Katello noob needs help with puppet

Hello All,

I'm a Katello noob trying to set up Foreman/Katello to replace my Spacewalk server. My main goals are to perform patch management (getting CentOS errata listed), remote execution, vulnerability scanning, and later down the road, provisioning.

At the moment, I'm having issues with my Puppet setup. I'm an experienced Linux admin, but have little to no experience with Puppet and Ansible. Currently, I have a CentOS 7 server running Katello 3.16 and Foreman 2.1. I have fully synced Cent7 repos, a CentOS 7 content view with the repos attached, published and promoted to the Development and Production lifecycles. Ansible is set up and is receiving facts from a CentOS 7 client.

Remote execution is working.
Puppet is another matter. Below are all the packages, Foreman plugins and client-side packages I installed.

On the server:
foreman 2.1
katello 3.16
puppet 6
yum -y install katello tfm-rubygem-hammer_cli_* foreman-proxy-content
foreman-installer --scenario katello --enable-foreman-plugin-ansible \
                                     --enable-foreman-plugin-bootdisk \
                                     --enable-foreman-plugin-discovery \
                                     --enable-foreman-plugin-hooks \
                                     --enable-foreman-plugin-openscap \
                                     --enable-foreman-plugin-remote-execution

yum install tfm-rubygem-foreman_ansible tfm-rubygem-smart_proxy_ansible tfm-rubygem-foreman_ansible rubygem-smart_proxy_ansible ansible

foreman-installer --enable-foreman-plugin-ansible --enable-foreman-proxy-plugin-ansible \
                  --enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-

I registered my client as follows:

curl --insecure --output katello-ca-consumer-latest.noarch.rpm https://katelloserver316.localdomain/pub/katello-ca-consumer-latest.noarch.rpm
yum localinstall katello-ca-consumer-latest.noarch.rpm
subscription-manager register --org="OrgName" --activationkey="CentOS7_Key"
mkdir /etc/yum.repos.d/old ; mv /etc/yum.repos.d/CentOS-* /etc/yum.repos.d/old; mv /etc/yum.repos.d/epel* /etc/yum.repos.d/old
yum install -y https://yum.theforeman.org/client/2.1/el7/x86_64/foreman-client-release.rpm
yum -y install katello-host-tools katello-host-tools-tracer

When I run hammer puppet-environment list, I get:
ID | NAME      
1  | production
2  | Production

I've reinstalled the Katello server from scratch a couple of times and followed instructions from the official site as well as suggestions from other sites. The last one I followed had me run this as a remote execution job to the client.

yum -y localinstall https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
yum install -y puppet-agent
content=$(hostname -a)  # capture the host's alias via command substitution
/opt/puppetlabs/puppet/bin/puppet config set --section agent server katelloserver316.localdomain ## katello server hostname
/opt/puppetlabs/puppet/bin/puppet config set --section agent certname ${content}katelloserver316.localdomain
/opt/puppetlabs/puppet/bin/puppet config set --section agent runinterval 1800
/opt/puppetlabs/puppet/bin/puppet config set --section agent environment Production
/opt/puppetlabs/puppet/bin/puppet config set --section agent listen false
/opt/puppetlabs/puppet/bin/puppet config set --section agent report true
/opt/puppetlabs/puppet/bin/puppet config set --section agent usecacheonfailure true
/opt/puppetlabs/puppet/bin/puppet config set --section agent pluginsync true
systemctl enable puppet
systemctl restart puppet

When I ran /opt/puppetlabs/bin/puppet agent -t --server katelloserver316.localdomain I was getting a number of errors. I made some changes to the above code block, and it then prompted me to sign the cert on the server, which I did. I now get:

Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for katelloserver316.localdomain
Info: Certificate Request fingerprint (SHA256): 36:06:41:0D:6C:78:CC:B2:5C:B4:C3:55:F6:AC:F0:BA:08:5F:0A:62:E9:2C:8A:91:A9:EB:42:FA:BB:B6:55:9D
Info: Downloaded certificate for katelloserver316.localdomain from https://katelloserver316.localdomain:8140/puppet-ca/v1
Error: The certificate for 'CN=katelloserver316.localdomain' does not match its private key
Error: Could not run: The certificate for 'CN=katelloserver316.localdomain' does not match its private key

Not surprisingly, the server isn't receiving any Puppet facts from the client.

I had a number of issues on previous installs and got Puppet errors running Puppet remote execution jobs and OpenSCAP scans.

I might be able to resolve the cert issue if I tried long enough. But I first want to know if I'm on the right track or not. Can anyone suggest the proper way to set up Puppet from A to Z on both the client and server, including installing and setting up modules? I'm not overly familiar with Git either.

Do I even need Puppet to reach my desired goals, patch management with CentOS errata listed, OpenSCAP and provisioning of new boxes, if I have Ansible installed?

Thank You

OK, so I messed around with some parameters in the client's puppet.conf and regenerated the server-side and client-side certs. I reran /opt/puppetlabs/bin/puppet agent -t --server katelloserver316.localdomain
Here is the output:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Failed to find katelloserver316.localdomain.pem via
exec: Execution of '/etc/puppetlabs/puppet/node.rb katelloserver316.localdomain.pem' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for katelloserver316.localdomain.pem
Info: Applying configuration version '1602709084'

I now receive Puppet facts under the host on the server. Are those errors “important”? Are they impacting anything?

Now I think I need to figure out how to set up the Puppet modules on the server.
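
In the first post's agent log, the certificate request is created for katelloserver316.localdomain, the same name the job configures as `server`, and the run then fails with a certificate/private-key mismatch. The following is an added example, not part of the original posts and not Foreman or Puppet project code: two checks a client can run before contacting the CA. The function names are hypothetical, the sample puppet.conf is constructed, and the certificate and key paths are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): checks on a Puppet agent's TLS identity.

# Print KEY from a puppet.conf, letting [agent] override [main] as Puppet does.
conf_get() {  # usage: conf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next }
        /^[ \t]*#/  { next }
        {
            n = index($0, "="); if (!n) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val[section] = v
        }
        END { if ("agent" in val) print val["agent"]
              else if ("main" in val) print val["main"] }
    ' "$1"
}

# Succeed when a client's certname is unset (Puppet then uses the host's FQDN)
# or differs from the server name. Not meant for the agent on the server itself.
certname_distinct() {  # usage: certname_distinct FILE
    cn=$(conf_get "$1" certname)
    srv=$(conf_get "$1" server)
    [ -z "$cn" ] || [ "$cn" != "$srv" ]
}

# Succeed when the certificate in CERT carries the public key derived from KEY.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample mirroring the settings the post's job would write.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[agent]
server = katelloserver316.localdomain
certname = katelloserver316.localdomain
environment = Production
EOF
if certname_distinct "$sample"; then
    echo "certname OK"
else
    echo "certname equals server: agent would claim the server's identity"
fi
rm -f "$sample"
```

On a Puppet 6 agent the files to pass to `cert_matches_key` are normally `/etc/puppetlabs/puppet/ssl/certs/<certname>.pem` and `/etc/puppetlabs/puppet/ssl/private_keys/<certname>.pem`.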