Can I use puppet as an Intermediate CA?

I have installed an Internal-Root signed certificate on my Puppet Master under $ssldir/ca/ca_crt.pem in hopes that my Puppet managed nodes will have a certificate chain that can be resolved by following the chain back to a root CA.

In other words I want a chain of trust that looks like this: ROOT-CA ---> Puppet Master (Intermediate CA) ---> Agent Node

Here is the tricky part: My Puppet Master gives correctly signed certs to the Agents, but when the Agents run puppet agent -t, they have issues fetching the node definition. I get warnings like this one:

```
Warning: Unable to fetch my node definition, but the agent run will continue:

Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]

Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
```

I was able to get this setup working using the deprecated puppet master daemon, but not with puppetserver. I am using puppetserver 2.5.0 with puppet 4.6.1 on my master. My agent is running puppet 4.4.2.
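
A minimal reproduction of the verification error quoted in the question, as an added example that is not part of the original post: it builds a throwaway three-tier chain with the `openssl` CLI and shows how the contents of the trust file decide between error 2 (`unable to get issuer certificate`), error 20 and success. Apart from the `mypuppetmaster` CN taken from the error message, the subject names, file names and helper functions are constructed for the example, and nothing in it touches a Puppet `$ssldir`.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI for illustration; nothing here reads or writes a Puppet ssldir.
set -u

# Create a key and signing request for subject $2 in directory $1, file prefix $3.
new_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
  local d=$1
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ROOT-CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root; CN copied from the error in the post.
  new_csr "$d" "/CN=mypuppetmaster" int
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Leaf certificate (hypothetical agent name) signed by the intermediate.
  new_csr "$d" "/CN=agent-node" leaf
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  # Trust bundle holding the full path: intermediate followed by root.
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Print openssl's verdict for certificate $2 against trust file $1.
verify_with() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

work=$(mktemp -d)
build_chain "$work"
echo "== trust file = intermediate only =="
verify_with "$work/int.pem" "$work/leaf.pem" || true     # error 2: issuer of the intermediate is missing
echo "== trust file = root only =="
verify_with "$work/root.pem" "$work/leaf.pem" || true    # error 20: issuer of the leaf is missing
echo "== trust file = intermediate + root =="
verify_with "$work/bundle.pem" "$work/leaf.pem" || true  # OK
rm -rf "$work"
```

The same `openssl verify -CAfile` check can be pointed at the CA file a verifying host actually trusts to see which link of the chain it cannot resolve.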