I've migrated from puppet master on Apache/passenger to pupetmaster. As a result my puppet agents aren't getting any CSR extensions which were served by puppet master behind Apache.
I'm able to see those extensions on master using puppet cert print <agent's fqdn>:
X509v3 extensions:
Netscape Comment:
.(Puppet Ruby/OpenSSL Internal Certificate
Puppet Node Role Name:
..ci_server
But on the node those extensions aren't available:
root#jenkins:~# puppet apply -e 'notify { "${trusted['extensions']}": }'
Notice: Compiled catalog for jenkins in environment production in 0.02 seconds
Notice: {}
Notice: /Stage[main]/Main/Notify[{}]/message: defined 'message' as '{}'
Notice: Applied catalog in 0.23 seconds
On both machines, agent and master, I'm using puppet 5.5.2. What should I do to force puppetserver to serve CSR extensions data to agents?
Related
I am using the following Puppet version on CentOS Linux release 7.2:
# puppetserver -v
puppetserver version: 2016.5.0.11
I have a Win agent node and i might have few more later. Agent version on Win node:
C:\Windows\system32>puppet --version
4.8.1
I would like to disable the agent runinterval permanently so i can only push from my Puppet server when required. I saw few links and tried putting the following line in Puppet server's /etc/puppetlabs/puppet/puppet.conf file. I also restarted the server but still the agent is fetching the catalog.
[agent]
daemonize=false
I would also like to know whether it's possible to disable runinterval only on specific nodes. If yes, how?
What you are basically looking at doing is stopping the Puppet service. This is accomplished most easily with a puppet service resource:
service { 'puppet':
ensure => stopped,
enable => false,
}
To do this only on certain nodes, merely supply it for the corresponding node definitions in your classifier or main site manifest:
node /ones_to_disable/ {
service { 'puppet':
ensure => stopped,
enable => false,
}
}
This is the easy and common method for accomplishing push-style Puppet and disabling pull-style.
If you want to disable Puppet agent on given node you have to use this command: puppet agent --disable. You can specify a reason, why you are disabling agent on given node. The message that you could supply will be printed next time someone will type puppet agent on node.
I am trying to setup puppet master and puppet agent in aws ec2 instances-linux ami. when i run my puppet agent to generate the certificate for the master to sign i encounter the below error.
Puppet Master:
[root#ip-10-**-*-*** /]# sudo yum install puppet-server
[root#ip-10-**-*-*** /] sudo service puppetmaster start
Starting puppetmaster: [ OK ]
Puppet Agent:
[root#ip-10-**-*-*** /]# sudo yum install puppet
[root#ip-10-**-*-*** /]
File excerpt /etc/puppet/puppet.conf
[main]
server = hostname
[root#ip-10-**-*-*** /] sudo service puppet start
Starting puppet: [ OK ]
[root#ip-10-**-*-*** /]# puppet agent -t
info: Creating a new SSL key for ip-10-**-*-***.dev.abc.net
info: Caching certificate for ca
info: Creating a new SSL certificate request for ip-10-**-*-***.dev.abc.net
info: Certificate Request fingerprint (md5): C2:F0:B1:2C:19:39:9E:D6:39:24:18:28
Exiting; no certificate found and waitforcert is disabled
Puppet Master:
[root#ip-10-**-*-*** /]# puppet cert list
"ip-10-**-*-***.dev.abc.net" (C2:F0:B1:2C:19:39:9E:D6:39:24:18:28:F6:DA:5D:FE)
[root#ip-10-**-*-*** /]# puppet cert sign ip-10-**-*-***.dev.abc.net
notice: Signed certificate request for ip-10-**-*-***.dev.abc.net
notice: Removing file Puppet::SSL::CertificateRequest ip-10-**-*-***.dev.abc.net at '/var/lib/puppet/ssl/ca/requests/ip-10-**-*-***.dev.abc.net.pem'
Puppet Agent:
[root#ip-10-**-*-*** /]# puppet agent -t
info: Caching certificate for ip-10-**-*-***.dev.abc.net
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]
Can anyone please help me resolve this issue.
Yes, I know this is an old post. It still needs an answer, as I am having the same issue -- been working it for a few weeks now. I cannot guarantee yet that mine is working correctly all the time. Here are some steps I have taken. I hope they are helpful to others.
I am running Puppet Enterprise 2018.1.4. Puppet Agent 5.5.6 on RHEL 7.4.
1) The SSL routine uses a time stamp. Ensure the time is the same between Master & Client.
