Downgrade puppet from 6 to 5 on Foreman 2.0


I installed and fully configured a Foreman Server (v2.0) with a Smartproxy, providing a Puppet CA and a Puppetserver (Version 6.12).
We usually only manage systems with i386/amd64 architecture on Ubuntu 18.04. For them I downloaded the release package from Puppetlabs and installed the puppet-agent in version 6.14.

As of recently I need to be able to manage systems with arm-architecture too, but Puppetlabs does not provide release packages or puppet-agents in version 6 for arm.
As far as I understand this, Puppet 5 is not compatible with the CA structure in Puppet 6 and it would only be possible to use Puppet5-Clients with a Puppet6-Master, if the Puppet CA got migrated from 5 to 6.
I don’t mind downgrading from Puppet6 to Puppet5, if this is doable in a feasible amount of work.
Is this even possible without “destroying everything”?
Are there other solutions to my problem?
I already tried setting up a second smartproxy with Puppet5, but did not get too far.

Expected outcome:

I am able to manage clients with ARM architecture without setting up a new Foreman server.

Foreman and Proxy versions:

Foreman: 2.0.1-1
Puppet-agent: 6.16.0
Puppetserver: 6.12.0

Distribution and version:

Ubuntu 18.04 Bionic on amd64
Debian Buster on arm64

Other relevant data:

You can use Puppet 5 agents with Puppetserver 6. What is important is that by default on Puppetserver 6 we let it create an intermediate CA (by calling puppetserver ca setup). Puppet-agent 5 can’t handle that (without complex work).

If you don’t want that, you can remove your CA SSL files and restart the puppetserver process. It’ll then automatically create a new CA without an intermediate CA. Note you need to update all agents as well to accept the new CA.

That would be my recommended approach, rather than downgrading the server.

Thank you very much!

So that would imply the following steps:
on Master:

  • Stop puppetserver(and foreman)
  • Delete CA SSL files (rm -r /etc/puppetlabs/puppet/ssl/ca/)
  • Restart puppetserver/foreman

on Agents:

  • Delete SSL/Certs: (rm -r /etc/puppetlabs/puppet/ssl/certs)
  • Do an agent run

Yes - though the server is probably also an agent so rm -r /etc/puppetlabs/puppet/ssl would work better.

And you need to sign all hosts again. You may want to take a list of all certnames you currently have and add them to autosign.conf while you do the migration and then clear it out again. There’s a small security consideration there, but in most cases the Puppetserver is sufficiently firewalled off that it’s convenient and safe enough.

1 Like

Thank you! This solved my issue.

Thank you! I was having similar issues with a mixed linux/windows environment. Since there are no puppet 6 clients for windows, I was relegated to manually updating the ca.pem cert on the windows clients. This is so much simpler.

1 Like