Puppet, FreeBSD & Self-Signed SSL

Puppet on FreeBSD connecting to servers using a self-signed certificate.

Today almost everything is using SSL, good. The certificates can be signed by trusted certifying authorities or they can be self-signed. Having our services connecting to trusted ones is straightforward, however when you are connecting to a server that is using a certificate generated by a self-signed CA things can be tricky.

Puppet is a configuration management tool, similar to CFengine, Salt, Ansible. It has an impressive set of modules to tackle various tasks. Even has modules to communicate with (HashiCorp) Vault. In my case my Puppet server wasn’t able to connect to my Vault server which was using a self-signed certificate:

puppet agent -t
Error: Failed to apply catalog: certificate verify failed [unable to get local issuer certificate for CN=my-vault-server.com]

To solve this issue on Ubuntu you copy your CA cert under /opt/puppetlabs/puppet/ssl/certs/ directory, create a hash/serial of it and symlink in to the CA certificate (cheers to Tom for helping me with this). This could work on Debian and other Linux distributions. I didn’t tested it.

cp CA.crt /opt/puppetlabs/puppet/ssl/certs/CA.crt
chown root:root /opt/puppetlabs/puppet/ssl/certs/CA.crt
chmod 0644 /opt/puppetlabs/puppet/ssl/certs/CA.crt
openssl x509 -noout -hash -in /opt/puppetlabs/puppet/ssl/certs/CA.crt 
ln -s /opt/puppetlabs/puppet/ssl/certs/CA.crt /opt/puppetlabs/puppet/ssl/certs/a1942923.0

The same directory (/opt/puppetlabs/puppet/ssl/certs/) doesn’t work with FreeBSD. Here you’re going to use /etc/ssl/certs/, repeat the steps above for this directory.

cp CA.crt /etc/ssl/certs/CA.crt
chown root:wheel /etc/ssl/certs/CA.crt
chmod 0644 /etc/ssl/certs/CA.crt
openssl x509 -noout -hash -in /etc/ssl/certs/CA.crt a1942923
ln -s /etc/ssl/certs/CA.crt /etc/ssl/certs/a1942923.0

Now puppet agent -t should run with no errors. I tested it on FreeBSD 13.1 using Puppet 7.

The same directory can be used to add any self-signed certificates to your FreeBSD server. This page elaborates more on this topic.

Here is a related article from Puppet’s official website on adding certificates to the Puppet certificate bundle, on Linux.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.