# Can I use puppet as an Intermediate CA?

I have installed an Internal-Root signed certificate on my Puppet Master under $ssldir/ca/ca_crt.pem in hopes that my Puppet managed nodes will have a certificate chain that can be resolved by following the chain back to a root CA. In other words I want a chain of trust that looks like this:

ROOT-CA ---> Puppet Master (Intermediate CA) ---> Agent Node

Here is the tricky part: My Puppet Master gives correctly signed certs to the Agents, but when the Agents run `puppet agent -t`, they have issues fetching the node definition. I get warnings like this one:

```
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
```

I was able to get this setup working using the deprecated puppet master daemon, but not with puppetserver. I am using puppetserver 2.5.0 with puppet 4.6.1 on my master. My agent is running puppet 4.4.2.

## Comments

On the agent node, did you copy your CA cert chain - file with Root + Intermediate CA PEMs - to the file configured as the "localcacert" - /etc/puppetlabs/puppet/ssl/certs/ca.pem by default? This is from https://docs.puppet.com/puppet/latest/reference/config_ssl_external_ca.html#puppet-agent. ( 2016-09-10 19:27:17 -0500 )

## 2 Answers

In the middle of an evaluation and proposal for a large-scale roll out and just got killed by this one. Our mandate is to operate our DevOps management nodes as intermediate CA's for some very good reasons. Can't argue with the stakeholders on it, gotta have it. Puppet is a perfect fit for our needs in every other respect.
You might be able to at least partially use an Intermediate CA with Puppet / Puppet Server to issue certificates for your agents, however, this is not a tested / supported configuration today. Here are a few known issues that you could encounter:

• PUP-6697 - This is probably the issue that you wrote about in your question. Even though Puppet Server's CA will provide both the Root and Intermediate CA cert when the agent asks for it, the agent will only actually store and use the first of the two CA certificates. The agent will then fail to validate the server up to the Root CA certificate and, therefore, output this error. You would probably be able to work around this issue by just depositing the full contents of the "ca_crt.pem" from the server to '$ssldir/certs/ca.pem' (/etc/puppetlabs/puppet/ssl/certs/ca.pem) on the agent node before doing the first agent run.

• PUP-3788 - Agents are unable to perform a CRL revocation check correctly when the master's server certificate has been issued from an Intermediate CA. The only known way to workaround this for now is to just disable the use of a CRL completely on the agent by putting a section like this in the '/etc/puppetlabs/puppet/puppet.conf' file:

```ini
[agent]
certificate_revocation = false
```
• SERVER-1315 and SERVER-1545 - Certificates cannot be signed from an Intermediate CA in Puppet Server either via autosigning or via the HTTP certificate_status API. As long as you are only using the "puppet cert sign" command-line from the master, however, the signing process should be successful.
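The chain-validation failure behind the PUP-6697 item above, reproduced in plain Ruby (Puppet's own language) as an added example that is not code from the page, from Puppet or from the answer's author. It builds an in-memory ROOT-CA -> intermediate -> master chain with throwaway keys, then verifies the master certificate against three candidate `localcacert` contents: only the first certificate of `ca_crt.pem` (modelling an agent that keeps just the first cert), only the root, and the full chain. The subject names, the assumed ordering of `ca_crt.pem` (intermediate first, root second) and the `first_cert_only`/`agent_verify` helpers are assumptions made for the example, not Puppet behaviour quoted from its source.

```ruby
require 'openssl'

# Matches one PEM certificate block; used to split a multi-cert file such as ca_crt.pem.
PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?/m

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue a certificate. With no issuer_cert/issuer_key the certificate is a self-signed root.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# ROOT-CA ---> Puppet CA (intermediate) ---> mypuppetmaster, all constructed in memory.
def build_pki
  root_key = make_key
  root = make_cert('/CN=ROOT-CA', root_key, ca: true, serial: 1)
  int_key = make_key
  intermediate = make_cert('/CN=Puppet CA', int_key, issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  master_key = make_key
  master = make_cert('/CN=mypuppetmaster', master_key, issuer_cert: intermediate, issuer_key: int_key, serial: 3)
  { root: root, intermediate: intermediate, master: master }
end

# Assumed layout of the ca_crt.pem an intermediate-CA master hands out: intermediate first, root second.
def ca_crt_pem(pki)
  pki[:intermediate].to_pem + pki[:root].to_pem
end

# Models the behaviour described for PUP-6697: only the first certificate of the file is kept.
def first_cert_only(pem)
  pem.scan(PEM_CERT).first
end

# Models the agent's check of the master cert against whatever is in localcacert.
# Returns [verified?, error string], where the error string is what OpenSSL reports.
def agent_verify(localcacert_pem, master_cert)
  store = OpenSSL::X509::Store.new
  localcacert_pem.scan(PEM_CERT).each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ok = store.verify(master_cert)
  [ok, ok ? 'ok' : store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  chain = ca_crt_pem(pki)
  puts "first cert of ca_crt.pem only: #{agent_verify(first_cert_only(chain), pki[:master]).inspect}"
  puts "root only:                    #{agent_verify(pki[:root].to_pem, pki[:master]).inspect}"
  puts "full chain:                   #{agent_verify(chain, pki[:master]).inspect}"
end
```

With only the intermediate trusted, OpenSSL cannot walk from it to a self-signed anchor and reports "unable to get issuer certificate", the same text as in the question; with only the root trusted it cannot find the intermediate at all and fails with a "local issuer" variant. Only a `localcacert` that carries both certificates verifies `/CN=mypuppetmaster`, which is why the workaround is to copy the whole `ca_crt.pem`, not a single certificate, into `/etc/puppetlabs/puppet/ssl/certs/ca.pem` before the first run.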