before doing the first agent run.

  • PUP-3788 - Agents are unable to perform a CRL revocation check correctly when the master's server certificate has been issued from an Intermediate CA. The only known way to workaround this for now is to just disable the use of a CRL completely on the agent by putting a section like this in the '/etc/puppetlabs/puppet/puppet.conf' file:

certificate_revocation = false
  • SERVER-1315 and SERVER-1545 - Certificates cannot be signed from an Intermediate CA in Puppet Server either via autosigning or via the HTTP certificate_status API. As long as you are only using the "puppet cert sign" command-line from the master, however, the signing process should be successful.