Puppet clients not being integrated on provisioning

Provisioning a new machine works in that the machine is created and the incoming cert is signed by the puppetserver ca (with the correct hostname). However all puppet runs on the machine fail with:

Warning: Unable to fetch my node definition, but the agent run will continue:
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 73b4e7d97d4d70]

I would expect puppet agents comms to work in this situation, as I have verified that the certname on the client machine matches the hostname, and the signed cert on the master. The fingerprints match too.

Foreman 1.22. Puppet v 6 was installed by foreman-installer (I don’t remember choosing a version). The highest puppet agent version I have tested on the client is 5.


[root@foreman ~]# sudo -u puppet /bin/bash
bash-4.2$ /etc/puppetlabs/puppet/node.rb foobar.com

Returns the correct yaml.

I’m thinking this is the same as Newly provisioned machines not doing Puppet runs

The issue is that Puppetserver 6 by default generates an intermediate certificate but Puppet agents prior to 6 don’t handle that. Probably best to upgrade your agents to version 6 but if that’s not possible then https://puppet.com/docs/puppetserver/6.5/intermediate_ca.html suggests you can remove the CA setup and restart the server to generate a new CA without an intermediate cert.

Thanks, I recreated the CA as suggested and it now works.