On Fri, Jan 4, 2019 at 2:03 PM 'Michael Post' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> Hello,
>
>>
>> Am Freitag, 4. Januar 2019 22:21:47 UTC+1 schrieb Michael Post:
>>
>>> Hello,
>>>
>>> Yesterday and today I set up a new Debian Stretch VM and want to install
>>> a fresh environment with puppetserver 6.
>>>
>>>>
>>>> Sometimes it is good to write and think and read more and more.
> I solved my problem.
> The exact steps are written in the documentation but you have to find it.
>
> It is written under
>
> https://puppet.com/docs/puppet/5.3/config_ssl_external_ca.html#option-2-puppet-server-functioning-as-an-intermediate-ca
>
> Puppet agent
> You need to do two things to prepare Puppet agent for this CA
> configuration:
> If you copy this file into place before the first Puppet run, you will not
> receive any errors. If you attempt a Puppet run prior to this file being
> present you will receive errors since the auto-distributed ca.pem file
> doesn't include the root CA.
> Example error:
> Error: Could not request certificate: SSL_connect returned=1 errno=0
> state=error: certificate verify failed: [unable to get local issuer
> certificate for /CN=<server>]
>
> Copy the CA bundle in place prior to a Puppet run.
>
> Disable certificate revocation validation.
>
> Copy the CA bundle you created to /etc/puppetlabs/puppet/ssl/certs/ca.pem on
> every agent node.
> Set certificate_revocation = false in the [main] section of puppet.conf
> on every agent node:
>
> [main]
> certificate_revocation = false
>
> Once you’ve completed both of these steps, the agent can run successfully.
>
> Have a nice weekend,
>
> Michael
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/ed78a062-6db1-4636-bb78-c2bfbb01cb90%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/ed78a062-6db1-4636-bb78-c2bfbb01cb90%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

One clarification. Puppetserver6 has a new workflow for importing an
external CA certificate, and issuing an intermediate puppet CA from that.
Also puppet6 agents will correctly download the CA bundle and process
multiple CRLs, so it is not necessary to disable CRL checking. However the
steps you outlined are required for puppet5 agents talking to puppetserver6
when it is using intermediate CA certs, as older agents don't process
multiple CRLs correctly.

See https://puppet.com/docs/puppetserver/6.1/intermediate_ca.html for more
details.

Josh
-- 
Josh Cooper | Software Engineer
j...@puppet.com | @coopjn
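The two points in this thread (the agent's ca.pem must carry the external root as well as the Puppet intermediate, and crl.pem with an intermediate CA holds two CRLs that must both be loaded), as an added example that is not part of the thread and not Puppet's own code. It uses Ruby's stdlib OpenSSL, the library the agent itself runs on, to build a constructed root -> "Puppet CA" intermediate -> server chain, then verifies the server cert the way an agent does. The CA names, the helper functions (issue_cert, issue_crl, certs_in, crls_in, bundle_has_root?, agent_verify, scenarios) and the "read crl.pem as a single CRL" model of the older agent behaviour are assumptions for illustration.

```ruby
# Added example (not Puppet's code): model the intermediate-CA layout from the
# thread with Ruby's stdlib OpenSSL, the same library the Puppet agent uses.
require 'openssl'

DIGEST = 'SHA256'

# Hypothetical helper: issue an X.509 cert; no issuer_cert means self-signed.
def issue_cert(subject, key, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  # keyCertSign on the self-signed root is what lets OpenSSL accept it as a trust anchor.
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Hypothetical helper: an empty CRL (nothing revoked) signed by a CA.
def issue_crl(ca_cert, ca_key)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  crl
end

# Certificate.new / CRL.new read only the FIRST object in a PEM bundle. Split
# on the PEM markers so every cert or CRL in ca.pem / crl.pem gets loaded.
def pem_objects(bundle, kind, klass)
  bundle.scan(/-----BEGIN #{kind}-----.*?-----END #{kind}-----/m).map { |p| klass.new(p) }
end

def certs_in(bundle)
  pem_objects(bundle, 'CERTIFICATE', OpenSSL::X509::Certificate)
end

def crls_in(bundle)
  pem_objects(bundle, 'X509 CRL', OpenSSL::X509::CRL)
end

# Pre-run check for an agent's ca.pem: is a self-signed root in the bundle?
def bundle_has_root?(bundle)
  certs_in(bundle).any? { |c| c.issuer == c.subject && c.verify(c.public_key) }
end

# Verify a server cert the way an agent does: trust store built from ca.pem,
# untrusted chain from the TLS handshake, CRL checking only when crls are
# given (crls: nil models certificate_revocation = false).
def agent_verify(server_cert, ca_bundle, crls: nil, presented: [])
  store = OpenSSL::X509::Store.new
  certs_in(ca_bundle).each { |c| store.add_cert(c) }
  if crls
    crls.each { |crl| store.add_crl(crl) }
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  end
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert, presented)
  ok = ctx.verify
  [ok, ok ? 'ok' : ctx.error_string]
end

# Constructed PKI: external root -> Puppet CA (intermediate) -> puppetserver.
ROOT_KEY, INTER_KEY, SERVER_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT   = issue_cert('/CN=Example Root CA', ROOT_KEY, serial: 1, ca: true)
INTER  = issue_cert('/CN=Puppet CA', INTER_KEY, serial: 2, ca: true, issuer_cert: ROOT, issuer_key: ROOT_KEY)
SERVER = issue_cert('/CN=puppet.example.com', SERVER_KEY, serial: 3, ca: false, issuer_cert: INTER, issuer_key: INTER_KEY)

AUTO_CA_PEM = INTER.to_pem               # models the auto-distributed ca.pem: no root
FULL_CA_PEM = ROOT.to_pem + INTER.to_pem # the bundle the docs say to copy into place
CRL_BUNDLE  = issue_crl(INTER, INTER_KEY).to_pem + issue_crl(ROOT, ROOT_KEY).to_pem

# The situations from the thread, keyed by name => [ok, reason].
def scenarios
  {
    no_root:        agent_verify(SERVER, AUTO_CA_PEM),
    full_bundle:    agent_verify(SERVER, FULL_CA_PEM),
    # an agent that reads crl.pem as ONE CRL only gets the first one in the bundle
    first_crl_only: agent_verify(SERVER, FULL_CA_PEM, crls: [OpenSSL::X509::CRL.new(CRL_BUNDLE)]),
    all_crls:       agent_verify(SERVER, FULL_CA_PEM, crls: crls_in(CRL_BUNDLE))
  }
end

if $PROGRAM_NAME == __FILE__
  puts "root in auto ca.pem: #{bundle_has_root?(AUTO_CA_PEM)}, in bundle: #{bundle_has_root?(FULL_CA_PEM)}"
  scenarios.each { |name, (ok, why)| puts format('%-15s %-5s %s', name, ok, why) }
end
```

Run it with plain `ruby`; no network or files are touched. The no_root case fails with an "issuer certificate" error (OpenSSL reports it as "unable to get issuer certificate" or "unable to get local issuer certificate" depending on version and on what the server presents), full_bundle passes, first_crl_only fails with "unable to get certificate CRL" because the intermediate's own revocation status cannot be checked without the root's CRL, and all_crls passes. bundle_has_root? is the check worth running against /etc/puppetlabs/puppet/ssl/certs/ca.pem before the first agent run.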
