Today almost everything is using SSL, good. The certificates can be signed by trusted certifying authorities or they can be self-signed. Having our services connecting to trusted ones is straightforward, however when you are connecting to a server that is using a certificate generated by a self-signed CA things can be tricky.
Puppet is a configuration management tool, similar to CFengine, Salt, Ansible. It has an impressive set of modules to tackle various tasks. Even has modules to communicate with (HashiCorp) Vault. In my case my Puppet server wasn’t able to connect to my Vault server which was using a self-signed certificate:
puppet agent -t
Error: Failed to apply catalog: certificate verify failed [unable to get local issuer certificate for CN=my-vault-server.com]To solve this issue on Ubuntu you copy your CA cert under /opt/puppetlabs/puppet/ssl/certs/
cp CA.crt /opt/puppetlabs/puppet/ssl/certs/CA.crt
chown root:root /opt/puppetlabs/puppet/ssl/certs/CA.crt
chmod 0644 /opt/puppetlabs/puppet/ssl/certs/CA.crt
openssl x509 -noout -hash -in /opt/puppetlabs/puppet/ssl/certs/CA.crt
a1942923
ln -s /opt/puppetlabs/puppet/ssl/certs/CA.crt /opt/puppetlabs/puppet/ssl/certs/a1942923.0The same directory (/opt/puppetlabs/puppet/ssl/certs/) doesn’t work with FreeBSD. Here you’re going to use /etc/ssl/certs/, repeat the steps above for this directory.
cp CA.crt /etc/ssl/certs/CA.crt
chown root:wheel /etc/ssl/certs/CA.crt
chmod 0644 /etc/ssl/certs/CA.crt
openssl x509 -noout -hash -in /etc/ssl/certs/CA.crt a1942923
ln -s /etc/ssl/certs/CA.crt /etc/ssl/certs/a1942923.0Now puppet agent -t should run with no errors. I tested it on FreeBSD 13.1 using Puppet 7.
The same directory can be used to add any self-signed certificates to your FreeBSD server. This page elaborates more on this topic.
Here is a related article from Puppet’s official website on adding certificates to the Puppet certificate bundle, on Linux.