The configuration for running Open Source puppetserver with an external CA 
changed in v2.4 -> v2.5, explained in more detail here:
https://docs.puppet.com/puppetserver/latest/bootstrap_upgrade_notes.html#cacfg

If you happen to run yum upgrade (presumably similar results with apt-get 
update), the package's upgrade process for v2.4 -> v2.5 will actually 
delete any existing copy of /etc/puppetlabs/puppetserver/bootstrap.cfg. 
Which is reasonable.

HOWEVER, if you try to downgrade puppetserver to roll back, e.g. "yum 
downgrade puppetserver-2.4.0-1.el7," the package downgrade process will 
overwrite /etc/puppetlabs/puppet/ssl/crl.pem and break your Puppetserver's 
SSL. Which isn't particularly reasonable.

Options for fixing are A) restore crl.pem from backup, B) restore crl.pem 
from the CA's ca_crl.pem file (if it is also a puppetserver), or C) 
regenerate all of your puppet SSL certs.

Possible to add a mention of this downgrade pitfall in the Puppetserver v2.5.0 
release notes?
https://docs.puppet.com/puppetserver/2.5/release_notes.html
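
An added example, not part of the original post: a small sh helper that snapshots crl.pem before a package upgrade or downgrade, detects whether the transaction overwrote it, and restores the snapshot (option A above). The crl.pem path is the one named in the post; the CA certificate path and the backup directory are assumptions to adjust for your layout.

```shell
#!/bin/sh
# Added example: guard crl.pem across a puppetserver package change.
CRL="${CRL:-/etc/puppetlabs/puppet/ssl/crl.pem}"               # path from the post
CA_CERT="${CA_CERT:-/etc/puppetlabs/puppet/ssl/certs/ca.pem}"  # assumed default
BACKUP_DIR="${BACKUP_DIR:-/var/backups/puppet-crl}"            # hypothetical

# Run BEFORE yum upgrade/downgrade: copy the live CRL aside.
crl_snapshot() {
    mkdir -p "$BACKUP_DIR" && cp -p "$CRL" "$BACKUP_DIR/crl.pem.pre-change"
}

# Exit 0 if the live CRL is byte-identical to the snapshot,
# non-zero if it differs or either file is missing.
crl_unchanged() {
    cmp -s "$CRL" "$BACKUP_DIR/crl.pem.pre-change"
}

# Exit 0 if the live CRL parses and its signature verifies against the
# CA certificate. openssl reports "verify OK" on stderr, so match on that
# text rather than relying on the exit status.
crl_signed_by_ca() {
    openssl crl -in "$CRL" -CAfile "$CA_CERT" -noout 2>&1 | grep -q 'verify OK'
}

# Put the snapshot back, keeping the overwritten file for inspection.
crl_restore() {
    cp -p "$CRL" "$CRL.overwritten" 2>/dev/null || true
    cp -p "$BACKUP_DIR/crl.pem.pre-change" "$CRL"
}

# Run AFTER the package change: restore only if the CRL was altered.
crl_check_and_restore() {
    if crl_unchanged; then
        echo "crl.pem unchanged"
        return 0
    fi
    echo "crl.pem was modified by the package transaction; restoring snapshot" >&2
    crl_restore
}
```

After a restore, run crl_signed_by_ca to confirm the CRL on disk is the one your CA issued before starting puppetserver again.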
