fix #669 Using puppet PKI is unsupported on newer Puppetmaster

voxpupuli · Aug 20, 2021 · 807df10 · 807df10
1 parent da5eb13
commit 807df10
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -72,6 +72,8 @@ And depends on:
 
 ### Limitations
 
+The use of Icinga's own CA is recommended. If you still want to use the Puppet certificates, please note that Puppet 7 uses an intermediate CA by default and Icinga cannot handle its CA certificate, see [Icinga Issue](https://github.com/Icinga/icinga2/pull/8859).
+
 This module has been tested on:
 
 * Ruby >= 1.9

diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
@@ -55,6 +55,8 @@
 #   Provides multiple sources for the certificate, key and ca.
 #   - puppet: Copies the key, cert and CAcert from the Puppet ssl directory to the cert directory
 #             /var/lib/icinga2/certs on Linux and C:/ProgramData/icinga2/var/lib/icinga2/certs on Windows.
+#             Please note that Puppet 7 uses an intermediate CA by default and Icinga cannot handle
+#             its CA certificate, see [Icinga Issue](https://github.com/Icinga/icinga2/pull/8859).
 #   - icinga2: Uses the icinga2 CLI to generate a Certificate Request and Key to obtain a signed
 #              Certificate from 'ca_host' using the icinga2 ticket mechanism.
 #              In case the 'ticket_salt' has been configured the ticket_id will be generated