Foreman CA puppet, how to fix this the official way?

Hey all,

When I deploy a host, everything goes fine, except the puppet CA certificates.
I know I can manually fix this, but how can I fix this in Foreman so that with my next host this problem will not appear?

When I debug I get this:

puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: foreman.telkom.be]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using ‘eval_generate’: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: foreman.telkom.be]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: foreman.telkom.be]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using ‘eval_generate’: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: foreman.telkom.be]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: foreman.telkom.be]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: foreman.telkom.be]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: foreman.telkom.be]

Foreman has some mechanism in interaction with Puppet and a Smart Proxy with the Puppet CA feature to allow the signing of the Puppet certificate during provisioning. This is explained in Foreman :: Manual

So not sure where your problem comes from as this should be set up automatically. But you can verify the settings for it, that Puppet is installed in the expected version during provisioning and executed once after installation so the certificate signing process is triggered.

It seems that if you deploy a Debian machine, it installs Puppet v5.5. So now I’m looking to change this so it’s at least v6.

The provisioning templates should use some parameter to set which version of the Puppet repository should be assigned. So you can set this as a global parameter and get the latest Puppet version. From memory, it should be something similar to enable_puppetlabs_puppet6_repo.


This article and your answer @Dirk solved my problem! Thanks!