I first run this:
neosmfs# puppet agent -t
Info: Creating a new SSL key for neosmfs.lab-puppet
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for neosmfs.lab-puppet
Info: Certificate Request fingerprint (SHA256): 65:C3:D3:4F:BD:0A:3C:C2:50:21:CF:A2:2F:2A:22:BF:72:37:AE:71:EA:2F:B1:3D:7D:22:E4:D3:3C:09:AB:D8
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
Then I sign the certificate in the web interface and re-run puppet agent:
Info: Caching certificate for neosmfs.lab-puppet
Error: Could not request certificate: request https://foreman-pierre.lab-puppet:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Exiting; failed to retrieve certificate and waitforcert is disabled
Subsequent runs give this:
neosmfs# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Info: Retrieving pluginfacts
Error: /File[/var/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Error: /File[/var/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Info: Retrieving plugin
Error: /File[/var/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Error: /File[/var/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
I have never set up an intermediate CA…
Anyway, if I look in /etc/puppetlabs/puppet/ssl/ca, I find a ca_crt.pem:
root@foreman-pierre:/etc/puppetlabs/puppet/ssl/ca# openssl x509 -in ca_crt.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Puppet Root CA: 55c855dce7d755
        Validity
            Not Before: Dec 11 10:26:29 2019 GMT
            Not After : Dec  8 10:26:31 2034 GMT
        Subject: CN = Puppet CA: foreman-pierre.lab-puppet
But I can’t find this “Puppet Root CA” certificate. I finally found it at the bottom of the previous file, so I copied it to a separate file to analyze it:
root@foreman-pierre:/etc/puppetlabs/puppet/ssl/ca# openssl x509 -in /tmp/root.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Puppet Root CA: 55c855dce7d755
        Validity
            Not Before: Dec 11 10:26:29 2019 GMT
            Not After : Dec  8 10:26:31 2034 GMT
        Subject: CN = Puppet Root CA: 55c855dce7d755
So it seems you’re right and there is an intermediate CA.
Using your link and some research (as the configuration guide link in your doc is dead), I finally found the instructions here: https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html#configure-puppet-agent-certificaterevocation-checking
So I ran on the client:
puppet config set --section main certificate_revocation leaf
This adds the last line to this file:
neosmfs# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[main]
server=foreman-pierre.lab-puppet
certificate_revocation = leaf
The result is the same:
neosmfs# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Info: Retrieving pluginfacts
Error: /File[/var/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Error: /File[/var/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Info: Retrieving plugin
Error: /File[/var/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Error: /File[/var/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (self signed certificate in certificate chain): [self signed certificate in certificate chain for /CN=Puppet Root CA: 55c855dce7d755]