Affects Version/s: PUP 4.6.2
Fix Version/s: None
If a bundle of CA certificates is stored where the CA service's cacert setting points (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem by default in Puppet 4.x / Puppet Server 2.x), Puppet Server's CA will send the full CA bundle to the agent when the agent requests them. The agent, however, will only store the first certificate from the bundle to its localcacert location - /etc/puppetlabs/puppet/ssl/certs/ca.pem by default in Puppet 4.x.
After the agent certificate is signed by the CA, subsequent agent runs against the master could fail with an error like the following:
The above error would happen for the case that the master's server certificate were issued by an intermediate CA and only the intermediate CA certificate were stored to the agent's localcacert file – not the certificate of the issuing root CA.
Effectively, then, in order for the master to use an intermediate CA certificate to issue agent certificates, one would apparently have to manually put the root + intermediate CA bundle in place at the agent's localcacert location since only one of the CA certificates from the bundle is stored to the localcacert as part of the agent run. It would seem better instead for the full CA certificate bundle to be stored to the agent's localcacert location.
1) Install Puppet Server.
2) Copy the attached ca_crl.pem, ca_crt.pem, and ca_key.pem files to the /etc/puppetlabs/puppet/ssl/ca directory.
The “ca_crl.pem” and “ca_crt.pem” files contain CRL and CA PEMs for both the Root and Intermediate CAs, respectively. The “ca_key.pem” file contains the Intermediate CA’s private key.
3) Add the following lines to the /etc/puppetlabs/puppet/puppet.conf file in order to workaround the lack of support for processing multiple CRL files per the CA certificate chain - see
4) Run the following command:
5) Start Puppet Server
6) Do an agent run, targeting a unique ssl directory so that the CA cert and CRL which are downloaded will differ from those in the master ssl directory.
The agent run should exit with a line indicating that the certificate needs to be signed.
7) Sign the myagent certificate request.
8) Repeat the previous agent run:
Agent run is successful, with no warnings.
An error message is displayed:
The agent downloads the CA certificate from Puppet Server by making a request to the .../puppet-ca/v1/certificate/ca endpoint on the server. Note that when making the request manually...
... that the response payload contains 2 certificates - identical to the contents of the /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem file. Note, however, that the contents of the agent's localcacert file - /tmp/myagent-ssl/certs/ca.pem - only includes 1 certificate, the first one from the ca_crt.pem file.
After running the following command…
… and then running the agent with the same command line as previously, the agent run is successful.