Install *nix agents using a manually-transferred certificate

If you can't use, or choose not to use, -k or --insecure to trust the primary server during agent installation, you can manually copy the primary server's CA certificate to any *nix machines you want to install agents on, and then run a variation of the agent install command that verifies the primary server against that certificate.

For general information about forming curl commands and authentication in commands, go to Using example commands.

  1. On the machine where you want to install the agent, create this directory: /etc/puppetlabs/puppet/ssl/certs
  2. On the primary server, navigate to /etc/puppetlabs/puppet/ssl/certs/ and copy ca.pem to the certs directory you created on the agent node.
  3. On the agent node, set the certificate's file permissions to read-only by running:
    chmod 444 /etc/puppetlabs/puppet/ssl/certs/ca.pem
  4. Run the agent install script command, using the --cacert flag to point to the cert, such as:
    cacert='/etc/puppetlabs/puppet/ssl/certs/ca.pem'
    uri='https://<PRIMARY_HOSTNAME>:8140/packages/current/install.bash'
    
    curl --cacert "$cacert" "$uri" | sudo bash

    For more information about the agent install script, go to Install agents with the install script.

  5. Run puppet agent -t to add the node to the node inventory and generate the CSR.
  6. Accept the CSR as explained in Managing certificate signing requests.
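
The copied ca.pem becomes the only trust anchor for the download in step 4, so it is worth confirming the copy before using it. The following is an added example, not part of the Puppet documentation: the function names are hypothetical, and it assumes the expected digest was recorded on the primary server with `sha256sum ca.pem` and brought to the agent over a separate trusted channel. It also downloads the script to a file with `--fail` instead of piping it, so a TLS or HTTP error stops the run before anything reaches bash.

```shell
# Added example. Hypothetical helpers: sha256_of, verify_ca_copy, install_agent.
sha256_of() {
  # Print the SHA-256 hex digest of a file using whichever tool is present.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_ca_copy() {
  # Usage: verify_ca_copy <path-to-ca.pem> <expected-sha256>
  # Returns 0 only if the copy is a regular file (not a symlink) that holds a
  # PEM certificate and whose digest matches the value from the primary server.
  local cacert="$1" expected="$2" actual
  if [ -L "$cacert" ] || [ ! -f "$cacert" ]; then
    echo "not a regular file: $cacert" >&2; return 1
  fi
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cacert" || {
    echo "no PEM certificate in $cacert" >&2; return 1; }
  actual=$(sha256_of "$cacert") || return 1
  # Hex digests are compared case-insensitively.
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
    "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ] || {
    echo "digest mismatch for $cacert" >&2; return 1; }
}

install_agent() {
  # Usage: install_agent <primary-hostname> <path-to-ca.pem> <expected-sha256>
  local host="$1" cacert="$2" expected="$3" script rc=1
  verify_ca_copy "$cacert" "$expected" || return 1
  script=$(mktemp) || return 1
  # --fail makes curl exit non-zero on HTTP errors; the script only runs
  # after a complete download verified against the copied CA certificate.
  if curl --fail --silent --show-error --cacert "$cacert" \
       --output "$script" "https://${host}:8140/packages/current/install.bash"; then
    sudo bash "$script" && rc=0
  fi
  rm -f "$script"
  return "$rc"
}
```

Call it as `install_agent <PRIMARY_HOSTNAME> /etc/puppetlabs/puppet/ssl/certs/ca.pem <EXPECTED_SHA256>` in place of the curl command in step 4.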