1

How do I configure a Windows server to be a Puppet Agent server?

I am running Puppet Enterprise 4.x on CentOS 7 and Puppet Agent 3.7.4 on Windows Server 2012. I am trying to set this up for the first time. I know that there are no ports being blocked from the Puppet Master server to the Puppet Agent server.

When I run the `puppet agent -t x.x.x.x` command (from a Windows PowerShell window opened as administrator), I get this error:

Warning: Unable to fetch my node definition... x.x.x.x did not match server certificate...Failed to generate additional resources using 'eval_generate' ... did not match server certificate: expected one of ...

The puppet.conf file looked fine. On the Puppet Master server, I ran `puppet cert list --all`, which shows the Puppet agent server has been signed.

I can ping the Puppet Agent server from the Puppet Master. I can ping the Puppet Master server from the Puppet Agent. The GUI of Puppet shows a message "Run Puppet has been disabled because Node Manager cannot connect to ."

Why do I get the error above when I run the Puppet agent command?

Kiran

2 Answers

2

Puppet relies on SSL certificates. If you query your puppetmaster via its IP, certificate verification will fail.

On your puppetmaster, run `hostname -f`.

On your Windows server, make sure you can resolve that name. Eventually, define some DNS record.

From there, you should be able to run puppet agent, against your puppetmaster's fully qualified domain name. Never its IP.

SYN
  • I have a local hosts file on the Windows server that resolves the FQDN of the Puppet Master server. I can ping the FQDN of the Puppet Master server. I reinstalled Puppet Agent to make sure it was configured to use the FQDN of the Puppet Master and not the IP address. The problem remains. – Kiran Nov 10 '16 at 12:51
  • Really? Still saying `Unable to fetch my node definition... x.x.x.x did not match server certificate`? If so, you should look for your puppetmaster's certificate CN (may vary depending on your server's version and configuration, .... wild guessing somewhere in /var/lib/puppet/ssl/certs/). Having located the right pem file, run `openssl x509 -text -noout -in $certfile | grep Subject:` – SYN Nov 11 '16 at 02:21
  • I can no longer reproduce the problem. – Kiran Nov 11 '16 at 02:37
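
The certificate check from the comments above, as an added example that is not part of the original thread: it lists every name a certificate carries (the Subject CN and the subjectAltName entries, which `grep Subject:` alone does not show) and tests whether an IP address or a hostname is accepted. The names `puppet.example.com` and `puppet`, the address `192.0.2.10` and the self-signed certificate are constructed placeholders, and the `-addext` and `-ext` options assume OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Constructed values: puppet.example.com, the short name
# "puppet" and 192.0.2.10 are placeholders; the certificate is a throwaway.

# Create a self-signed stand-in for a master certificate in directory $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=puppet.example.com" \
        -addext "subjectAltName=DNS:puppet,DNS:puppet.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# List every name the certificate in $1 carries: Subject CN plus SANs.
cert_names() {
    openssl x509 -noout -subject -ext subjectAltName -in "$1"
}

# Print "match" or "mismatch" for server name $2 against certificate $1.
cert_accepts() {
    case $2 in
        *[!0-9.]*) flag=-checkhost ;;   # contains a non-digit: DNS name
        *)         flag=-checkip ;;     # digits and dots only: IPv4 literal
    esac
    case $(openssl x509 -noout -in "$1" "$flag" "$2" 2>/dev/null) in
        *"does match"*) echo match ;;
        *)              echo mismatch ;;
    esac
}

# Demo: the IP is rejected because the certificate holds only DNS names,
# while both the short name and the FQDN are accepted.
dir=$(mktemp -d)
make_sample_cert "$dir"
cert_names "$dir/cert.pem"
for name in 192.0.2.10 puppet puppet.example.com; do
    printf '%-20s %s\n' "$name" "$(cert_accepts "$dir/cert.pem" "$name")"
done
rm -rf "$dir"
```

To check a real master, call `cert_names` and `cert_accepts` on the pem file located as described in the comment above instead of the sample certificate.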
0

A user running without administrative context is going to re-request a certificate. Always make sure you are opening an administrative command line (elevated command line); simply opening a command line from an administrator account is not enough.

See https://docs.puppet.com/puppet/4.5/reference/services_agent_windows.html#running-puppet-agent-on-demand and https://docs.puppet.com/pe/latest/troubleshooting_windows.html#error-messages for more details.

You may have inadvertently created the original certificate without admin privileges and now it is running into issues when attempting to run under administrative credentials. A certificate will only be generated once for an FQDN, but typically the Puppet Agent service will do it immediately after install provided it can connect to the proper Puppet master server.

ferventcoder