Package: puppetserver
Version: 7.9.5-1
Severity: important

A new setup by "puppetserver setup ca" results in an incomplete certificate chain being served by puppetserver.
| # openssl s_client -connect localhost:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem -cert /var/lib/puppet/ssl/certs/debian-sid..pem -key /var/lib/puppet/ssl/private_keys/debian-sid..pem
| CONNECTED(00000003)
| Can't use SSL_get_servername
| depth=2 CN = Puppet Root CA: 327ca764109ce8
| verify return:1
| depth=1 CN = Puppet CA: debian-sid.
| verify return:1
| depth=0 CN = debian-sid.
| verify return:1
| ---
| Certificate chain
|  0 s:CN = debian-sid.
|    i:CN = Puppet CA: debian-sid.
|    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
|    v:NotBefore: Feb 26 08:40:57 2023 GMT; NotAfter: Feb 23 08:41:02 2038 GMT
| ---

The certificate chain is:

- Server
- Puppet CA
- Puppet Root CA

So a server must provide in its TLS setup:

- Server
- Puppet CA

Only the root CA is left out as trust anchor. However in this Puppet setup, the server only provides the server certificate, not the intermediate.

Regards,
Bastian

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
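The following is an added example, not part of the bug report and not puppetserver's own code. It rebuilds the three-tier layout the report describes (Root CA -> intermediate CA -> server certificate) with the openssl command line tool, then plays the client's role with "openssl verify": the client trusts only the root, and the bundle the server would send is used as the untrusted pool. With the leaf alone (the situation in this report) verification fails; with the leaf plus the intermediate it succeeds. All subjects, file names and the working directory are constructed for the demo; it assumes only that an openssl binary (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Added example, not from the bug report: demonstrate why a server behind a
# Root CA -> intermediate CA chain must send the intermediate together with
# its own certificate. Everything below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: a dn section (openssl req insists on one even when
# -subj is given) and the extension profiles for CA and server certificates.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ignored
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example
EOF

# Generate an EC key plus CSR for subject CN=$1 into $WORK/$2.key and $WORK/$2.csr.
newkey_and_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/demo.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
}

make_chain() {
    # Root CA: self-signed; this is the client's trust anchor (the role of ca.pem above).
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/demo.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -days 365 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA signed by the root (the "Puppet CA" tier).
    newkey_and_csr "Demo Intermediate CA" int
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions v3_ca \
        -out "$WORK/int.pem" 2>/dev/null
    # Server certificate signed by the intermediate.
    newkey_and_csr "server.example" server
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions v3_server \
        -out "$WORK/server.pem" 2>/dev/null
    # What a correctly configured server sends: its own certificate first, then the intermediate.
    cat "$WORK/server.pem" "$WORK/int.pem" > "$WORK/chain.pem"
}

# Number of PEM certificates in a bundle (1 = leaf only, as seen in the report).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Emulate the client: trust only $1 (the root), use the served bundle $2 as the
# untrusted pool, and verify the first certificate in that bundle (the leaf).
verify_served() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

served_leaf_only()         { verify_served "$WORK/root.pem" "$WORK/server.pem"; }
served_with_intermediate() { verify_served "$WORK/root.pem" "$WORK/chain.pem"; }

make_chain
echo "certificates in leaf-only bundle: $(count_certs "$WORK/server.pem")"
echo "certificates in full bundle:      $(count_certs "$WORK/chain.pem")"
if served_leaf_only; then
    echo "leaf only: verified (unexpected)"
else
    echo "leaf only: verification fails, the client cannot find the intermediate issuer"
fi
if served_with_intermediate; then
    echo "leaf + intermediate: verified against the root trust anchor"
fi
```

The same check can be applied to a live service by saving the output of "openssl s_client -showcerts" into a file and passing that file as the served bundle: if it holds a single certificate, as in the s_client transcript above, clients that only carry the root will fail exactly as served_leaf_only does here.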