I have a test node which had pointed at a legacy puppet master.
I used this command to remove its certificates:

    find /etc/puppetlabs/puppet/ssl -name *`hostname`* -exec rm {} \;

and then to update the puppet master on the node:

    puppet config set --section main server new_puppet_master.example.com

and then ran the agent like so:

    puppet agent --test --environment production --waitforcert 20

which gives me these errors:

    Info: Creating a new SSL key for migrating_node.example.com
    Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for migrating_node.example.com
    Info: Certificate Request fingerprint (SHA256): D7:F5:1A:4A:68:15:DA:BD:3B:7E:AF:72:AF:41:9B:0E:4A:92:1A:F1:EE:82:46:9E:97:A2:A9:A0:9E:2A:7E:89
    Info: Caching certificate for migrating_node.example.com
    Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
    Info: Retrieving plugin
    Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
    Error: /File[/var/opt/lib/pe-puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com] Could not retrieve file metadata for puppet://new_puppet_master.example.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
    Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/pe_build.rb
    etc.; . . .
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=new_puppet_master.example.com]

Seems there is some certificate for my master which must be installed on the agent to bootstrap this communication. In fact I remember my bootstrap script used to install the agent on nodes at a previous company included some code to do this, but I do not remember which cert I harvest from where on the master and install to where on the agent.

Can someone please advise? Perhaps point me to the documentation of this requirement? I have been unable to find it.

Thanks,
-- Hugh