2) clean/remove the agent cert from the Master AND the Client. On my RHEL, the Client cert is is in /etc/puppetlabs/puppet/ssl/* -- remove any files with the agent name in here.
3) Make sure your puppet enabled on your agent: puppet agent --enable
4) If a client does not contact the puppet master "for a while" the master will drop the client from it's node list, but NOT remove the cert. In theory, the master SHOULD return the node to an active status.
5) Can you run the puppet agent on the master & get the expected results? If not -> problem with puppet code, otherwise, problem with agent.
6) Is puppet.conf configured correctly? Under the [main] section, do you have the server entry correct? Under [agent] are you set to the correct environment? Is noop set to true?
7) It is possible that you have an error in a puppet module that is causeing the agent to exit quietly. Run puppet parser validate on all of your .pp files
8) Can the master resolve the IP address of the master and the client? Can the client resolve the the IP address of the master and the client? Is resolv.conf set correctly on both hosts?
9) hostnames of the client & master should be correct. Each server should know it's shortname, FQDN and IP. On RHEL, I run: hostname; hostname -f; and hostname -i, respectively.
10) File permissions on all the directories & modules should be correct. Check out a working module, see it's owner, group & permissions. Ensure your module is the same.
11) Only root/admin can correctly run puppet agent.
12) On RHEL, the logs are under /var/log/puppet. Do you see any errors there?
13) run puppet agent with the --debug or the --trace option in addition to -t. Pipe this output to a file and see if you can spot any errors.
14) Can you force the master to run the puppet agent on the client successfully?
Many of these things have been narrowing down my issue. I don't know yet if it is fixed, as It takes a while for a node to drop out. Hopefully these will fix your issue.
Puppet Enterprise appeared to be installed on my ubuntu 14.04 server:
root#puppet:/# puppet --version
3.8.5 (Puppet Enterprise 3.8.4)
However, the puppet service is not running:
root#puppet:/# service puppet status
puppet: unrecognized service
The Puppet server seems to be working as well, as I can execute following command on the puppet master:
root#puppet:/# puppet resource package nginx
package { 'nginx':
ensure => '1.4.6-1ubuntu3.4',
Puppet cert list is empty as well even after running 'puppet agent -t' on a node:
root#puppet:/# puppet cert list
root#puppet:/#
The puppet service is called pe-puppet and not puppet on PE 3.x.
puppet cert list only displays the outstanding cert requests. You want puppet cert list --all to display the signed certs. https://docs.puppet.com/puppet/latest/reference/man/cert.html
service puppetmaster status
this will show the status of the puppet on the master machine
service puppet status
this will show the status on the slave/agent machine
How can I check if my puppet set-up (one master, one agent on Ubuntu 14.04 ) is configured correctly? Is there some command to verify if everything is right?
If you want to know, whether the puppet agent can connect to the puppet master and pull the configs. You can try running the agent in dry-run mode:
puppet agent -t --noop
For more details: https://docs.puppet.com/puppet/latest/reference/man/agent.html
Note: You may need to sign the puppet agent cert on the master, if you don't have auto signing enabled.
We have several servers working with puppet as agents today, but I'm having a problem with a new server running CentOS 7. Normally I would update the /etc/sysconfig/puppet file with the puppet master name and then start the daemon and move to signing the certificate on the master. However, puppet agent doesn't appear to be reading the server = myhost.domain in my config file.
I get the following error in /var/log/messages:
puppet-agent[11133]: Could not request certificate: getaddrinfo: Name or service not known
I tried:
myserver:root$ puppet agent --configprint server
puppet
myserver:root$
but the /etc/sysconfig/puppet file has:
PUPPET_SERVER=myserver.domain.com
Can you please help me understand why puppet agent doesn't get the server from the config file?
The /etc/sysconfig/puppet file is not typically read by the Puppet agent. (I'm not very familiar with CentOS operations, but I suppose that this location might hold some settings that are external to the process, such as environment, command line switches etc.)
You will want to use the proper puppet configuration file:
/etc/puppet/puppet.conf for Puppet 3.x and earlier
/etc/puppetlabs/puppet.conf for Puppet 4.x
so ran the following:
"puppet agent --no-daemonize --verbose --onetime --server puppetmaster.xxx.com"
this started puppet properly, requested certificate and I was able to sign on master. Then added:
server = puppetmaster.xxx.com
to /etc/puppet/puppet.conf and "systemctl restart puppet"
and it worked. Thanks for posts here and other places.