Today almost everything is using SSL, good. The certificates can be signed by trusted certifying authorities or they can be self-signed. Having our services connecting to trusted ones is straightforward, however when you are connecting to a server that is using a certificate generated by a self-signed CA things can be tricky.
Puppet is a configuration management tool, similar to CFengine, Salt, Ansible. It has an impressive set of modules to tackle various tasks. Even has modules to communicate with (HashiCorp) Vault. In my case my Puppet server wasn’t able to connect to my Vault server which was using a self-signed certificate:
puppet agent -t Error: Failed to apply catalog: certificate verify failed [unable to get local issuer certificate for CN=my-vault-server.com]
To solve this issue on Ubuntu you copy your CA cert under
directory, create a hash/serial of it and symlink in to the CA certificate (cheers to Tom for helping me with this). This could work on Debian and other Linux distributions. I didn’t tested it.
cp CA.crt /opt/puppetlabs/puppet/ssl/certs/CA.crt chown root:root /opt/puppetlabs/puppet/ssl/certs/CA.crt chmod 0644 /opt/puppetlabs/puppet/ssl/certs/CA.crt openssl x509 -noout -hash -in /opt/puppetlabs/puppet/ssl/certs/CA.crt a1942923 ln -s /opt/puppetlabs/puppet/ssl/certs/CA.crt /opt/puppetlabs/puppet/ssl/certs/a1942923.0
The same directory (/opt/puppetlabs/puppet/ssl/certs/) doesn’t work with FreeBSD. Here you’re going to use
/etc/ssl/certs/, repeat the steps above for this directory.
cp CA.crt /etc/ssl/certs/CA.crt chown root:wheel /etc/ssl/certs/CA.crt chmod 0644 /etc/ssl/certs/CA.crt openssl x509 -noout -hash -in /etc/ssl/certs/CA.crt a1942923 ln -s /etc/ssl/certs/CA.crt /etc/ssl/certs/a1942923.0
puppet agent -t should run with no errors. I tested it on FreeBSD 13.1 using Puppet 7.
The same directory can be used to add any self-signed certificates to your FreeBSD server. This page elaborates more on this topic.
Here is a related article from Puppet’s official website on adding certificates to the Puppet certificate bundle, on Linux.