Certificate verify failed on agent run

Problem:
My new install of Foreman server with Smart Proxy (Puppet + Puppet CA) seems to lose its Root CA. Installed it on default ssl settings via foreman-installer and expected it to work out of the box.
An agent run on a test client throws the error “…[unable to get issuer certificate for /CN=PuppetCA]”.
After taking a look into the certificates on the server, I could not find a cert with the referenced issuer “Issuer: CN = Puppet Root CA”.

Expected outcome:
I expected a working setup without having to change default values or implement my own CA + cert chain.

Foreman and Proxy versions:
Foreman 1.22, Proxy 1.22

Do I need to configure something differently?

Thank you in advance,
Jens

Which versions are you using? Both Puppetserver and puppet-agent versions might make a difference. Also how you provision clients. I suspect you may be provisioning clients with a too old agent for the server.

I have been using the following setup:

On client: Ubuntu 18.04 with puppet-agent 5.4.0
On server: puppet-agent 6.7.2, puppetserver 6.5.0

Thank you very much for your help! I updated the client to 6.7 and it is working. Would not have thought about this solution by the appearance of this problem.

I think that Puppetserver version 6 has started to default to generating an intermediate CA so you can share the root but migrate to another host for the CA. Puppet-agent version 5 can’t deal with intermediate certificates that well.
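
An added example, not part of the original thread: it builds a throwaway root, intermediate and leaf certificate and runs plain `openssl verify` against two trust files, showing that a trust file holding only the intermediate yields the same "unable to get issuer certificate" error while the intermediate plus root bundle verifies. All names and files are constructed, and using `openssl verify` as a stand-in for the agent's own verification is an assumption.

```shell
#!/bin/sh
# Constructed chain: example-root -> example-int -> example-leaf (made-up names).

build_chain() {  # $1 = empty working directory
  d=$1
  cat > "$d/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  # One key and CSR per level of the chain.
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ssl.cnf" \
      -subj "/CN=example-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, then root signs the intermediate, intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ssl.cnf" -extensions ca_ext -out "$d/root.pem" 2>/dev/null || return 1
  sign "$d" int root ca_ext && sign "$d" leaf int leaf_ext || return 1
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

sign() {  # $1 dir, $2 subject name, $3 issuer name, $4 extension section
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 1 -extfile "$1/ssl.cnf" -extensions "$4" \
    -out "$1/$2.pem" 2>/dev/null
}

verify_leaf() {  # $1 = trust file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
  tmp=$(mktemp -d) && build_chain "$tmp" || return 1
  echo "== trust file holds only the intermediate =="
  verify_leaf "$tmp/int.pem" "$tmp/leaf.pem"
  echo "== trust file holds intermediate + root =="
  verify_leaf "$tmp/bundle.pem" "$tmp/leaf.pem"
  rm -rf "$tmp"
}
demo
```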