puppet not signing cert or getting new requests

7,591

Any open signing requests should be listed in puppet cert list on the master. If they don't show up there, there's no use trying to sign them. Once signed, they disappear from the list and will only show up in puppet cert list --all.

It appears your master is not receiving signing requests from the agent, since your list is empty. There are a number of things that could be wrong. Let's start with these:

  • Is the master running?
  • Does the hostname 'puppet' or 'puppet.abc.com' resolve from the agent?
  • Is TCP port 8140 on the master reachable from the agent (try: telnet puppet 8140)?
  • What does syslog on the agent say?
  • Try puppet agent --test on the agent, which will attempt to connect to the master and stay in foreground to show the output.
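To work through that checklist from the agent side, here is an added example script; it is not from the original answer and not part of Puppet. It assumes a POSIX shell with getent, awk, sed, grep and timeout on the agent, a bash binary for the /dev/tcp connect test, and the master name and port used in this thread (puppet.abc.com, 8140) as defaults. The listing format that cert_state parses (signed certs prefixed "+", revoked "-", pending requests indented) is the puppet cert list --all layout of the Puppet 2.6 era shown in the question. The script goes one step beyond the list: it also checks the PTR record for the master's address and triages each line of puppet agent --test output so the checklist item that actually applies is obvious.

```shell
#!/bin/sh
# Agent-side pre-flight for the checklist in the answer above.
# Added example, not code from the original page or from Puppet. Assumes:
# getent, awk, sed, grep, timeout and a bash binary are installed on the
# agent; master name/port default to the ones used in this thread.

# cert_state NAME LISTING -> signed | revoked | pending | absent
#   LISTING is the text of `puppet cert list --all` captured on the master.
#   Signed certs are prefixed "+ ", revoked "- ", pending CSRs are indented.
cert_state() {
  name=$(printf '%s' "$1" | sed 's/[.]/\\./g')   # dots in NAME are literal
  if   printf '%s\n' "$2" | grep -qE "^[+] \"?$name\"? ";             then echo signed
  elif printf '%s\n' "$2" | grep -qE "^- \"?$name\"? ";               then echo revoked
  elif printf '%s\n' "$2" | grep -qE "^[[:space:]]*\"?$name\"? ";     then echo pending
  else echo absent; fi
}

# classify_agent_log LINE -> dns | network | ssl-trust | other
#   Coarse triage of one agent syslog or `puppet agent --test` line.
classify_agent_log() {
  case "$1" in
    *"Unknown host"*|*"getaddrinfo"*)                          echo dns ;;
    *"Connection refused"*|*"No route to host"*|*"timed out"*) echo network ;;
    *"certificate verify failed"*)                             echo ssl-trust ;;
    *)                                                         echo other ;;
  esac
}

# resolve_name NAME -> first IPv4 address; non-zero status if none
resolve_name() {
  getent ahostsv4 "$1" | awk 'NR==1 { print $1; found=1 } END { exit !found }'
}

# reverse_name IP -> name from the PTR record; non-zero status if none
reverse_name() {
  getent hosts "$1" | awk 'NR==1 { print $2; found=1 } END { exit !found }'
}

# port_open HOST PORT -> status 0 if a TCP connection is accepted within 3s
#   Uses bash's /dev/tcp so no telnet/nc is required on the agent.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2 && exec 3>&-" 2>/dev/null
}

# preflight [MASTER] [PORT] -> runs the checklist, status 1 on a hard failure
preflight() {
  master="${1:-puppet.abc.com}"; port="${2:-8140}"; rc=0
  if ip=$(resolve_name "$master"); then
    echo "ok   $master resolves to $ip"
    if rev=$(reverse_name "$ip"); then
      echo "ok   PTR for $ip is $rev"
    else
      echo "warn no PTR record for $ip (cert names are tied to the FQDN)"
    fi
  else
    echo "FAIL $master does not resolve; fix DNS or /etc/hosts first"
    return 1
  fi
  if port_open "$ip" "$port"; then
    echo "ok   TCP $port reachable on $ip"
  else
    echo "FAIL cannot reach TCP $port on $ip; check the master is running,"
    echo "     listens on 0.0.0.0:$port, and iptables/selinux allow it"
    rc=1
  fi
  # Triage the agent's own view of the problem, one tag per output line.
  puppet agent --test --server "$master" 2>&1 | while IFS= read -r line; do
    printf '%-11s %s\n' "[$(classify_agent_log "$line")]" "$line"
  done
  return $rc
}

# Only run the checks when invoked with arguments, e.g.:
#   sh preflight.sh puppet.abc.com 8140
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A FAIL on resolution or on the port means no signing request can reach the master, so there is nothing to sign yet. A line tagged ssl-trust ("certificate verify failed") is a different failure: the agent is validating the master's certificate against a CA certificate already present in its own ssldir and that check fails. A line tagged dns such as "dnsdomainname: Unknown host" means the agent cannot resolve its own hostname, which is what its certname, and therefore the name that would appear in puppet cert list, defaults to.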

Author: Spechal

Updated on September 18, 2022

Comments

  • Spechal (over 1 year)

    I am not sure how to word the question, so here is the problem:

    I have a brand new install of puppet-server and puppet using v2.6.16 and running on 2 nodes (puppet and puppet-agent, respectively) following the steps at http://docs.puppetlabs.com/guides/installation.html for a Linux box (CentOS).

    On the puppet[-server] box, I issue puppetca -la and get back:

    + puppet (DB:50:1B:37:47:78:DA:F2:69:28:B7:E2:22:1B:C5:28) (alt names: DNS:puppet, DNS:puppet.abc.com)

    (note that puppet-agent is not listed) ... also, no puppet instances are listed with puppet cert list

    When signing the box with puppetca --sign puppet, I get:

    err: Could not call sign: Could not find certificate request for puppet

    Same with puppetca --sign puppet.abc.com

    There is a puppet.pem in the private_keys and certs directory. The certificate_requests directory is empty. Auto-signing is off.

    I'd be happy to supply any additional information and would appreciate any assistance.

    The puppet.conf on both machines is as follows, sans comments:

    [main]
      logdir = /var/log/puppet
      rundir = /var/run/puppet
      vardir = /var/lib/puppet
      factpath = $vardir/lib/facter
      ssldir = $vardir/ssl
      server = puppet.abc.com
      dns_alt_names = puppet, puppet.abc.com
      pluginsync = true
    
    [agent]
      classfile = $vardir/classes.txt
      localconfig = $vardir/localconfig
    
    [master]
      templatedir = var/lib/puppet/templates
    

    EDIT DUE TO COMMENTS

    • Master is running
    • Agent can contact master via hostname
    • Agent CANNOT telnet to 8140 on master -- master is listening on 0.0.0.0:8140 with iptables and selinux off
    • The agent's syslog shows:

          May 14 13:40:13 puppet-agent puppet-agent[25920]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
          May 14 13:40:13 puppet-agent puppet-agent[25920]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://puppet.abc.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
          May 14 13:40:14 puppet-agent puppet-agent[25920]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

    • puppet agent --test yields:

          dnsdomainname: Unknown host
          info: Retrieving plugin
          err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
          err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://puppet.abc.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
          dnsdomainname: Unknown host
          err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
          warning: Not using cache on failed catalog
          err: Could not retrieve catalog; skipping run
          May 14 13:40:14 puppet-agent puppet-agent[25920]: Using cached catalog
    • netstat produces ruby/puppet in a LISTEN state and the agent in a TIME_WAIT
  • Atulmaharaj (about 12 years)
    My advice, forget about the puppetca commands. That's old stuff and will just confuse the issue. Modern versions of Puppet, such as the one you're using, do everything via puppet subcommands, such as puppet cert. See puppet help for the list of available commands.
  • Spechal (about 12 years)
    Adjusted question with results of your comments. Thanks!
  • Spechal (about 12 years)
    Resolved the issue with troubleshooting steps above ... giving answer. Thanks!
  • Satish (over 11 years)
    puppet cert is highly dependent on DNS (the FQDN). So make sure you have a proper DNS entry and PTR entry.