From what I saw, the new architecture is an Intermediate Signing Cert, 
signed by a bare *key*.  I'm not sure how I could copy that to an agent and 
have it trusted.

> turn off your master, delete your ssldir and restart it to have it create a 
> self signed root.
>
This is what I want to do!  But I'm not sure what options to set during 
installation/setup to turn that off.

 
On Saturday, November 16, 2019 at 4:46:01 PM UTC-5, Justin Stoller wrote:
>
> Depending on your security inclinations you might try turning crl checking 
> off on your 5.5 agent (iirc, that was the biggest issue - if not the only 
> issue). You might have to also copy the signed cert over to the agent too).
>
> Otherwise, you may be able to turn off your master, delete your ssldir and 
> restart it to have it create a self signed root. Make sure the agent on the 
> master can then check in. I don't remember how that cert is then propagated 
> out to pdb and the console. You'll either need to hunt and replace on disk 
> (there's gotta be a task or `puppet infra` command though), or 
> uninstall/re-install pe (iirc, you can install a fresh pe onto an existing 
> ssldir).
>
> hth
>
> On Sat, Nov 16, 2019 at 4:33 AM A Manzer <ama...@gmail.com> wrote:
>
>> Using the LTS is one option.
>>
>> I disagree that it says that pre-6 agents won't play with a 6 server.  On 
>> that page I linked, there's a compatibility matrix that shows 5.x agents 
>> are compatible with PE 2019.1.  Also, the first phrase of the quote says 
>> that I can use pre-6.x agents.
>>
>> I think I'm closer: I found a page on Puppet 6 Intermediate CA 
>> <https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html>, but it 
>> only tells me how to convert *to* an intermediate CA architecture, not 
>> *from* an intermediate CA architecture.
>>
>> On Saturday, November 16, 2019 at 7:02:01 AM UTC-5, LinuxDan wrote:
>>>
>>> Use 2018.1.11 (LTS)
>>>
>>> It clearly says that pre-6 agents won’t play with a 6 server.
>>>
>>> —————————————————————————————————-
>>>
>>> "Sometimes I think the surest sign that intelligent life exists 
>>> elsewhere in the universe is that none of it has tried to contact us."
>>>
>>> Bill Waterson (Calvin & Hobbes)
>>>
>>> On Nov 16, 2019, at 6:50 AM, A Manzer <ama...@gmail.com> wrote:
>>>
>>> 
>>> I've been using Puppet Enterprise at work quite successfully for a long 
>>> time.  So I finally decided to take advantage of the "Run 10 nodes for 
>>> free" offer and run PE at home.
>>>
>>> I've set up my PE server using the latest 2019.2.1.  My desktop computer 
>>> runs Ubuntu 18.04, and I was able to `curl | sudo bash` to install version 
>>> 6.10.1 of the agent.
>>>
>>> But I'm really interested in running Puppet on my other Raspberry Pi 
>>> servers around the house.  So I installed Puppet version 5.5.10 from the 
>>> Raspbian archive and pointed it at my PE server.
>>>
>>> I'm able to see an unsigned certificate in my PE console, and sign it, 
>>> but then when I run puppet on my node, I get "Error: Could not request 
>>> certificate: SSL_connect returned=1 errno=0 state=error: certificate verify 
>>> failed: [unable to get issuer certificate for /CN=Puppet Enterprise CA 
>>> generated at +2019-*MM-DD HH:MM:SS*]"
>>>
>>> I think this is due to the fact that Puppet Server 6 now generates an 
>>> Intermediate Cert to sign Agent certs, rather than the older self-signed 
>>> root style.  The Component versions in recent PE releases 
>>> <https://puppet.com/docs/pe/2019.2/component_versions_in_recent_pe_releases.html>
>>> document says 
>>>
>>>> You can use pre-6.x agents with a Puppet 6.x or PE 2019.0 or later 
>>>> master, but this combination doesn't take advantage of the new 
>>>> intermediate certificate authority architecture introduced in Puppet 
>>>> Server 6.0. To adopt the new CA architecture, both your master and 
>>>> agents must be upgraded to at least 6.x/2019.0, and you must regenerate 
>>>> certificates. If you don't upgrade *all* of your nodes to 6.x, do not 
>>>> regenerate your certificates, because pre-6.x agents won't work with 
>>>> the new CA architecture. 
>>>>
>>>
>>> I think this is exactly the case I'm in.  I think my PE 2019.2.1 
>>> installation generated an intermediate cert architecture and my Puppet 5.5 
>>> agents don't understand it.
>>>
>>> My question is: *How do I turn this off?*  How do I revert to a 
>>> pre-puppet 6.0 self-signed root?  A pe.conf setting with a fresh install is 
>>> fine because I don't have anything yet configured in this installation.
>>>
>>> Thanks.
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to puppet...@googlegroups.com.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/puppet-users/2eb9336e-7f31-4917-9e7f-838e8739955d%40googlegroups.com
>>>  
>>> <https://groups.google.com/d/msgid/puppet-users/2eb9336e-7f31-4917-9e7f-838e8739955d%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>
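
Added example, not part of the thread and not Puppet's own code: "unable to get issuer certificate", the reason text in the original post's error, is what OpenSSL reports when the trust file holds an intermediate CA but not the root that signed it. The script reproduces that with a constructed throwaway root, intermediate and leaf; it assumes the `openssl` CLI, and the function names, file names and subjects are hypothetical.

```shell
#!/bin/sh
# Added example with constructed throwaway certificates; not Puppet's own code.
# Function names, file names and subjects are hypothetical. Needs the openssl CLI.

# Build root -> intermediate -> leaf inside the empty directory $1.
build_chain() {
  ( cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
      '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf
    # Self-signed root: the single trust anchor of the older layout.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
      -subj '/CN=Example Root CA' -keyout root.key -out root.pem 2>/dev/null
    # Intermediate signing CA, issued by the root.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj '/CN=Example Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions ca -days 2 -out int.pem 2>/dev/null
    # Leaf certificate (stands in for a node's cert), issued by the intermediate.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj '/CN=node.example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem 2>/dev/null
    # Full trust bundle: intermediate plus the root that signed it.
    cat int.pem root.pem > bundle.pem )
}

# Verify $1/leaf.pem against trust file $1/$2; print "OK" or "depth N: reason".
verify_with() {
  openssl verify -CAfile "$1/$2" "$1/leaf.pem" 2>&1 | sed -n \
    -e 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/depth \1: \2/p' \
    -e 's/.*: OK$/OK/p'
}

# Compare three trust files: intermediate only, root only, both.
work=$(mktemp -d)
build_chain "$work"
for trust in int.pem root.pem bundle.pem; do
  printf '%-10s %s\n' "$trust" "$(verify_with "$work" "$trust")"
done
rm -rf "$work"
```

The depth in the result shows which link is missing: with `int.pem` alone the failure is at depth 1 (the intermediate's issuer), while `root.pem` alone fails at depth 0 because the leaf's own issuer is absent.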
