puppet not signing cert or getting new requests
Any open signing requests should be listed in `puppet cert list` on the master. If they don't show up there, there's no use trying to sign them. Once signed, they disappear from the list and will only show up in `puppet cert list --all`.
It appears your master is not receiving signing requests from the agent, since your list is empty. There are a number of things that could be wrong. Let's start with these:
- Is the master running?
- Does the hostname 'puppet' or 'puppet.abc.com' resolve from the agent?
- Is TCP port 8140 on the master reachable from the agent (try `telnet puppet 8140`)?
- What does syslog on the agent say?
- Try `puppet agent --test` on the agent, which will attempt to connect to the master and stay in the foreground to show the output.
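The checklist above as a runnable agent-side pre-flight script, added here as an example (it is not code from the answer or from Puppet itself). It assumes bash (for `/dev/tcp`), `getent` and coreutils `timeout`, defaults the port to 8140 and the syslog file to `/var/log/messages` (the CentOS location), and the log lines embedded in it are constructed to match the shape of the output quoted in the question, not real captures:

```shell
#!/usr/bin/env bash
# Agent-side pre-flight for the checklist above (added example, not from the
# original answer). Assumes bash (for /dev/tcp), getent, and coreutils timeout.
# Usage: ./puppet-preflight.sh puppet.abc.com [8140] [/var/log/messages]

# Does the master's name resolve from this agent? (checklist item 2)
resolve_host() {
  getent hosts "$1" >/dev/null 2>&1
}

# Is TCP port $2 on host $1 reachable? (checklist item 3) Replaces telnet with
# bash's /dev/tcp; "timeout" stops a silently dropped port from hanging.
check_tcp() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Map one agent/syslog line to the checklist item it points at (item 4).
# The first pattern is the error quoted in the question; the others are the
# usual connect-phase failures. "dns" covers both the master's name and the
# agent's own FQDN failing to resolve (dnsdomainname: Unknown host).
classify_agent_error() {
  case "$1" in
    *"certificate verify failed"*)                                 echo cert-verify ;;
    *"Connection refused"*|*"No route to host"*|*"timed out"*)     echo port-unreachable ;;
    *"Unknown host"*|*"getaddrinfo"*|*"Name or service not known"*) echo dns ;;
    *)                                                             echo other ;;
  esac
}

# Read log lines on stdin; print "<kind>: <line>" for every line that matched.
summarise_log() {
  local line kind
  while IFS= read -r line; do
    kind=$(classify_agent_error "$line")
    [ "$kind" = other ] || printf '%s: %s\n' "$kind" "$line"
  done
}

# Constructed sample modelled on the syslog output in the question (not a real capture).
SAMPLE_LOG='May 14 13:40:13 puppet-agent puppet-agent[25920]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
May 14 13:40:14 puppet-agent puppet-agent[25920]: dnsdomainname: Unknown host
May 14 13:40:14 puppet-agent puppet-agent[25920]: Using cached catalog'

run_checks() {
  local master="$1" port="${2:-8140}" log="${3:-/var/log/messages}" status=0
  if resolve_host "$master"; then echo "ok   $master resolves"
  else echo "FAIL $master does not resolve from this agent"; status=1; fi
  if check_tcp "$master" "$port"; then echo "ok   $master:$port reachable"
  else echo "FAIL $master:$port not reachable (master down, firewall, or not listening)"; status=1; fi
  if [ -r "$log" ]; then
    echo "recent puppet-agent errors in $log:"
    grep -h 'puppet-agent' "$log" | tail -n 50 | summarise_log
  fi
  echo "next: run 'puppet agent --test' on this agent and read its output"
  return "$status"
}

# Only run when given a master name, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  run_checks "$@"
fi
```

Run it on the agent as `./puppet-preflight.sh puppet.abc.com`; a non-zero exit means name resolution or the TCP connection to 8140 failed, which is exactly the case where no request can reach the master's `puppet cert list`. A `cert-verify` classification means the connection was made but the agent rejected the master's certificate, so the problem is in the SSL directories rather than the network.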
Updated on September 18, 2022
Comments
-
Spechal over 1 year
I am not sure how to word the question, so here is the problem:
I have a brand new install of puppet-server and puppet using v2.6.16 and running on 2 nodes (puppet and puppet-agent, respectively) following the steps at http://docs.puppetlabs.com/guides/installation.html for a Linux box (CentOS).
On the puppet[-server] box, I issue `puppetca -la` and get back:
+ puppet (DB:50:1B:37:47:78:DA:F2:69:28:B7:E2:22:1B:C5:28) (alt names: DNS:puppet, DNS:puppet.abc.com)
(note that puppet-agent is not listed) ... also, no puppet instances are listed with `puppet cert list`.
When signing the box with `puppetca --sign puppet`, I get:
err: Could not call sign: Could not find certificate request for puppet
Same with `puppetca --sign puppet.abc.com`.
There is a puppet.pem in the private_keys and certs directory. The certificate_requests directory is empty. Auto-signing is off.
I'd be happy to supply any additional information and would appreciate any assistance.
The puppet.conf on both machines is as follows, sans comments:
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
vardir = /var/lib/puppet
factpath = $vardir/lib/facter
ssldir = $vardir/ssl
server = puppet.abc.com
dns_alt_names = puppet, puppet.abc.com
pluginsync = true
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
[master]
templatedir = var/lib/puppet/templates
EDIT DUE TO COMMENTS
- Master is running
- Agent can contact master via hostname
- Agent CANNOT telnet to 8140 on master -- master is listening on 0.0.0.0:8140 with iptables and selinux off
- Syslog on the agent says:
  May 14 13:40:13 puppet-agent puppet-agent[25920]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
  May 14 13:40:13 puppet-agent puppet-agent[25920]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://puppet.abc.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
  May 14 13:40:14 puppet-agent puppet-agent[25920]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
- `puppet agent --test` yields:
  dnsdomainname: Unknown host
  info: Retrieving plugin
  err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
  err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://puppet.abc.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
  dnsdomainname: Unknown host
  err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
  warning: Not using cache on failed catalog
  err: Could not retrieve catalog; skipping run
  May 14 13:40:14 puppet-agent puppet-agent[25920]: Using cached catalog
- netstat produces ruby/puppet in a LISTEN state and the agent in a TIME_WAIT
-
Atulmaharaj about 12 years
My advice, forget about the puppetca commands. That's old stuff and will just confuse the issue. Modern versions of Puppet, such as the one you're using, do everything via `puppet` subcommands, such as `puppet cert`. See `puppet help` for the list of available commands.
-
Spechal about 12 years
Adjusted question with results of your comments. Thanks!
-
Spechal about 12 years
Resolved the issue with troubleshooting steps above ... giving answer. Thanks!
-
Satish over 11 years
puppet cert is highly dependent on DNS (FQDN). So make sure you have a proper DNS entry and PTR entry.