I have a puppetmaster server and four puppet agent clients. I'm attaching my puppet.conf and hosts files from all nodes. When I call 'puppet cert list' it returns nothing.

But when called with the --all flag it returns its own certificate.

I am able to ping puppet and puppetmaster from all agents. 'puppet agent --test' on the agents gives the following:

Exiting; no certificate found and waitforcert is disabled

How can I get the certificate requests from the agents to the master? Can anyone give me a solution to this problem?

[1] puppet.conf https://drive.google.com/file/d/0ByrsDKrxH15uaThvQm9VRHBtaTg/view?usp=sharing

[2] hosts https://drive.google.com/file/d/0ByrsDKrxH15uVktSYmhDN1NHaGc/view?usp=sharing

Fasna
  • Could you run the following command in the shell of your puppet client(s) and post back the result: `dig puppet.example.com +short` – Nikolas Sakic Mar 10 '15 at 06:59
  • It returns nothing – Fasna Mar 10 '15 at 07:04
  • That is your problem. You are using 'puppet.example.com' as your puppet server, when you can't even resolve puppet.example.com. 'example.com' is an external domain; as soon as you try to access example.com, your DNS client tries to resolve it. Why are you using blablabla.example.com??? Why not use the IP address of your puppet server in your configuration? – Nikolas Sakic Mar 10 '15 at 07:12
  • What version of puppet client are you using? You can either delete the certificate (delete the 'ssl' directory and all its sub-directories on the puppet client, then start your puppet client again and it will re-create the certificate), or you can uninstall, re-install, change your puppet server address and then run the puppet client. – Nikolas Sakic Mar 10 '15 at 07:14
  • Clients and server are both version 3.7.4. I've deleted the ssl directories and edited the puppet.conf files and still the same thing happens on the clients. I mean, it still produces the four lines `root@mgt2:~# puppet agent --no-daemonize --verbose --waitforcert 2 Info: Creating a new SSL key for mgt2.private.wso2.com Info: Caching certificate for ca Info: Caching certificate_request for mgt2.private.wso2.com Info: Caching certificate for ca Notice: Did not receive certificate` – Fasna Mar 10 '15 at 07:27
  • on puppet server you do not see any request to sign the certs? – Nikolas Sakic Mar 10 '15 at 08:00
  • nope, no requests – Fasna Mar 10 '15 at 08:04
  • What is the output on the puppetmaster when you do this: `puppet cert list --all` – Nikolas Sakic Mar 10 '15 at 08:04
  • root@puppet:~# puppet cert list --all `+ "puppet.example.com" (SHA256) 76:6E:B8:17:92:50:E6:6C:CD:C5:B4:C2:54:07:11:D4:29:14:00:CD:AA:87:E2:3F:9C:6F:D0:22:A6:F4:F5:13 (alt names: "DNS:puppet", "DNS:puppet.example.com", "DNS:puppetmaster01", "DNS:puppetmaster01.example.com")` – Fasna Mar 10 '15 at 08:23
  • Yeah, no certificate is there to sign. It means your puppet client never found your puppet server. – Nikolas Sakic Mar 10 '15 at 08:31
  • Yeah, I can ping from client to server and server to client. But how can I make sure that the client is not finding the server? How do I make it happen? – Fasna Mar 10 '15 at 08:36
  • I think you should wipe the whole thing clean. This 'example.com' domain was a terrible idea. Uninstall everything and make sure your hosts are not using external domains. Install puppet server and then puppet master from scratch. You can test by having master and client on the same machine. – Nikolas Sakic Mar 10 '15 at 22:11
  • What is the output of `puppet agent --configprint server`? The exact string that is returned must resolve to an IP on your master node, through which the master service is reachable. – Felix Frank Mar 13 '15 at 11:27
  • Please add the content of the `puppet.conf` file to the question. – 030 Mar 14 '15 at 18:57

2 Answers

The first time you run:

puppet agent -t

on a new puppet client, it creates a certificate request which is sent to the puppet master (as configured in the client's /etc/puppet/puppet.conf).

Then, on the puppet master you should run:

puppet cert list

Identify the relevant certificate and then sign it:

puppet cert sign hostname_of_puppet_client

Make sure that the certificate request that arrives at the puppet master is identified by the puppet client's hostname rather than its IP address, because otherwise it may cause you problems in the future.

Also, make sure that the time on both puppet master and client is in sync.

After the certificate is signed properly in the puppet master, you should run again on the client:

puppet agent -t

Then the client should download the puppet catalog and run the tasks.

Itai Ganot
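The signing procedure in this answer only works once a request actually shows up in `puppet cert list`; in the question above it never does. As an added example (not code from the answer or from Puppet itself), the Python below parses `puppet cert list --all` output in the Puppet 3.x format the comments show, sorts entries into signed, revoked and pending, and reports per agent whether its request is missing (the agent never reached the master), pending, or pending under an IP literal rather than a hostname. The sample output is constructed: the first line is the one Fasna posted, the mgt2 fingerprint and the 10.0.0.12 entry are made up.

```python
import re

# Constructed sample of `puppet cert list --all` output (Puppet 3.x). The first
# line is the one posted in the comments; the other two entries are made up.
SAMPLE = '''\
+ "puppet.example.com" (SHA256) 76:6E:B8:17:92:50:E6:6C:CD:C5:B4:C2:54:07:11:D4:29:14:00:CD:AA:87:E2:3F:9C:6F:D0:22:A6:F4:F5:13 (alt names: "DNS:puppet", "DNS:puppet.example.com", "DNS:puppetmaster01", "DNS:puppetmaster01.example.com")
  "mgt2.private.wso2.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
  "10.0.0.12" (SHA256) FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
'''

# Leading marker: "+" signed, "-" revoked, blank (two spaces) pending request.
_LINE = re.compile(
    r'^(?P<mark>[+\- ]) "(?P<name>[^"]+)" \((?P<alg>\w+)\) (?P<fp>[0-9A-Fa-f:]+)'
    r'(?: \(alt names: (?P<alt>.*)\))?\s*$')
_STATES = {"+": "signed", "-": "revoked", " ": "pending"}


def parse_cert_list(text):
    """Return {name: {"state", "fingerprint", "alt_names"}} from cert list output."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError("unrecognised cert list line: %r" % raw)
        alt = m.group("alt")
        entries[m.group("name")] = {
            "state": _STATES[m.group("mark")],
            "fingerprint": m.group("fp"),
            "alt_names": [a.strip().strip('"') for a in alt.split(",")] if alt else [],
        }
    return entries


def pending_names(entries):
    """Names that `puppet cert sign <name>` would act on."""
    return [n for n, e in entries.items() if e["state"] == "pending"]


def diagnose(entries, agent_name):
    """'missing' means no request reached the master: check that the agent's
    configured server name resolves to the master before thinking about signing."""
    entry = entries.get(agent_name)
    if entry is None:
        return "missing"
    if entry["state"] == "pending" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", agent_name):
        return "pending-ip-cn"  # request named by an IPv4 literal: sign by hostname instead
    return entry["state"]
```

Feed it real output with `parse_cert_list(subprocess.check_output(["puppet", "cert", "list", "--all"], text=True))` on the master; an agent that comes back "missing" has a resolution or connectivity problem, not a signing one.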

When I encountered this I had to restart the puppet master (I had to kill the process). I don't know yet why it helped, but perhaps there is some sort of cache in the master for hosts that were signed already (in my case it happened when I wanted to regenerate the certificate for a host).