Can I use Puppet as an Intermediate CA?
I have installed an Internal-Root signed certificate on my Puppet Master under $ssldir/ca/ca_crt.pem in hopes that my Puppet managed nodes will have a certificate chain that can be resolved by following the chain back to a root CA.
In other words I want a chain of trust that looks like this: ROOT-CA ---> Puppet Master (Intermediate CA) ---> Agent Node
Here is the tricky part: My Puppet Master gives correctly signed certs to the Agents, but when the Agents run puppet agent -t, they have issues fetching the node definition. I get warnings like this one:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
I was able to get this setup working using the deprecated puppet master daemon, but not with
I am using puppetserver 2.5.0 with puppet 4.6.1 on my master. My agent is running puppet 4.4.2.
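
The OpenSSL error text quoted in the question can be reproduced outside Puppet with the openssl command line. The script below is an added example, not part of the original post and not Puppet's own code: it builds a throwaway ROOT-CA ---> CN=mypuppetmaster ---> CN=agent01 chain and verifies the agent certificate against a trust file with and without the root. The agent name, file names, key size and the helper functions build_chain and verify_with are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Constructed lab: ROOT-CA -> CN=mypuppetmaster (intermediate) -> CN=agent01.
# All names, keys and paths below are made up for this demo.
set -eu

build_chain() {   # $1 = empty working directory
  ( cd "$1"
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=ROOT-CA" -days 2
    # Intermediate (stands in for the Puppet CA certificate), signed by the root.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout int.key -out int.csr -subj "/CN=mypuppetmaster"
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -out int.pem -days 2
    # Agent certificate, signed by the intermediate.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=agent01"
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_leaf -out leaf.pem -days 2
    # Trust file holding the whole chain back to the root.
    cat int.pem root.pem > bundle.pem
  ) >/dev/null 2>&1
}

# Prints openssl's verdict; exit status is openssl's (0 only if the chain resolves).
verify_with() {   # $1 = trust file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>&1
}

WORK=$(mktemp -d)
build_chain "$WORK"
echo "== trust file: intermediate only =="
verify_with "$WORK/int.pem" "$WORK/leaf.pem" || true
echo "== trust file: intermediate + root =="
verify_with "$WORK/bundle.pem" "$WORK/leaf.pem"
```

With only the intermediate in the trust file, verification stops at CN=mypuppetmaster with "unable to get issuer certificate"; with the root appended, the same agent certificate verifies.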