Puppet ENC SSL issue on new install

Re-posting this as I accidentally put it in the wrong category and don’t seem to be able to move it.

I cannot get the node.rb Puppet ENC to work on a new installation. It’s giving SSL errors due to using the wrong client cert. foreman.yaml is referencing a Puppet CA signed cert.

/etc/puppetlabs/puppetserver/ca/ca_crt.pem

Looking at an older (working) installation I see it’s using the Katello CA, which makes sense as that’s what it’s authenticating against.

/etc/pki/katello/puppet/puppet_client_ca.crt

So I could use the installer params to change the reference

--puppet-server-foreman-ssl-*

But my installation has not created a key and cert in that directory. So I’m a bit stuck, I can’t see a param to pass to the installer to force creation of that key/cert. The only way forward I can see is to manually create the key and sign it with the Katello CA. But surely the installer should handle that?

This is how I’m calling the installer

foreman-installer \
--scenario katello \
--tuning development \
--enable-foreman-plugin-puppet \
--foreman-initial-admin-password XXXX \
--foreman-initial-organization "CTO" \
--foreman-initial-location "EUW2" \
--certs-cname ha-sat.eu-west-2.compute.internal \
--enable-puppet \
--enable-foreman-proxy \
--puppet-server true \
--foreman-proxy-puppet true \
--foreman-proxy-puppetca true \
--puppet-autosign-entries '*.eu-west-2.compute.internal'

Foreman: 3.4
Katello: 4.6

Figured it out, was missing

--foreman-proxy-content-puppet true
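
To confirm which of the two CAs named above actually issued the client certificate that node.rb presents, the check below reads the certificate path from foreman.yaml and verifies it against each candidate CA. It is an added example, not part of the original post or of the Foreman project; it assumes the settings file holds the path under a `:ssl_cert:` key on one line, and the function names and the location of foreman.yaml (passed as an argument) are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: find out which CA signed the ENC client certificate.
# Assumption: foreman.yaml stores settings as ":key: value", one per line.

# Print the value of one setting, without quotes or trailing whitespace.
# usage: enc_setting <foreman.yaml> <key>
enc_setting() {
    sed -n -e 's/[[:space:]]*$//' -e "s/^:$2:[[:space:]]*//p" "$1" \
        | tr -d "\"'" | head -n 1
}

# Return 0 when the configured client cert chains to the given CA file,
# 2 when the cert cannot be read, non-zero otherwise.
# usage: enc_cert_signed_by <foreman.yaml> <ca.pem>
enc_cert_signed_by() {
    local cert
    cert=$(enc_setting "$1" ssl_cert)
    [ -r "$cert" ] || { echo "ssl_cert not readable: $cert" >&2; return 2; }
    openssl verify -CAfile "$2" "$cert" >/dev/null 2>&1
}

# Print the client cert's issuer, then OK/FAIL for every candidate CA.
# usage: enc_report <foreman.yaml> <ca.pem>...
enc_report() {
    local yaml cert ca
    yaml=$1; shift
    cert=$(enc_setting "$yaml" ssl_cert)
    echo "ssl_cert: $cert"
    openssl x509 -noout -issuer -in "$cert"
    for ca in "$@"; do
        if enc_cert_signed_by "$yaml" "$ca"; then
            echo "OK   signed by $ca"
        else
            echo "FAIL not signed by $ca"
        fi
    done
}

# Example call, using the two CA paths quoted in the post:
#   enc_report <path to foreman.yaml> \
#       /etc/puppetlabs/puppetserver/ca/ca_crt.pem \
#       /etc/pki/katello/puppet/puppet_client_ca.crt
```

A FAIL against the CA that Foreman authenticates clients with matches the SSL errors described in the post.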