I have configured Puppet Server to use an external CA, and generated the necessary keys.
My puppet.conf looks like the following:
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
ca = false
cacert = /etc/puppet/ssl/certs/bubbleshadow-ca-cert.pem
hostcert = /etc/puppet/ssl/certs/bubbleshadow-server-cert.pem
hostprivkey = /etc/puppet/ssl/private_keys/bubbleshadow-server-key.pem
ssl_client_ca_auth = /etc/puppet/ssl/certs/bubbleshadow-ca-cert.pem
[agent]
server = puppet.bubbleshadow.net
hostcert = /etc/puppet/ssl/certs/bubbleshadow-agent-cert.pem
hostprivkey = /etc/puppet/ssl/private_keys/bubbleshadow-agent-key.pem
localcacert = /etc/puppet/ssl/certs/bubbleshadow-ca-cert.pem
certificate_revocation = false
However, when I try to run puppet agent --test --debug
(on the same node as the server) I get the following output:
Debug: Using cached certificate for ca
Debug: Dynamically-bound server lookup failed, falling back to ca_server setting
Debug: Dynamically-bound port lookup failed; falling back to ca_port setting
This continues to loop until it finally errors out with:
Error: Could not run: stack level too deep
I don't understand why it's trying to do anything with a CA, since the certificate has already been signed manually with openssl.
Best Answer
If you want puppet to use an external CA (e.g. when running multiple puppetmasters), you need to include a ca_server statement in your puppet.conf. This needs to point to the server puppet is supposed to contact for CA services. Your configuration does not seem to include one.
https://docs.puppet.com/guides/scaling_multiple_masters.html#centralize-the-certificate-authority has some useful information on this.
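As an added check that is not part of the question or the answer: a small Python lint over the SSL-related settings from the puppet.conf above, which reports the missing ca_server the answer points at, confirms the three CA-bundle settings agree, and flags the disabled revocation checking. The corrected copy uses ca.example.com as a placeholder for the CA host.

```python
import configparser

def _get(cfg, setting, *sections):
    """First value of `setting` found in `sections` (section-then-[main] order), else None."""
    for sec in sections:
        if cfg.has_option(sec, setting):
            return cfg.get(sec, setting).strip()
    return None

def lint_external_ca(conf_text):
    """Return a list of findings for a puppet.conf that is meant to use an external CA."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    # ca = false: this server answers no CA requests, so the agent needs a ca_server to talk to
    ca = _get(cfg, "ca", "master", "main")
    if ca is not None and ca.lower() == "false":
        if _get(cfg, "ca_server", "agent", "main") is None:
            findings.append("ca_server: ca = false but no ca_server in [agent] or [main]")
    # the three CA-bundle settings should all name the same file
    bundles = {
        "cacert": _get(cfg, "cacert", "master", "main"),
        "ssl_client_ca_auth": _get(cfg, "ssl_client_ca_auth", "master", "main"),
        "localcacert": _get(cfg, "localcacert", "agent", "main"),
    }
    if len({v for v in bundles.values() if v}) > 1:
        findings.append("ca-bundle: cacert/ssl_client_ca_auth/localcacert disagree: %s" % bundles)
    # certificate_revocation = false disables CRL checking on the agent
    revocation = _get(cfg, "certificate_revocation", "agent", "main") or ""
    if revocation.lower() == "false":
        findings.append("certificate_revocation: false, so certificates the CA revokes stay trusted")
    return findings

# Constructed sample: the SSL-related settings from the question, unchanged.
PUPPET_CONF_FROM_QUESTION = """\
[master]
ca = false
cacert = /etc/puppet/ssl/certs/bubbleshadow-ca-cert.pem
hostcert = /etc/puppet/ssl/certs/bubbleshadow-server-cert.pem
hostprivkey = /etc/puppet/ssl/private_keys/bubbleshadow-server-key.pem
ssl_client_ca_auth = /etc/puppet/ssl/certs/bubbleshadow-ca-cert.pem
[agent]
hostcert = /etc/puppet/ssl/certs/bubbleshadow-agent-cert.pem
hostprivkey = /etc/puppet/ssl/private_keys/bubbleshadow-agent-key.pem
localcacert = /etc/puppet/ssl/certs/bubbleshadow-ca-cert.pem
certificate_revocation = false
"""

# Same file with the answer's fix applied; ca.example.com is a placeholder CA host.
PUPPET_CONF_FIXED = PUPPET_CONF_FROM_QUESTION.replace(
    "certificate_revocation = false\n", "ca_server = ca.example.com\n")
```

Running `lint_external_ca(PUPPET_CONF_FROM_QUESTION)` yields the ca_server and certificate_revocation findings; the fixed copy yields none.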