Clarification on Puppet and Puppet CA usage

Hi,

I’m trying to set up a puppet and puppet CA proxy in our lab, and could do with some clarification.

The proxy will be the puppetmaster for a bunch of servers in an isolated segment of the network, with only the proxy being able to talk back to the main foreman server (which is also a puppet server).

So, do I set up a puppet CA on this host, and have all agents signed against that?
Or, does the master foreman server remain as the CA and the proxy passes the requests back to that?
Or, does the agent try to talk back to the foreman master? (which in our case wouldn’t be allowed)

Cheers,

Darren.

1 Like

Typically I would recommend only using one Puppet CA, but this would mean one initial communication from the agents to the CA located at Foreman.

Creating a separate one will probably need some additional work as Foreman uses the Puppet certificates by default and you will need different ones for communication between agent and master, and smart proxy and Foreman, but this should be manageable.

Another option would be a proxy (a normal one like Apache as reverse proxy, not the smart proxy) on the smart proxy to route the certificate requests as there is no such mechanism built into puppetserver as far as I know, but this will also require some manual work.

1 Like
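As an added illustration of the two certificate sets Tim describes (this is not from the original thread or from the Foreman project itself): the smart proxy's own HTTPS listener keeps the certificate issued by the Foreman/main Puppet CA, while its connection to the isolated puppetserver uses a separate certificate issued by the isolated CA. Hostnames are constructed and the file paths are assumptions about a typical smart-proxy install.

```yaml
# config/settings.yml (smart proxy)
# Listener side: Foreman talks to the proxy on port 8443, so this certificate
# must chain to the CA Foreman trusts (the main Puppet CA). Paths are assumed.
:https_port: 8443
:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem              # main CA
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/proxy.lab.example.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/proxy.lab.example.pem
# Only the Foreman host may call the proxy's API.
:trusted_hosts:
  - foreman.example.com    # constructed hostname

---
# config/settings.d/puppet.yml
:enabled: https
:use_provider: puppet_proxy_puppet_api

---
# config/settings.d/puppet_proxy_puppet_api.yml
# Backend side: the proxy talks to the isolated puppetserver, which only trusts
# its own CA. Reusing the Foreman-signed certificate here is what fails, so a
# second certificate issued by the isolated CA is used instead. Paths assumed.
:puppet_url: https://puppet.lab.example:8140                        # constructed
:puppet_ssl_ca: /etc/foreman-proxy/ssl/isolated-ca.pem              # isolated CA
:puppet_ssl_cert: /etc/foreman-proxy/ssl/proxy.lab.example.isolated.pem
:puppet_ssl_key: /etc/foreman-proxy/ssl/proxy.lab.example.isolated.key
```

The certificate named in `:puppet_ssl_cert:` has to be signed by the isolated puppetserver's CA and its certname must be allowed in that server's `auth.conf`, otherwise the proxy will still be rejected even though Foreman can reach it.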

The puppet CA proxy is a proxy for running puppet CA commands on a puppet CA server rather than a proxy for the CA itself. In other words it is a proxy for the puppet cert <command> set of commands so your clients would not be able to request a certificate via the proxy but you could sign a request on that CA from your main server.

You have a few options

  1. Closed system - as you suggested. Separate CA in the network segment which can be managed from the main server. Your puppet server should be a puppet client of the main puppet server to make the communication between proxy and main server work. Nodes connected to the isolated puppet server will not be able to talk to the main puppet server, i.e. they are not portable and must get a new puppet cert if they move out of your isolated network.
  2. Make the isolated puppet CA an intermediate CA - this is complicated and comes with some significant caveats, see https://puppet.com/docs/puppetserver/5.2/intermediate_ca_configuration.html
  3. Allow your isolated clients to talk to the main CA and just run an isolated puppet server. This could be done via a standard web proxy or just a firewall rule.

Hope this helps.

1 Like

I’m still having issues with this unfortunately. Trying to set up scenario 1 from Matt’s post.

  • Puppet agent on the proxy can talk back to the main foreman server, and the puppet install there.
  • foreman server can see the proxy and list the capabilities (puppet, puppetca, tftp)
  • foreman server can’t read anything from the proxy puppet server.

Seems to me that the proxy can talk back to the foreman server (using the puppet agent certs), but can’t talk to the puppet server to get any details. I’m guessing this is because the foreman-proxy is using the agent certs that are signed by the foreman CA, but that isn’t recognised by the puppet server, as that has its own CA.

Any hints/tips/pointers?

TIA

Darren.

1 Like