PE 2019.2 with Puppet Agent 5.x (CA issue?)

A Manzer

Nov 16, 2019, 6:50:30 AM
to Puppet Users
I've been using Puppet Enterprise at work quite successfully for a long time.  So I finally decided to take advantage of the "Run 10 nodes for free" offer and run PE at home.

I've set up my PE server using the latest 2019.2.1.  My desktop computer runs Ubuntu 18.04, and I was able to `curl | sudo bash` to install version 6.10.1 of the agent.

But I'm really interested in running Puppet on my other Raspberry Pi servers around the house.  So I installed Puppet version 5.5.10 from the Raspbian archive and pointed it at my PE server.

I'm able to see an unsigned certificate in my PE console, and sign it, but then when I run puppet on my node, I get "Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet Enterprise CA generated at +2019-MM-DD HH:MM:SS]"

I think this is due to the fact that Puppet Server 6 now generates an Intermediate Cert to sign Agent certs, rather than the older self-signed root style.  The Component versions in recent PE releases document says

You can use pre-6.x agents with a Puppet 6.x or PE 2019.0 or later master, but this combination doesn't take advantage of the new intermediate certificate authority architecture introduced in Puppet Server 6.0. To adopt the new CA architecture, both your master and agents must be upgraded to at least 6.x/2019.0, and you must regenerate certificates. If you don't upgrade all of your nodes to 6.x, do not regenerate your certificates, because pre-6.x agents won't work with the new CA architecture.

I think this is exactly the case I'm in.  I think my PE 2019.2.1 installation generated an intermediate cert architecture and my Puppet 5.5 agents don't understand it.

My question is: How do I turn this off?  How do I revert to a pre-puppet 6.0 self-signed root?  A pe.conf setting with a fresh install is fine because I don't have anything yet configured in this installation.

Thanks.

Dan White

Nov 16, 2019, 7:02:01 AM
to puppet...@googlegroups.com
Use 2018.1.11 (LTS)

It clearly says that pre-6 agents won’t play with a 6 server.

—————————————————————————————————-

"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."

Bill Watterson (Calvin & Hobbes)

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/2eb9336e-7f31-4917-9e7f-838e8739955d%40googlegroups.com.

A Manzer

Nov 16, 2019, 7:33:52 AM
to Puppet Users
Using the LTS is one option.

I disagree that it says that pre-6 agents won't play with a 6 server.  On that page I linked, there's a compatibility matrix that shows 5.x agents are compatible with PE 2019.1.  Also, the first phrase of the quote says that I can use pre-6.x agents.

I think I'm closer: I found a page on Puppet 6 Intermediate CA, but it only tells me how to convert to an intermediate CA architecture, not from an intermediate CA architecture.

Justin Stoller

Nov 16, 2019, 4:46:01 PM
to puppet...@googlegroups.com
Depending on your security inclinations you might try turning CRL checking off on your 5.5 agent (iirc, that was the biggest issue, if not the only issue). You might have to also copy the signed cert over to the agent.

Otherwise, you may be able to turn off your master, delete your ssldir and restart it to have it create a self signed root. Make sure the agent on the master can then check in. I don't remember how that cert is then propagated out to pdb and the console. You'll either need to hunt and replace on disk (there's gotta be a task or `puppet infra` command though), or uninstall/re-install pe (iirc, you can install a fresh pe onto an existing ssldir).

hth


A Manzer

Nov 17, 2019, 6:13:40 AM
to Puppet Users
From what I saw, the new architecture is an Intermediate Signing Cert, signed by a bare key.  I'm not sure how I could copy that to an agent and have it trusted.

> turn off your master, delete your ssldir and restart it to have it create a self signed root.
This is what I want to do!  But I'm not sure what options to set during installation/setup to turn that off.

Justin Stoller

Nov 19, 2019, 5:11:50 PM
to puppet...@googlegroups.com
sorry for the delay, kid got sick.

On Sun, Nov 17, 2019 at 3:13 AM A Manzer <ama...@gmail.com> wrote:
> From what I saw, the new architecture is an Intermediate Signing Cert, signed by a bare key.  I'm not sure how I could copy that to an agent and have it trusted.

The $cadir/ca_crt.pem will contain both the intermediate and root cert. The root's private key is also left in the cadir so you can put it in a safe location. The intermediate's key is in the $cadir/ca_key.pem location.

IIRC, for a 5.x agent connecting to a 6.x CA you'd need to move the ca_crt.pem and signed agent cert to the agent out of band, while also disabling crl checking. Kinda defeats the purpose of enabling intermediate CAs if you have to disable the CRL though. But, the refactor to handle CRL chains wasn't something we were comfortable putting into an LTS right away. And most folks we've talked to have an older CA infrastructure w/ new agents, so the backport hasn't been prioritized.

> > turn off your master, delete your ssldir and restart it to have it create a self signed root.
> This is what I want to do!  But I'm not sure what options to set during installation/setup to turn that off.

If you have an existing ssldir I think PE will install w/o additional configuration and just use the existing certs/keys. The installer mostly runs Puppet and the code that bootstraps it is basically an `exec { "puppetserver ca setup": creates => "/etc/puppetlabs/puppet/ssl/ca" }` .

I *think* the master, if the service starts and there isn't an ssldir, will re-create the keys/certs it needs, but as a 5.x compatible self signed root - but don't try that unless you're prepared for everything to fail. I think we left the old bootstrap code in there for demo purposes, but it's not actively maintained.

Again, there's probably a better way w/in PE to distribute the certs once you've regen them for the CA/master to the console/pdb, but I don't know it. You might want to try #puppet-enterprise in the community slack channel.


hth,
Justin
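The error in the first post means the agent's TLS library found a CA certificate but could not find that certificate's issuer. The script below is an added example, not code from the thread or from Puppet: it builds a root -> intermediate -> agent chain with openssl (constructed subject names, files under a temporary directory), then verifies the agent cert against the two-cert bundle Justin describes for $cadir/ca_crt.pem, against the root alone, against the root with the intermediate supplied as untrusted chain material, and against the intermediate alone, which produces the same "unable to get issuer certificate" wording as the thread. It covers chain building only, not the 5.x agent's CRL handling.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): rebuild a Puppet 6 style
# root -> intermediate -> agent chain with openssl and see which trust material
# lets the agent cert verify. Every subject name and file name is constructed.

WORK="${WORK:-$(mktemp -d)}"

build_chain() {
  # Extensions for the two CA certs and for the agent (leaf) cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"

  # 1. Self-signed root: the single CA cert a pre-6 agent expects to see.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Puppet Root CA" \
    -keyout "$WORK/root_key.pem" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root_key.pem" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root_crt.pem" 2>/dev/null

  # 2. Intermediate signing CA (the role of ca_key.pem in a 6.x cadir), signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Puppet Intermediate CA" \
    -keyout "$WORK/int_key.pem" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root_crt.pem" -CAkey "$WORK/root_key.pem" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int_crt.pem" 2>/dev/null

  # 3. Agent cert, signed by the intermediate only (how a 6.x CA signs a node's CSR).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pi.home.example" \
    -keyout "$WORK/agent_key.pem" -out "$WORK/agent.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/agent.csr" -CA "$WORK/int_crt.pem" -CAkey "$WORK/int_key.pem" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/agent_crt.pem" 2>/dev/null

  # 4. Bundle holding both CA certs, the shape described for $cadir/ca_crt.pem.
  cat "$WORK/int_crt.pem" "$WORK/root_crt.pem" > "$WORK/ca_crt.pem"
}

# verify_agent TRUSTFILE [UNTRUSTEDFILE]
#   TRUSTFILE      PEM file the verifier trusts (what an agent has stored as its CA).
#   UNTRUSTEDFILE  optional PEM sent alongside the leaf, like a server's chain in a handshake.
# Prints "OK" or "FAIL: <openssl reason>"; exit status follows openssl verify.
verify_agent() {
  if [ -n "${2:-}" ]; then
    set -- -CAfile "$1" -untrusted "$2"
  else
    set -- -CAfile "$1"
  fi
  if out=$(openssl verify "$@" "$WORK/agent_crt.pem" 2>&1); then
    echo "OK"
    return 0
  fi
  # Keep only the text after "depth lookup:", e.g. "unable to get issuer certificate".
  echo "FAIL: $(printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1)"
  return 1
}

demo() {
  build_chain
  printf '%-26s %s\n' "bundle (int + root):"    "$(verify_agent "$WORK/ca_crt.pem")"
  printf '%-26s %s\n' "root only:"              "$(verify_agent "$WORK/root_crt.pem")"
  printf '%-26s %s\n' "root + untrusted int:"   "$(verify_agent "$WORK/root_crt.pem" "$WORK/int_crt.pem")"
  printf '%-26s %s\n' "intermediate only:"      "$(verify_agent "$WORK/int_crt.pem")"
}

demo
```

The "intermediate only" line is the interesting one: the verifier finds the intermediate (the cert named in the thread's error) but has no issuer for it, so the chain never reaches a self-signed root. Giving the agent the whole ca_crt.pem bundle, or the root plus the intermediate as chain material, is what makes the same agent cert verify.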

A Manzer

Nov 22, 2019, 1:35:26 PM
to Puppet Users
Thanks Justin.

I think I was just Out Of Luck from the start, by starting with a PE 2019.2 install, with only 5.x agents available.

For anyone who finds this in the future, what I ended up doing was using the Puppet gem on Raspbian.  I ended up essentially following this guide, which is a little wrong in the systemd section, but boils down to "Install `ruby-full`, `gem install puppet`, create systemd unit file to manage the puppet agent."  This got me Puppet Agent v6, so it is able to communicate with my new PE installation.