Puppet SSL directory install options

Hello. I’m getting started with foreman 1.17 and doing a pretty close to default install with foreman and puppet 5 on the same host. However I want to change the directory in which puppet server stores its client certificates so that it’s under /var instead of /etc. I’m having trouble understanding the difference between these install options:

--foreman-puppet-ssldir
--foreman-proxy-ssldir
--puppet-server-ssl-dir
--puppet-ssldir

The blurb for each in the installer’s help is too brief for me to understand what they do, especially with my newbishly weak understanding of how all the parts work together. Can someone describe them in a bit more detail?

Thanks!

I can describe it in a rather short way, but hope this is enough to be helpful.

--puppet-server-ssl-dir is the one of the Puppet server, so it is the one containing the Puppet CA and all other files required, like certificate requests and signed certificates (probably the one you want to change). All the other directories are for the specific software components which use certificates issued by the CA, so --foreman-puppet-ssldir is for Foreman itself, --foreman-proxy-ssldir is for Smart Proxy (the communication interface between Foreman and managed services) and --puppet-ssldir is for the Puppet client.

That’s perfect, thank you!


Unfortunately, installation using that option did not go well. Apache was unable to start because the foreman config has it looking in directories under /etc/puppetlabs/puppet/ssl for the foreman web server’s ssl cert, key, and intermediate cert (chain file), as well as files dealing with client cert checking, but none of those files existed. I generated and added key & cert files manually, and commented out the client cert configs which allowed apache to start. However I’m not clear on whether the client cert configs are necessary. If not, why are they there?

With apache running I was able to log into the web interface and discovered that the node on which foreman is running does not appear as a host. With the all-defaults installation it did show up as the first host. So it’s pretty clear something is amiss.

Here is the full installation command I ran with just the domain name changed, in case there is some other option I chose gumming up the works. Note that I have a local EPEL mirror, so I didn’t want that config overwritten.

foreman-installer --foreman-puppetrun=true --foreman-configure-epel-repo=false --puppet-server-puppetserver-vardir=/var/opt/puppetlabs/server --puppet-server-ssl-dir=/var/opt/puppetlabs/server/ssl --puppet-server-certname="puppet.example.com"

Any ideas where I’ve gone wrong?

I fear you have to set all the ssl parameters to point to the files created in /var/opt/puppetlabs/server/ssl for an all-in-one installation. It seems like it is not copying over certificates and just pointing to them in the configuration.

The host will appear after the first successful puppet agent run, so perhaps it also ran into an SSL problem.
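The two replies above make the same practical point: the Foreman web server, the Foreman client-side (puppet-run / ENC) connection and Smart Proxy each get their own certificate and key paths, and when the Puppet CA is moved out of /etc/puppetlabs/puppet/ssl every one of those paths has to be pointed at the new location, or Apache will reference files that do not exist. The script below is an added example, not code from the thread or from the Foreman project. It assumes the standard Puppet 5 ssldir layout (certs/ca.pem, certs/CERTNAME.pem, private_keys/CERTNAME.pem, ca/ca_crl.pem), that the CA and the agent share one ssldir on the all-in-one host as in the poster's setup, and that the installer accepts the --foreman-server-ssl-*, --foreman-client-ssl-*, --foreman-proxy-ssl-* and --foreman-proxy-foreman-ssl-* options as printed by foreman-installer --help for that release; check the option names against your own installer's help output before running the generated command. It lists the files Foreman will look for, fails loudly on any that are missing (the condition that kept Apache from starting), optionally confirms that the certificate and private key belong together, and prints the matching installer flags.

```shell
#!/bin/sh
# Added example: pre-flight check for a relocated Puppet 5 ssldir on an
# all-in-one Foreman host. Not part of the thread or of foreman-installer.
# Assumptions: standard Puppet 5 ssldir layout; installer option names as
# in `foreman-installer --help` (verify them for your release); paths
# contain no whitespace.

# Print the absolute path of every file Foreman, its client-side
# connection and Smart Proxy will reference, one per line.
expected_ssl_files() {
  ssldir=$1; certname=$2
  printf '%s\n' \
    "$ssldir/certs/ca.pem" \
    "$ssldir/certs/$certname.pem" \
    "$ssldir/private_keys/$certname.pem" \
    "$ssldir/ca/ca_crl.pem"
}

# Return 0 if every expected file exists and is readable, 1 otherwise.
# Each missing file is reported on stderr so you can see what the Apache
# vhost would trip over before running the installer.
check_ssl_files() {
  ssldir=$1; certname=$2; rc=0
  for f in $(expected_ssl_files "$ssldir" "$certname"); do
    [ -r "$f" ] || { echo "MISSING: $f" >&2; rc=1; }
  done
  return $rc
}

# Return 0 if the certificate's public key matches the private key
# (or if openssl is not installed, in which case the check is skipped),
# 1 if they differ. A mismatch is the other common reason Apache refuses
# to start after certificates are generated by hand.
cert_key_match() {
  crt=$1; key=$2
  command -v openssl >/dev/null 2>&1 || return 0
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# Print the installer flags that point every component at the relocated
# ssldir. The CA cert doubles as the chain file because the Puppet CA is
# a self-signed root with no intermediate.
installer_ssl_flags() {
  ssldir=$1; certname=$2
  ca="$ssldir/certs/ca.pem"
  crt="$ssldir/certs/$certname.pem"
  key="$ssldir/private_keys/$certname.pem"
  crl="$ssldir/ca/ca_crl.pem"
  printf ' --%s=%s' \
    foreman-server-ssl-ca "$ca" \
    foreman-server-ssl-chain "$ca" \
    foreman-server-ssl-cert "$crt" \
    foreman-server-ssl-key "$key" \
    foreman-server-ssl-crl "$crl" \
    foreman-client-ssl-ca "$ca" \
    foreman-client-ssl-cert "$crt" \
    foreman-client-ssl-key "$key" \
    foreman-proxy-ssl-ca "$ca" \
    foreman-proxy-ssl-cert "$crt" \
    foreman-proxy-ssl-key "$key" \
    foreman-proxy-foreman-ssl-ca "$ca" \
    foreman-proxy-foreman-ssl-cert "$crt" \
    foreman-proxy-foreman-ssl-key "$key"
  echo
}

# Stand-alone usage: ./ssldir-check.sh /var/opt/puppetlabs/server/ssl puppet.example.com
if [ $# -eq 2 ]; then
  check_ssl_files "$1" "$2" || exit 1
  cert_key_match "$1/certs/$2.pem" "$1/private_keys/$2.pem" \
    || { echo "certificate and key do not match" >&2; exit 1; }
  echo "foreman-installer --puppet-server-ssl-dir=$1 --puppet-server-certname=$2$(installer_ssl_flags "$1" "$2")"
fi
```

Run it after the first (failed) installer pass, once puppetserver has created the CA under the new ssldir, and append the printed flags to the original foreman-installer command. If it reports missing files, the agent on the host itself has most likely not completed a run either, which also explains why the host did not appear in the web interface.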