Puppet Server

Configure Puppet Server in three steps:

  • Disable the internal CA service.

  • Ensure that the certname does not change.

  • Put certificates and keys in place on disk.

  1. Edit the Puppet Server /etc/puppetlabs/puppetserver/services.d/ca.cfg file:
    1. To disable the internal CA, comment out puppetlabs.services.ca.certificate-authority-service/certificate-authority-service and uncomment puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service.
  2. Set a static value for the certname setting in puppet.conf:

    [server]
    certname = puppetserver.example.com
    
    Setting a static value prevents any confusion if the machine's hostname changes. The value must match the certname you’ll use to issue the server's certificate, and it must not be blank.

  3. Put the credentials from your external CA on disk in the correct locations. These locations must match what’s configured in your webserver.conf file.

    If you haven’t changed those settings, run the following commands to find the default locations.

    Credential                             File location
    Server SSL certificate                 puppet config print hostcert --section server
    Server SSL certificate private key     puppet config print hostprivkey --section server
    Root CA certificate                    puppet config print localcacert --section server
    Root certificate revocation list       puppet config print hostcrl --section server

    If you’ve put the credentials in the correct locations, you don't need to change any additional settings.
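
To confirm the three steps took effect, the script below checks each one. It is an added example, not part of the Puppet documentation: the function names and the default puppet.conf path are assumptions, and it expects openssl and puppet on the PATH and a server certificate issued directly by the root CA.

```shell
#!/bin/sh
# Added example (not from the Puppet documentation): checks for the three steps above.

CA_ON='puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'
CA_OFF='puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'

# Print the lines of a file with surrounding whitespace removed; commented lines keep their '#'.
trimmed() { sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1"; }

# Step 1: succeed only if the internal CA line is inactive and the disabled-CA line is active.
ca_service_disabled() {
    if trimmed "$1" | grep -Fxq "$CA_ON"; then return 1; fi
    trimmed "$1" | grep -Fxq "$CA_OFF"
}

# Step 2: print the certname set in the [server] section of puppet.conf (empty if unset).
server_certname() {
    awk '
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next }
        section == "server" && /^[ \t]*certname[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Step 3: succeed only if the private key belongs to the certificate and the
# certificate verifies against the root CA and is not listed in the CRL.
credentials_consistent() {
    cert=$1 key=$2 ca=$3 crl=$4
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    openssl verify -CAfile "$ca" -CRLfile "$crl" -crl_check "$cert" >/dev/null 2>&1
}

# Run all checks on the server. $1 is the puppet.conf path (default is an assumption).
check_external_ca_setup() {
    conf=${1:-/etc/puppetlabs/puppet/puppet.conf}
    ca_service_disabled /etc/puppetlabs/puppetserver/services.d/ca.cfg ||
        { echo 'internal CA service is still enabled in ca.cfg'; return 1; }
    [ -n "$(server_certname "$conf")" ] ||
        { echo 'no static certname in the [server] section'; return 1; }
    credentials_consistent \
        "$(puppet config print hostcert --section server)" \
        "$(puppet config print hostprivkey --section server)" \
        "$(puppet config print localcacert --section server)" \
        "$(puppet config print hostcrl --section server)" ||
        { echo 'key, certificate, CA and CRL do not verify together'; return 1; }
    echo 'external CA configuration is consistent'
}
```

Run check_external_ca_setup as root on the Puppet Server host after placing the credentials; a non-zero exit names the step that failed.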