ubuntusslpuppet

SSL Error when attempting to configure Puppet Server certificate requests


I am configuring Puppet Server on Ubuntu. I have followed the documentation on setting up puppet server, including running puppetserver ca setup before starting the puppetserver service. When I send a certificate request from my agent machine and attempt to list this request on my server, I receive the following error:

admin@puppetserver:~$ puppetserver ca list
Fatal error when running action 'list'
  Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_statuses/any_key?state=requested
  Root cause: SSL_connect returned=1 errno=0 peeraddr=###.###.###.###:8140 state=error: certificate verify failed (unable to get local issuer certificate)

The peeraddr value has been partially redacted. It is the local address of the machine running puppet server, on which I ran the above command.

I have attempted clearing and recreating the SSL certificates and performed multiple system reboots on my server and agent devices. Any advice would be welcome. Please ask for further clarifications if needed :)


Solution

  • For my case, I followed the steps on this page under 'Regenerate the CA and all certificates': https://www.puppet.com/docs/puppet/7/ssl_regenerate_certificates.html#regenerate_ca_and_all_certificates

    Server

    1. Stop the puppet server service:

    sudo puppet resource service puppetserver ensure=stopped

    1. Delete the SSL directory:

    sudo rm -r /etc/puppetlabs/puppet/ssl

    1. Regenerate the CA and primary server's cert:

    sudo puppetserver ca setup

    1. Restart the stopped services:
    sudo puppet resource service puppetserver ensure=running
    sudo puppet resource service puppet ensure=running
    

    Agent

    1. Stop the agent service:

    sudo puppet resource service puppet ensure=stopped

    1. Locate the SSL directory for the puppet agent: puppet config print ssldir --section agent

    2. Delete the directory found above

    3. Restart the stopped service, then send a request to the CA to sign a certificate and sign as normal.