Check that the cert used by puppetdb matches the puppet ca. First the Puppet DB:

root@puppettest1:~# openssl s_client -connect puppet:8140
CONNECTED(00000005)
depth=2 CN = Puppet Root CA: ed17137d0debfe
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = puppet.x.org
   i:CN = Puppet CA: puppet.x.org
 1 s:CN = Puppet CA: puppet.x.org
   i:CN = Puppet Root CA: ed17137d0debfe
 2 s:CN = Puppet Root CA: ed17137d0debfe
   i:CN = Puppet Root CA: ed17137d0debfe

Then the local copy of the Puppet CA cert:

root@puppettest1:~# ll /etc/puppetlabs/puppet/ssl/certs/ca.pem
-rw-r--r-- 1 root root 3866 Oct 20 22:31 /etc/puppetlabs/puppet/ssl/certs/ca.pem
root@puppettest1:~# openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Puppet Root CA: ed17137d0debfe
        Validity
            Not Before: Oct 17 20:04:48 2019 GMT
            Not After : Oct 14 20:04:55 2034 GMT
        Subject: CN = Puppet CA: puppet.x.org

I believe that as long as the certificate used by Puppet DB is issued by the Puppet CA, the Puppet Agent will trust the certificate.

Axton

On Sunday, November 10, 2019 at 10:12:03 PM UTC-6, Keyzer Suze wrote:
>
> Hi
>
> I have just installed a new version of puppet (latest) into CentOS 8.
>
> When I try puppet agent --test it fails attempting to connect to
> puppetdb - unable to verify cert.
>
> If I use wget (after I added the puppet CA into the OS root CA bundle) it
> works.
>
> Where or how do I do the same for ruby?
>
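
The by-eye comparison in the reply above, as an added example that is not part of the original thread: it parses the two openssl outputs and reports where subject and issuer names fail to line up. The sample strings are constructed from the output quoted above and the function names are illustrative; matching names is a first check, not signature verification.

```python
import re

# Constructed sample: the chain section of the s_client output quoted in the thread.
S_CLIENT = """\
Certificate chain
 0 s:CN = puppet.x.org
   i:CN = Puppet CA: puppet.x.org
 1 s:CN = Puppet CA: puppet.x.org
   i:CN = Puppet Root CA: ed17137d0debfe
 2 s:CN = Puppet Root CA: ed17137d0debfe
   i:CN = Puppet Root CA: ed17137d0debfe
---
"""
# Constructed sample: the two name fields from the `openssl x509 -text` output.
CA_TEXT = """\
        Issuer: CN = Puppet Root CA: ed17137d0debfe
        Subject: CN = Puppet CA: puppet.x.org
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break  # end of the chain listing
        elif in_chain and (m := re.match(r"\s*\d+\s+s:(.*)", line)):
            subject = m.group(1).strip()
        elif in_chain and subject and (m := re.match(r"\s*i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def parse_ca(text):
    """Return (subject, issuer) from `openssl x509 -text -noout` output."""
    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else None
    return field("Subject"), field("Issuer")

def check(chain, ca_subject, ca_issuer):
    """List name mismatches between the served chain and the local CA cert."""
    if not chain:
        return ["no certificate chain found"]
    problems = [f"cert {n} issuer != cert {n + 1} subject"
                for n in range(len(chain) - 1) if chain[n][1] != chain[n + 1][0]]
    if chain[0][1] != ca_subject:
        problems.append(f"leaf issued by {chain[0][1]!r}, local CA is {ca_subject!r}")
    problems += [f"cert {n} has the CA's subject but issuer {iss!r}"
                 for n, (subj, iss) in enumerate(chain)
                 if subj == ca_subject and iss != ca_issuer]
    return problems

if __name__ == "__main__":
    print(check(parse_chain(S_CLIENT), *parse_ca(CA_TEXT)) or "names are consistent")
```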