Puppet 3 to 4 upgrade - standalone CA Server/proxy steps?

Hey All,

Almost complete with my Puppet 3 to 4 upgrade in my test environment using Foreman 1.14.3 - been using the steps here: Upgrading from Puppet 3 to 4 - Foreman with small modifications where needed.

Where I'm at:

  • All Puppet Masters are running PuppetServer (and agent) 4.9.4 and puppet runs are working
  • Foreman Provisioning with 3.8.2 puppet agent in kickstart file(s) is still working fine
  • 3.8.2 puppet agents are connecting and working/running fine as well
  • All Foreman infrastructure servers (smart proxies, foreman, puppet master, etc.) are running puppet 4.9.4 agent with no issues
  • Part of the test environment is upgraded to puppet agent 4.9.4 with no issues (the rest is still at 3.8.2 with no issues)

I hit a snag this AM - I went to swap out the puppet agent we are deploying via kickstart to 4.9.4 - but it seems this version cannot request a certificate for some reason (at least that is my understanding).

We have a standalone CA - meaning the only role(s) installed on that smart proxy server are: Puppet CA and Logs. I therefore did not run the foreman-installer command outlined in the wiki above (I did run it on our puppet masters though) as it didn't seem like it mattered, I just updated the puppetca.yml file to use the new paths (per the manual steps outlined on the wiki) after installing the puppet 4.x agent. Of note is that 3.x puppet agents seem to have no issue requesting a certificate at build time and working as expected.

The error my 4.x agent is throwing is: Error 400 on SERVER: The environment must be purely alphanumeric, not 'puppet-ca'

  • My puppet.conf has a valid alphanumeric environment (not puppet-ca)
  • Forcing the puppet run with a "puppet agent -t -environment production" produce the same error
  • Google shows this is a common error when your AGENT is newer than your puppet Server - however in this case my puppet server is 4.9.4 for sure, and my agent is 4.9.4. I don't believe it matters - but the puppet AGENT version of my CA-only smart-proxy is also 4.9.4 at this point (and completing puppet runs successfully)

I "believe" my issue is somewhere on the CA server itself because I see similar errors logged on the CA smart proxy when a 4.X agent tries to request a new certificate:
Nov 3 14:46:44 CASERVERHOSTNAME puppet-master[35316]: The environment must be purely alphanumeric, not 'puppet-ca'

So - to you experts out there - does anyone have any idea what upgrade step(s) im missing? Maybe it's as simple as running the foreman-installer command referenced in the Upgrade doc above on the CA smart proxy as well, or maybe I only need to run it with a few of the switches, as my CA server is not also a puppet master?

Thanks' in advance for any help/suggestions/tips you all might have!

~Jason Lang

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.