Enable TLSv1

TLSv1 and TLSv1.1 are disabled by default in PE.

You must enable TLSv1 to install agents on these platforms:

  • AIX

  • CentOS 5

  • RHEL 5

  • SLES 11

  • Solaris 10, 11

  • Windows Server 2008 R2

To comply with security regulations, PE 2019.1 and later uses only version 1.2 of the Transport Layer Security (TLS) protocol.

CAUTION: For nodes that use TLSv1, using a script to install or upgrade agents can fail if the curl version installed on the node uses OpenSSL earlier than version 1.0. This issue produces an SSL error during any curl connection to the primary server. As a workaround, add --ciphers AES256-SHA to ~/.curlrc so that curl calls always use an appropriate cipher.
  1. In the console, click Node groups > PE Infrastructure.
  2. On the Configuration data tab, add the following class, parameter, and value:
    Class Parameter Value
    puppet_enterprise::master::puppetserver ssl_protocols ["TLSv1", "TLSv1.1", "TLSv1.2"]
  3. Click Add data, and commit changes.
  4. Run Puppet on the primary server and any compilers.