PuppetDB in Debian
==================

1. Differences from upstream PuppetDB
-------------------------------------

- To comply with the Debian Policy Manual, PuppetDB's configuration is
  located under /etc/puppetdb, rather than /opt/puppetlabs/etc.

- A number of puppetdb CLI commands are not supported:

  + puppetdb ssl-setup is not implemented, as it cannot run reliably on a
    Debian system. To set up TLS see the following section.

  + puppetdb migrate-config is not implemented, as

- Automatic checks for newer upstream versions are disabled by default, as
  they use a call-home HTTP request to query update availability. If you
  wish to re-enable them, set disable-update-checking = false in the
  [puppetdb] section of the config.

2. Setting up TLS
-----------------

Out of the box, PuppetDB will listen on localhost, port 8080 for plain HTTP
requests. The puppet terminus requires HTTPS to work, with the Puppet master
and PuppetDB performing mutual authentication via TLS.

For this to work you will need to install a certificate issued by your
Puppet CA; the easiest way to do so is to use the PuppetDB host's Puppet
certificate, which on Debian systems can be found under /var/lib/puppet/ssl:

- Copy the certificate and the corresponding private key over to
  /etc/puppetdb
- Adjust the settings in /etc/puppetdb/conf.d/jetty.ini
- Restart puppetdb

Future versions of the package might attempt to do this semi-automatically
during installation.
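
The three steps above as a shell sketch. This is an added example, not part of the Debian package: it assumes the standard Puppet ssldir layout under /var/lib/puppet/ssl and a "puppetdb" service account, and the function names and destination file names are chosen here for illustration. The ssl-* keys are PuppetDB's jetty.ini TLS settings.

```shell
#!/bin/sh
# Added example (not shipped by the package). Assumed ssldir layout:
#   certs/<certname>.pem, private_keys/<certname>.pem, certs/ca.pem
# Usage, as root:
#   install_puppetdb_tls /var/lib/puppet/ssl "$(hostname -f)" /etc/puppetdb
#   jetty_tls_settings /etc/puppetdb   # merge into [jetty] in conf.d/jetty.ini
#   systemctl restart puppetdb

# install_puppetdb_tls SSLDIR CERTNAME DESTDIR
# Copies the host certificate, its private key and the CA certificate.
install_puppetdb_tls() {
    ssldir=$1 certname=$2 dest=$3
    # Refuse to continue if any of the three files is absent, so a partial
    # copy never leaves PuppetDB with a certificate but no key.
    for f in "certs/$certname.pem" "private_keys/$certname.pem" certs/ca.pem; do
        [ -r "$ssldir/$f" ] || { echo "missing $ssldir/$f" >&2; return 1; }
    done
    # Certificates are public; the private key is readable by its owner only.
    install -m 0644 "$ssldir/certs/$certname.pem" "$dest/public.pem" &&
    install -m 0644 "$ssldir/certs/ca.pem" "$dest/ca.pem" &&
    install -m 0600 "$ssldir/private_keys/$certname.pem" "$dest/private.pem" ||
        return 1
    # Hand the key to the service account (assumed to be "puppetdb") when
    # running as root; otherwise leave ownership as it is.
    if [ "$(id -u)" -eq 0 ] && id puppetdb >/dev/null 2>&1; then
        chown puppetdb:puppetdb "$dest/private.pem" || return 1
    fi
}

# jetty_tls_settings DESTDIR
# Prints the TLS lines for the [jetty] section. ssl-ca-cert is what makes
# Jetty verify client certificates against the Puppet CA (mutual TLS).
jetty_tls_settings() {
    cat <<EOF
ssl-host = 0.0.0.0
ssl-port = 8081
ssl-key = $1/private.pem
ssl-cert = $1/public.pem
ssl-ca-cert = $1/ca.pem
EOF
}
```

ssl-host = 0.0.0.0 listens on every interface; narrow it to the address the Puppet master actually reaches if the host has more than one network.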