Puppet SSL certificate error when using third party certificate for Foreman

Hi all,

Trying to deploy Foreman 1.9.1 (foreman + proxy + master all on the same
server) with a third party certificate (from Comodo in our case) for the
webserver. Followed the instructions on
http://www.zem.org.uk/2015/05/11/foreman-ssl/ but puppet won't run!

I put the third party certificate files in /etc/foreman/tls/. The apache
vhost is configured as instructed:

SSL directives

> SSLEngine on
> SSLCertificateFile "/etc/foreman/tls/certificate.crt"
> SSLCertificateKeyFile "/etc/foreman/tls/private.key"
> SSLCertificateChainFile "/etc/foreman/tls/ca_chain.pem"
> SSLCACertificatePath "/etc/ssl/certs"
> SSLCACertificateFile "/var/lib/puppet/ssl/certs/ca.pem"
> SSLCARevocationFile "/var/lib/puppet/ssl/ca/ca_crl.pem"
> SSLCARevocationCheck "chain"
> SSLVerifyClient optional
> SSLVerifyDepth 3
> SSLOptions +StdEnvVars

openssl s_client without a CAfile fails, of course, but remarkably both of
these do result in a "Verify return code: 0 (ok)":

> openssl s_client -connect <hostname>:443 -CAfile /var/lib/puppet/ssl/certs/ca.pem
> openssl s_client -connect <hostname>:443 -CAfile /etc/foreman/tls/ca_chain.pem

Foreman runs just fine but puppet won't run. If I set :ssl_ca in
/etc/puppet/foreman.yaml to either puppet's ca.pem or my third party CA
chain file I get:

/etc/puppet/node.rb <hostname>

> SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

If I unset :ssl_ca then puppet will run. If I concatenate puppet's ca.pem
and my third party ca_chain.pem and point :ssl_ca to the concatenated CA
file then puppet will also run. I don't think that's supposed to be done
to get this to work.

So how am I supposed to get this to work?

Thanks for the help!