Provisioning a new machine works in that the machine is created and the incoming cert is signed by the puppetserver ca (with the correct hostname). However, all puppet runs on the machine fail with:
Warning: Unable to fetch my node definition, but the agent run will continue:
...
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 73b4e7d97d4d70]
I would expect puppet agent comms to work in this situation, as I have verified that the certname on the client machine matches the hostname and the signed cert on the master. The fingerprints match too.
Foreman 1.22. Puppet v 6 was installed by foreman-installer (I don’t remember choosing a version). The highest puppet agent version I have tested on the client is 5.
[root@foreman ~]# sudo -u puppet /bin/bash
bash-4.2$ /etc/puppetlabs/puppet/node.rb foobar.com
Returns the correct yaml.