The Puppet agent ships with its own certificate authority (CA) bundle. Tools bundled with the agent, such as the puppet module command and the agent's RubyGems (gem) utility, validate TLS connections against that bundle rather than the operating system's trust store. When you add a third-party integration (for example, an Artifactory server used as a custom Forge) whose certificate was issued by a private CA, you might need to add that CA's certificate to the bundle before the agent can communicate with the service.
Error messages and logs
When the agent tries to connect to a third-party service over TLS, an error like the following appears:
ERROR -> Unable to connect to <CUSTOM FORGE>: Peer certificate cannot be authenticated with given CA certificates
Version and installation information
PE version: 2019.8.0, 2021.0 to 2021.7
OS: Any
Installation type: Any
Solution
Add your certificate to the CA bundle:
- Back up the SSL directory by copying it. For example:
sudo cp -a /opt/puppetlabs/puppet/ssl /opt/puppetlabs/puppet/ssl.backup
- On the node that needs the certificate, change to the certificate directory:
cd /opt/puppetlabs/puppet/ssl/certs
- Symlink your PEM-encoded (OpenSSL-compatible) certificate into /opt/puppetlabs/puppet/ssl/certs. For example:
sudo ln -s /etc/ssl/certs/mycert.pem
- Rebuild the subject-hash links that OpenSSL uses to look up certificates in that directory by running rehash:
sudo /opt/puppetlabs/puppet/bin/openssl rehash
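The following script is an added example, not Puppet's own tooling. It performs the three steps above (backup, symlink, rehash) as functions, refuses files that are not X.509 certificates, warns when the file is not a CA certificate (no CA:TRUE basic constraint), and then confirms the result with openssl verify against the rebuilt directory. The directory and openssl paths default to the ones in this article and are assumptions you can override with PUPPET_SSLDIR and PUPPET_OPENSSL; the rehash is given the certs directory explicitly rather than relying on the current working directory.

```shell
#!/bin/sh
# Added example (not Puppet's own tooling): automate the three steps above and
# confirm the result with "openssl verify". Assumptions, adjustable via env:
#   PUPPET_SSLDIR  - OpenSSL directory of the vendored OpenSSL (default from the article)
#   PUPPET_OPENSSL - the vendored openssl binary (default from the article)
set -eu

SSLDIR="${PUPPET_SSLDIR:-/opt/puppetlabs/puppet/ssl}"
OPENSSL="${PUPPET_OPENSSL:-/opt/puppetlabs/puppet/bin/openssl}"

# Print the subject of a PEM certificate; fails if the file is not a certificate.
cert_subject() {
  "$OPENSSL" x509 -in "$1" -noout -subject
}

# Return 0 if the certificate carries the basicConstraints CA:TRUE extension.
is_ca_cert() {
  "$OPENSSL" x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Back up $SSLDIR, symlink the certificate into $SSLDIR/certs and rebuild the
# <subject-hash>.N links OpenSSL uses to find CA certificates in a directory.
add_ca_cert() {
  cert="$1"
  cert_subject "$cert" >/dev/null   # refuse anything that is not an X.509 cert
  if ! is_ca_cert "$cert"; then
    echo "warning: $cert has no CA:TRUE constraint; the bundle is meant for CA certificates" >&2
  fi
  cp -a "$SSLDIR" "$SSLDIR.backup.$(date +%Y%m%d%H%M%S)"
  # Use an absolute link target so the link does not depend on the working directory.
  abs="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
  ln -sf "$abs" "$SSLDIR/certs/$(basename "$cert")"
  "$OPENSSL" rehash "$SSLDIR/certs"
}

# Check that a peer certificate (or chain file) now validates against the bundle.
# Prints "<file>: OK" on success and returns non-zero otherwise.
verify_against_bundle() {
  "$OPENSSL" verify -CApath "$SSLDIR/certs" "$1"
}

# Usage: sh add_ca.sh /etc/ssl/certs/mycert.pem [peer-cert-to-check.pem]
if [ "$#" -ge 1 ]; then
  add_ca_cert "$1"
  if [ "$#" -ge 2 ]; then
    verify_against_bundle "$2"
  fi
fi
```

Run the verify step with the certificate the third-party service actually presents (for example, saved from openssl s_client -showcerts): if that check fails after the rehash, the problem is the wrong CA certificate or an incomplete chain, not the agent.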
If PE Java services (console services, Puppet Server, orchestration services, or PuppetDB) need to use the cert, it must also be available to the JVM, which does not read the OpenSSL directory above. Import it into the Java truststore with the keytool utility.
On the primary server node:
- Navigate to the SSL directory:
cd /opt/puppetlabs/puppet/ssl
- Import the certificate with keytool, replacing <mycert.pem> with the path to your certificate:
sudo /opt/puppetlabs/server/bin/keytool -import -alias "My_local_cert" -keystore puppet-cacerts -storepass 'changeit' -file <mycert.pem>
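The following script is an added example, not Puppet's own tooling. It wraps the keytool import above with the checks an operator wants when running it from automation: it refuses to import over an alias that already exists (keytool would otherwise fail part-way), backs up the truststore, uses -noprompt so the interactive "Trust this certificate?" question cannot hang a script, and prints the fingerprint keytool stored so you can compare it with openssl x509 -fingerprint -sha256 on the source file. The keytool and truststore paths and the 'changeit' password are taken from the article and are assumptions you can override with PE_KEYTOOL, PE_TRUSTSTORE and PE_STOREPASS. A JVM reads its truststore when it starts, so restart the affected PE service after the import.

```shell
#!/bin/sh
# Added example (not Puppet's own tooling): import a CA certificate into the
# truststore used by the PE Java services and confirm it is there. Assumptions:
#   PE_KEYTOOL    - the keytool shipped with PE (default from the article)
#   PE_TRUSTSTORE - keystore path from the article
#   PE_STOREPASS  - 'changeit' is the Java default store password the article uses
set -eu

KEYTOOL="${PE_KEYTOOL:-/opt/puppetlabs/server/bin/keytool}"
TRUSTSTORE="${PE_TRUSTSTORE:-/opt/puppetlabs/puppet/ssl/puppet-cacerts}"
STOREPASS="${PE_STOREPASS:-changeit}"

# Return 0 if an entry with this alias already exists in the truststore.
alias_exists() {
  "$KEYTOOL" -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Import a PEM certificate as a trusted entry. -noprompt avoids the interactive
# "Trust this certificate?" question; -trustcacerts lets keytool accept a
# certificate that chains to a CA already in the store.
import_trusted_cert() {
  alias_name="$1"; cert="$2"
  if alias_exists "$alias_name"; then
    echo "alias '$alias_name' already present; delete it first if you are replacing it" >&2
    return 1
  fi
  if [ -f "$TRUSTSTORE" ]; then
    cp -a "$TRUSTSTORE" "$TRUSTSTORE.backup.$(date +%Y%m%d%H%M%S)"
  fi
  "$KEYTOOL" -importcert -trustcacerts -noprompt -alias "$alias_name" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -file "$cert"
}

# Print the fingerprint line keytool records for the alias, for comparison with
# "openssl x509 -noout -fingerprint -sha256 -in <cert>".
stored_fingerprint() {
  "$KEYTOOL" -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1" | grep -i 'fingerprint'
}

# Usage: sh import_ca.sh My_local_cert /path/to/mycert.pem
if [ "$#" -ge 2 ]; then
  import_trusted_cert "$1" "$2"
  stored_fingerprint "$1"
fi
```

If the import reports a wrong password, the truststore was not created with the Java default 'changeit' and you need the password it was actually created with; do not reset it without knowing which services read it.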
3 comments
Hi Support, thanks for this document, it was very helpful. Is there any way to add additional certs at install time, maybe via pe.conf? Or better, when using an independent root CA, add the bundle certificate to the above directories?
I'm checking with the team to see if I can get more info for you.
Hi, an intermediate CA is the option for this: https://puppet.com/docs/pe/2021.2/use_an_independent_intermediate_ca.html
If that doesn't work for you, I encourage you to open a ticket so that the team can help you figure out if there is another alternative for your specific use case.