Thanks Justin. I think I was just Out Of Luck from the start, by starting with a PE 2019.2 install, with only 5.x agents available.
For anyone who finds this in the future, what I ended up doing was using the Puppet *gem* on Raspbian. I ended up essentially following this guide <https://gist.github.com/aaroncoffey/2459738bb9fb3d91f237455a4c577e9c>, which is a little wrong in the systemd section, but boils down to "Install `ruby-full`, `gem install puppet`, create systemd unit file to manage the puppet agent." This got me Puppet Agent v6, so is able to communicate with my new PE installation. On Tuesday, November 19, 2019 at 5:11:50 PM UTC-5, Justin Stoller wrote: > > sorry for the delay, kid got sick. > > On Sun, Nov 17, 2019 at 3:13 AM A Manzer <ama...@gmail.com <javascript:>> > wrote: > >> From what I saw, the new architecture is an Intermediate Signing Cert, >> signed by a bare *key*. I'm not sure how I could copy that to an agent >> and have it trusted. >> > > The $cadir/ca_crt.pem will contain both the intermediate and root cert. > The root's private key is also left in the cadir so you can put it in a > safe location. The intermediate's key is in the $cadir/ca_key.pem location. > > IIRC, for a 5.x agent connecting to a 6.x CA you'd need to move the > ca_crt.pem and signed agent cert to the agent out of band, while also > disabling crl checking. Kinda defeats the purpose of enabling intermediate > CAs if you have to disable the CRL though. But, the refactor to handle CRL > chains wasn't something we were comfortable putting into an LTS right away. > And most folks we've talked to have an older CA infrastructure w/ new > agents, so the backport hasn't been prioritized. > >> >> turn off your master, delete your ssldir and restart it to have it create >>> a self signed root. >>> >> This is what I want to do! But I'm not sure what options to set during >> installation/setup to turn that off. >> > > If you have an existing ssldir I think PE will install w/o additional > configuration and just use the existing certs/keys. The installer mostly > runs Puppet and the code that bootstraps it is basically an `exec { > "puppetserver ca setup": creates => "/etc/puppetlabs/puppet/ssl/ca" }` . > > I *think* the master, if the service starts and there isn't an ssldir, > will re-create the keys/certs it needs, but as a 5.x compatible self signed > root - but don't try that unless you're prepared for everything to fail. I > think we left the old bootstrap code in there for demo purposes, but it's > not actively maintained. > > Again, there's probably a better way w/in PE to distribute the certs once > you've regen them for the CA/master to the console/pdb, but I don't know > it. You might want to try #puppet-enterprise in the community slack channel. > > > hth, > Justin > >> >> >> On Saturday, November 16, 2019 at 4:46:01 PM UTC-5, Justin Stoller wrote: >>> >>> Depending on your security inclinations you might try turning crl >>> checking off on your 5.5 agent (iirc, that was the biggest issue - if not >>> the only issue). You might have to also copy the signed cert over to the >>> agent too). >>> >>> Otherwise, you may be able to turn off your master, delete your ssldir >>> and restart it to have it create a self signed root. Make sure the agent on >>> the master can then check in. I don't remember how that cert is then >>> propagated out to pdb and the console. You'll either need to hunt and >>> replace on disk (there's gotta be a task or `puppet infra` command though), >>> or uninstall/re-install pe (iirc, you can install a fresh pe onto an >>> existing ssldir). >>> >>> hth >>> >>> On Sat, Nov 16, 2019 at 4:33 AM A Manzer <ama...