I have installed an Internal-Root signed certificate on my Puppet Master under `$ssldir/ca/ca_crt.pem` in hopes that my Puppet managed nodes will have a certificate chain that can be resolved by following the chain back to a root CA.
In other words I want a chain of trust that looks like this: ROOT-CA ---> Puppet Master (Intermediate CA) ---> Agent Node
**Here** is the tricky part: My Puppet Master gives correctly signed certs to the Agents, *but* when the Agents run `puppet agent -t`, they have issues fetching the node definition. I get warnings like this one:
```
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
```
I was able to get this setup working using the deprecated `puppet master` daemon, but not with `puppetserver`.
I am using puppetserver 2.5.0 with puppet 4.6.1 on my master. My agent is running puppet 4.4.2.
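OpenSSL reports "unable to get issuer certificate" when the verifier's trust file contains a non-self-signed CA but not the certificate that issued it. The script below is an added example, not part of the original post or of Puppet: it builds a throwaway ROOT-CA ---> intermediate ---> leaf chain and verifies the leaf against two trust files. The subject names, file names and the assumption that the verifier's trust file holds only the intermediate are all constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI; every name below is hypothetical.

new_csr() {  # $1 = work dir, $2 = file stem, $3 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # $1 = empty work directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  # Root CA, self-signed.
  new_csr "$1" root "Example Root CA"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 1 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  # Intermediate CA signed by the root (stands in for the Puppet master's CA).
  new_csr "$1" int "Example Puppet CA"
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 1 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  # Leaf certificate signed by the intermediate (stands in for a node certificate).
  new_csr "$1" leaf "node.example.test"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -set_serial 3 -days 1 -out "$1/leaf.pem" 2>/dev/null
  # Trust file that carries the whole chain: intermediate first, then root.
  cat "$1/int.pem" "$1/root.pem" > "$1/bundle.pem"
}

verify_with() {  # $1 = trust file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>&1
}

main() {
  d=$(mktemp -d)
  build_chain "$d"
  echo "== trust file holds only the intermediate =="
  verify_with "$d/int.pem" "$d/leaf.pem" || true   # fails with error 2
  echo "== trust file holds intermediate + root =="
  verify_with "$d/bundle.pem" "$d/leaf.pem"        # verifies
  rm -rf "$d"
}

main
```

Running `openssl verify` the same way against the CA file a real verifier uses shows whether the root is missing from it.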