I've been using Puppet Enterprise at work quite successfully for a long time. So I finally decided to take advantage of the "Run 10 nodes for free" offer and run PE at home.
I've set up my PE server using the latest 2019.2.1. My desktop computer runs Ubuntu 18.04, and I was able to `curl | sudo bash` to install version 6.10.1 of the agent. But I'm really interested in running Puppet on my other Raspberry Pi servers around the house. So I installed Puppet version 5.5.10 from the Raspbian archive and pointed it at my PE server. I'm able to see an unsigned certificate in my PE console, and sign it, but then when I run puppet on my node, I get "Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet Enterprise CA generated at +2019-*MM-DD HH:MM:SS*]" I think this is due to the fact that Puppet Server 6 now generates an Intermediate Cert to sign Agent certs, rather than the older self-signed root style. The Component versions in recent PE releases <https://puppet.com/docs/pe/2019.2/component_versions_in_recent_pe_releases.html> document says You can use pre-6.x agents with a Puppet 6.x or PE 2019.0 or later master, > but this combination doesn't take advantage of the new intermediate > certificate authority architecture introduced in Puppet Server 6.0. To > adopt the new CA architecture, both your master and agents must be upgraded > to at least 6.x/2019.0, and you must regenerate certificates. If you don't > upgrade *all *of your nodes to 6.x, do not regenerate your certificates, > because pre-6.x agents won't work with the new CA architecture. > I think this is exactly the case I'm in. I think my PE 2019.2.1 installation generated an intermediate cert architecture and my Puppet 5.5 agents don't understand it. My question is: *How do I turn this off?* How do I revert to a pre-puppet 6.0 self-signed root? A pe.conf setting with a fresh install is fine because I don't have anything yet configured in this installation. Thanks. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/2eb9336e-7f31-4917-9e7f-838e8739955d%40googlegroups.com.