@gmail.com> wrote: >>> >>>> Using the LTS is one option. >>>> >>>> I disagree that it says that pre-6 agents won't play with a 6 server. >>>> On that page I linked, there's a compatibility matrix that shows 5.x >>>> agents >>>> are compatible with PE 2019.1. Also, the first phrase of the quote says >>>> that I can use pre-6.x agents. >>>> >>>> I think I'm closer: I found a page on Puppet 6 Intermediate CA >>>> <https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html>, but >>>> it only tells me how to convert *to* an intermediate CA architecture, >>>> not *from* an intermediate CA architecture. >>>> >>>> On Saturday, November 16, 2019 at 7:02:01 AM UTC-5, LinuxDan wrote: >>>>> >>>>> Use 2018.1.11 (LTS) >>>>> >>>>> It clearly says that pre-6 agents won’t play with a 6 server. >>>>> >>>>> —————————————————————————————————- >>>>> >>>>> "Sometimes I think the surest sign that intelligent life exists >>>>> elsewhere in the universe is that none of it has tried to contact us." >>>>> >>>>> Bill Waterson (Calvin & Hobbes) >>>>> >>>>> On Nov 16, 2019, at 6:50 AM, A Manzer <ama...@gmail.com> wrote: >>>>> >>>>> >>>>> I've been using Puppet Enterprise at work quite successfully for a >>>>> long time. So I finally decided to take advantage of the "Run 10 nodes >>>>> for >>>>> free" offer and run PE at home. >>>>> >>>>> I've set up my PE server using the latest 2019.2.1. My desktop >>>>> computer runs Ubuntu 18.04, and I was able to `curl | sudo bash` to >>>>> install >>>>> version 6.10.1 of the agent. >>>>> >>>>> But I'm really interested in running Puppet on my other Raspberry Pi >>>>> servers around the house. So I installed Puppet version 5.5.10 from the >>>>> Raspbian archive and pointed it at my PE server. >>>>> >>>>> I'm able to see an unsigned certificate in my PE console, and sign it, >>>>> but then when I run puppet on my node, I get "Error: Could not request >>>>> certificate: SSL_connect returned=1 errno=0 state=error: certificate >>>>> verify >>>>> failed: [unable to get issuer certificate for /CN=Puppet Enterprise CA >>>>> generated at +2019-*MM-DD HH:MM:SS*]" >>>>> >>>>> I think this is due to the fact that Puppet Server 6 now generates an >>>>> Intermediate Cert to sign Agent certs, rather than the older self-signed >>>>> root style. The Component versions in recent PE releases >>>>> <https://puppet.com/docs/pe/2019.2/component_versions_in_recent_pe_releases.html> >>>>> >>>>> document says >>>>> >>>>> You can use pre-6.x agents with a Puppet 6.x or PE 2019.0 or later >>>>>> master, but this combination doesn't take advantage of the new >>>>>> intermediate >>>>>> certificate authority architecture introduced in Puppet Server >>>>>> 6.0. To adopt the new CA architecture, both your master and agents must >>>>>> be >>>>>> upgraded to at least 6.x/2019.0, and you must regenerate certificates. >>>>>> If >>>>>> you don't upgrade *all *of your nodes to 6.x, do not regenerate your >>>>>> certificates, because pre-6.x agents won't work with the new CA >>>>>> architecture. >>>>>> >>>>> >>>>> I think this is exactly the case I'm in. I think my PE 2019.2.1 >>>>> installation generated an intermediate cert architecture and my Puppet >>>>> 5.5 >>>>> agents don't understand it. >>>>> >>>>> My question is: *How do I turn this off?* How do I revert to a >>>>> pre-puppet 6.0 self-signed root? A pe.conf setting with a fresh install >>>>> is >>>>> fine because I don't have anything yet configured in this installation. >>>>> >>>>> Thanks. >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Puppet Users" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to puppet...@googlegroups.com. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/puppet-users/2eb9336e-7f31-4917-9e7f-838e8739955d%40googlegroups.com >>>>> >>>>> <https://groups.google.com/d/msgid/puppet-users/2eb9336e-7f31-4917-9e7f-838e8739955d%40googlegroups.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Puppet Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to puppet...@googlegroups.com. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/puppet-users/d730edfc-9b11-4ae3-b4bd-66b59c76d66f%40googlegroups.com >>>> >>>> <https://groups.google.com/d/msgid/puppet-users/d730edfc-9b11-4ae3-b4bd-66b59c76d66f%40googlegroups.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to puppet...@googlegroups.com <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/puppet-users/ec47d156-bec2-474c-abfa-f079f5e674be%40googlegroups.com >> >> <https://groups.google.com/d/msgid/puppet-users/ec47d156-bec2-474c-abfa-f079f5e674be%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/cc752d86-2b94-48b4-82d9-5ab9bf554ef3%40googlegroups.com.
