I have installed puppet server and the agent, accept the intial agent request with sudo /opt/puppetlabs/bin/puppetserver ca sign --certname mywindowshost
on the server.
I can see the certificates are placed in below and exist for the server root ca, and cert for the agent:
C:\Windows\system32>puppet agent --configprint localcacert
C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca.pem
However running the below on the agent to test it i get the following:
C:\Windows\system32>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving plugin
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
I am able to see the cert if i browser in a web browser from the agent machine to https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca
the CA cert is shown.
On the client C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf
is shown as below:
[main]
server=puppet.mydomain.com
autoflush=true
manage_internal_file_permissions=false
On the server /etc/puppetlabs/puppet/puppet.conf
is shown as below:
[master]
dns_alt_names = puppet.mydomain.com,puppet-svr1
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
[main]
certname = puppet.mydomain.com
server = puppet.mydomain.com
environment = production
runinterval = 15m
On the server can see the certs genreated:
admin@puppet-svr1:/etc/puppetlabs/puppet$ sudo /opt/puppetlabs/bin/puppetserver ca list --all
Signed Certificates:
home (SHA256) 5E:2D:70:03:B1:A4:81:50:ED:A7:10:88:FD:8E:D0:A6:85:0D:27:D9:A0:65:86:2D:D5:C6:08:B3:C9:4D:37:90
puppet.mydomain.com (SHA256) 4A:14:F1:FB:5D:23:AC:D9:D8:A3:EA:D7:F0:68:B2:7D:9C:46:4D:77:68:F7:E9:5A:3B:61:07:24:3F:20:6B:B3 alt names: ["DNS:puppet.mydomain.com", "DNS:puppet-svr1", "DNS:puppet.mydomain.com"]
All DNS is resolving, both from the server itself (to itself on its IP address) and from the agent.
Time is matched and synced between the agent and server.
I have also followed the CA reset procedure and get the exact same error https://puppet.com/docs/puppet/6.4/ssl_regenerate_certificates.html.
I have noticed that the cert given in https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca
contains two certs (one stacked on top of the other), whereas the one placed in the agent directory C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca.pem
only contains one of thee certs (between the -----BEGIN CERTIFICATE---- and -----END CERTIFICATE-----
, the top-most).
UPDATE POTENTIAL ISSUE FOUND – I have got it running now with certificate_revocation = false
and using the full chain cert from https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca
I believe i have found the issue, testing the issued auto-downloaded CA by the agent (that only had one CA) i got the following:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: CN = Puppet CA: puppet.mydomain.com
error 2 at 1 depth lookup:unable to get issuer certificate
I then replaced the chain.ca
(that had both certs on it) as ca.pem and re-ran:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: OK
However when running a test it complains about not having a CRL (indeed i cannot see a CRL URL mentioned in the generated certificate):
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=Puppet CA: puppet.mydomain.com]
Updating puppet.conf on the agent to:
[main]
server=puppet.mydomain.com
autoflush=true
manage_internal_file_permissions=false
certificate_revocation = false
And restarting the service then allowed it to run:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for home-hv1
Info: Applying configuration version '1559933691'
I am not happy running without CRL, but why is one not provided in the first place?
Any steps i have missed or doing something wrong, or is this a bug?
Any ideas what else to check please to get this working without fiddling out of the box?
Best Answer
I think in certain versions of puppetserver (or possibly when using
puppetserver ca setup
to initialize the CA) your CA gets created with an intermediate cert in the chain, but when a client cert is signed the/etc/puppetlabs/puppet/ssl/certs/ca.pem
on the client doesn't have that intermediate so you get an error like:A simple fix is downloading the full public CA key and overwriting the incorrect chain on the client. Assuming puppet.example.com is your master: