puppet_configure_master_client

In the previous section we installed the binaries for both the Agent and the Server. In this section we will configure them and sign the agent's certificate:

For the configuration, we have to configure the agent to point to the master server. Then we have to sign the agent's certificate from the master.

We can start the service as follows:

Start the Puppet Server

[root@puppetmaster etc]# service puppetserver start
Redirecting to /bin/systemctl start puppetserver.service
[root@puppetmaster etc]# service puppetserver status
Redirecting to /bin/systemctl status puppetserver.service
● puppetserver.service - puppetserver Service
   Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-11-13 16:50:11 EST; 7s ago
  Process: 7345 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver start (code=exited, status=0/SUCCESS)
 Main PID: 7368 (java)
    Tasks: 40 (limit: 4915)
   CGroup: /system.slice/puppetserver.service
           └─7368 /usr/bin/java -Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -XX:OnOutOfMemoryError="kill -9 %p" -XX:ErrorFile=/var/log/puppetlabs/pu...

Nov 13 16:49:35 puppetmaster.example.com systemd[1]: Starting puppetserver Service...
Nov 13 16:50:11 puppetmaster.example.com systemd[1]: Started puppetserver Service.
[root@puppetmaster etc]# 

As stated before, the agent is the one pulling from the master, but before it can do that, the connection between them NEEDS to be secure. In the IT world, secure means certificates, so let's check which certificates the master has:

Check Master Certificates

[root@puppetmaster certificate_requests]# puppetserver ca list --all
Signed Certificates:
    puppetmaster.example.com       (SHA256)  ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B    alt names: ["DNS:puppet", "DNS:puppetmaster.example.com"]  authorization extensions: [pp_cli_auth: true]
[root@puppetmaster certificate_requests]# 

So we see that the master has only its own certificate. For the agent to work, the agent has to send its certificate request to be signed by the master. So let's set up the agent.

Edit Puppet Agent Conf

[root@puppetagent puppet]# vi /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html

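[main]
# certname: the name this agent requests its certificate under
certname = puppetslave.example.com
# server: the master this agent pulls from
server = puppetmaster.example.com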

:wq

After that, we can start the Agent.

Start Puppet Agent

[root@puppetagent puppet]# service puppet start
Redirecting to /bin/systemctl start puppet.service
[root@puppetagent puppet]# service puppet status
Redirecting to /bin/systemctl status puppet.service
● puppet.service - Puppet agent
   Loaded: loaded (/usr/lib/systemd/system/puppet.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-11-13 17:23:04 EST; 2s ago
 Main PID: 26262 (puppet)
    Tasks: 2
   CGroup: /system.slice/puppet.service
           └─26262 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize

Nov 13 17:23:04 puppetslave.example.com systemd[1]: Started Puppet agent.
[root@puppetagent puppet]#

Since the agent started (hopefully without mistakes), the master should have received the agent's certificate request to approve:

Check Certificate Requests

[root@puppetmaster certificate_requests]# puppetserver ca list --all
Requested Certificates:
    puppetslave.example.com       (SHA256)  1F:86:36:82:A1:0E:A6:76:BE:D5:F8:11:93:85:E1:9C:AC:EE:AA:29:AC:85:0F:EB:49:90:A7:CF:FC:40:51:22
Signed Certificates:
    puppetmaster.example.com       (SHA256)  ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B    alt names: ["DNS:puppet", "DNS:puppetmaster.example.com"]  authorization extensions: [pp_cli_auth: true]

Now the list shows 2 entries :), so let's approve our agent's request.

Sign Certificate

[root@puppetmaster certificate_requests]# puppetserver ca sign --certname puppetslave.example.com
Successfully signed certificate request for puppetslave.example.com
[root@puppetmaster certificate_requests]#
[root@puppetmaster certificate_requests]# puppetserver ca list --all
Signed Certificates:
    puppetmaster.example.com       (SHA256)  ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B    alt names: ["DNS:puppet", "DNS:puppetmaster.example.com"]  authorization extensions: [pp_cli_auth: true]
    puppetslave.example.com        (SHA256)  A4:24:76:E7:3D:B8:5B:35:15:1D:79:61:6B:44:F7:1B:D8:B9:8A:03:C9:5B:C4:0D:10:23:8B:00:75:7F:9A:DA
[root@puppetmaster certificate_requests]#
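
Before signing, it is worth confirming that the fingerprint the master lists for the request is the one the agent itself reported (1F:86:… in both outputs on this page). The script below is an added example, not part of the original page; the function names are hypothetical and the sample listing is constructed from the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check a pending CSR's
# fingerprint against a value obtained on the agent before signing it.

# Constructed sample: the `puppetserver ca list --all` listing shown above,
# with the master's alt names / extensions trimmed.
SAMPLE_LIST='Requested Certificates:
    puppetslave.example.com       (SHA256)  1F:86:36:82:A1:0E:A6:76:BE:D5:F8:11:93:85:E1:9C:AC:EE:AA:29:AC:85:0F:EB:49:90:A7:CF:FC:40:51:22
Signed Certificates:
    puppetmaster.example.com       (SHA256)  ED:77:D9:A2:F5:86:51:C3:98:F2:61:10:C6:38:14:A3:6B:0C:8D:31:A5:36:46:B4:7C:FC:6E:D7:5F:6E:F6:4B'

# pending_fingerprint CERTNAME
# Reads a listing on stdin; prints CERTNAME's SHA256 fingerprint only if the
# entry sits under "Requested Certificates:" (signed entries are ignored).
pending_fingerprint() {
  awk -v name="$1" '
    /^[^ \t]/ { pending = ($0 ~ /^Requested Certificates:/); next }
    pending && $1 == name && $2 == "(SHA256)" { print $3; exit }
  '
}

# Uppercase and strip whitespace so pasted fingerprints compare reliably.
normalize_fp() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# csr_matches CERTNAME EXPECTED_FP  (listing on stdin)
# Succeeds only if a pending request exists and its fingerprint is EXPECTED_FP.
csr_matches() (
  listed=$(pending_fingerprint "$1")
  [ -n "$listed" ] && [ "$(normalize_fp "$listed")" = "$(normalize_fp "$2")" ]
)

# verify_then_sign CERTNAME EXPECTED_FP  (run on the master)
# EXPECTED_FP is read on the agent itself, e.g. from the
# "Certificate Request fingerprint (SHA256)" line of `puppet agent --test`.
verify_then_sign() {
  if puppetserver ca list --all | csr_matches "$1" "$2"; then
    puppetserver ca sign --certname "$1"
  else
    echo "refusing to sign $1: no pending request with that fingerprint" >&2
    return 1
  fi
}
```

The fingerprint listed after signing (A4:24:… above) differs from the request's because it is computed over the issued certificate, not over the request.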

From now on, we will have a trusted connection between the Agent/Slave and the Master.

We can verify the connection and the pull from the Agent as follows:

Pull latest Changes

[root@puppetagent puppet]# puppet agent --test --verbose
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetslave.example.com
Info: Certificate Request fingerprint (SHA256): 1F:86:36:82:A1:0E:A6:76:BE:D5:F8:11:93:85:E1:9C:AC:EE:AA:29:AC:85:0F:EB:49:90:A7:CF:FC:40:51:22
Info: Downloaded certificate for puppetslave.example.com from https://puppetmaster.example.com:8140/puppet-ca/v1
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for puppetslave.example.com
Info: Applying configuration version '1605307262'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.03 seconds
[root@puppetagent puppet]# puppet agent --test --verbose
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for puppetslave.example.com
Info: Applying configuration version '1605307275'
Notice: Applied catalog in 0.01 seconds
[root@puppetagent puppet]# 
  • Last modified: 2020/11/16 16:21
  • by andonovj