Puppet agent includes a comprehensive certificate authority (CA) certificate bundle. When you add third-party integrations (like an Artifactory server), you might need to add certificates to the bundle so that the agent can communicate with third-party services. You can add your own certificates with tools like the puppet module command or puppet-agent's RubyGems utility.
Error messages and logs
When you try to authenticate with third-party services:
ERROR -> Unable to connect to <CUSTOM FORGE>: Peer certificate cannot be authenticated with given CA certificates
Version and installation information
Puppet version: 5.0 and later
Component: Agent
OS: *nix
Installation type: Any
Solution
Add your own certificate to the Puppet CA bundle:
- Back up the SSL directory by copying the directory. For example:
  sudo cp -a /opt/puppetlabs/puppet/ssl /opt/puppetlabs/puppet/ssl.backup
- On the node associated with your cert, navigate to the certs directory:
  cd /opt/puppetlabs/puppet/ssl/certs
- Symlink your OpenSSL-compatible (PEM) certificate into /opt/puppetlabs/puppet/ssl/certs. With a single argument, ln creates the link in the current directory under the same file name, for example:
  sudo ln -s /etc/ssl/certs/mycert.pem
- Finish creating the symlink by running c_rehash, which creates the hash-named links OpenSSL uses to look certificates up in that directory:
  sudo /opt/puppetlabs/puppet/bin/c_rehash
If Puppet's Java services (Puppet Server or PuppetDB) need to use the cert, it must also be available in the JVM environment. Import it using Java's keytool utility.
On the master node:
- Navigate to the SSL directory:
  cd /opt/puppetlabs/puppet/ssl
- Import the certificate using Java's keytool by running:
  sudo keytool -import -alias "My_local_cert" -keystore /opt/puppetlabs/puppet/ssl/puppet-cacerts -storepass "changeit" -file <mycert.pem>
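The whole procedure above, written as shell functions so it can be rehearsed against a scratch directory before touching /opt/puppetlabs. This is an added example, not from the Puppet article or the puppet-agent package: the SSL directory, certs directory and keystore are parameters rather than the real Puppet paths, and the hash-link step re-implements by hand what c_rehash does (a `<subject-hash>.N` symlink per certificate), which is also what makes the cert visible to OpenSSL's -CApath lookup. The verify function shows the check a practitioner would run afterwards instead of waiting for the next `puppet module` failure.

```shell
#!/bin/sh
# Added example (not from the Puppet article). All paths are arguments;
# point them at a scratch directory first, then at the real SSL tree.

# back_up_ssl_dir SSL_DIR -> copies SSL_DIR to SSL_DIR.backup (step 1)
back_up_ssl_dir() {
  cp -a "$1" "$1.backup"
}

# add_cert_to_bundle CERT_PEM CERTS_DIR
# Symlinks CERT_PEM into CERTS_DIR (step 3) and creates the <subject-hash>.N
# link that c_rehash would create (step 4). Prints the hash link's path.
# Returns 1 if CERT_PEM is not something OpenSSL can parse as an X.509 cert,
# so a stray private key or malformed file never lands in the trust dir.
add_cert_to_bundle() {
  cert=$1
  certs_dir=$2
  openssl x509 -noout -in "$cert" 2>/dev/null || return 1
  # Make the path absolute so the link works regardless of cwd.
  case "$cert" in /*) ;; *) cert=$PWD/$cert ;; esac
  name=$(basename "$cert")
  ln -sf "$cert" "$certs_dir/$name"
  # c_rehash names links by the subject-name hash and the first free suffix
  # (.0, .1, ...); OpenSSL's -CApath lookup only ever reads these links.
  hash=$(openssl x509 -noout -subject_hash -in "$cert")
  n=0
  while [ -e "$certs_dir/$hash.$n" ]; do n=$((n + 1)); done
  ln -sf "$name" "$certs_dir/$hash.$n"
  echo "$certs_dir/$hash.$n"
}

# verify_trusted CERT_PEM CERTS_DIR -> exit 0 only if OpenSSL, using just
# CERTS_DIR as its trust directory, now accepts the certificate.
verify_trusted() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# import_into_jvm_truststore CERT_PEM KEYSTORE ALIAS
# The keytool step for Puppet Server / PuppetDB. -importcert is the modern
# spelling of -import; -noprompt lets it run unattended. Keystore password is
# the JDK default used in the article.
import_into_jvm_truststore() {
  keytool -importcert -noprompt -alias "$3" -keystore "$2" \
    -storepass changeit -file "$1"
}
```

Run it as, for example, `back_up_ssl_dir /opt/puppetlabs/puppet/ssl && add_cert_to_bundle /etc/ssl/certs/mycert.pem /opt/puppetlabs/puppet/ssl/certs && verify_trusted /etc/ssl/certs/mycert.pem /opt/puppetlabs/puppet/ssl/certs` (with sudo where the real tree needs it). Note that before the hash link exists, `verify_trusted` fails even though the PEM is sitting in the directory: that is exactly the state the article's error message comes from when someone skips c_rehash.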