Puppet: Forbidden request /puppet-ca/v1/certificate/ca

I'm not able to make a Puppet node join a master; I'm using Puppet Enterprise on AWS.
Master
puppetserver --version
puppetserver version: 2017.3.0.38
Node
# puppet agent --test
Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate/ca (method :get). Please see the server logs for details.
Exiting; failed to retrieve certificate and waitforcert is disabled
Obviously the error message is related to permissions on the master side. When I check the log on the master I see:
ERROR [qtp2147089302-255] [p.t.a.rules] Forbidden request: 10.0.10.224 access to /puppet-ca/v1/certificate/ca (method :get) (authenticated: false) denied by rule 'puppetlabs certificate'.
But I checked that the new HOCON-format auth.conf is allowing unauthenticated nodes to send a CSR:
{
    "allow-unauthenticated": "*",
    "match-request": {
        "method": "get",
        "path": "/puppet-ca/v1/certificate/",
        "query-params": {},
        "type": "path"
    },
    "name": "puppetlabs certificate",
    "sort-order": 500
}
I also checked that pe-puppet-server.conf is not using the legacy auth.conf method:
# (optional) Authorize access to Puppet master endpoints via rules specified
# in the legacy Puppet auth.conf file (if true or not specified) or via rules
# specified in the Puppet Server HOCON-formatted auth.conf (if false).
use-legacy-auth-conf: false
max-active-instances: 2
max-requests-per-instance: 0
environment-class-cache-enabled: true
Please advise; the same error message occurs on both Windows and Linux.

I did reboot the entire server (EC2 instance) since reloading puppetserver didn't help ... I also did the auth change from the console, as instructed here:
Windows Puppet agent does not connect to the AWS OpsWorks Puppet Enterprise master

I had a similar issue when trying to setup my puppet nodes, but was using Vagrant instead of AWS.
The fix was to unset the following environment variables: http_proxy, https_proxy, HTTP_PROXY and HTTPS_PROXY.

My fix was to remove server_list from puppet.conf, clean up the CM cert and regenerate the cert. In my case I have autosign=true, so the process was:
Stop PE on CM:
systemctl stop puppet pxp-agent pe-puppetserver pe-puppetdb
Remove ssl dir
rm -fr /etc/puppetlabs/puppet/ssl
Cleanup cert from Primary:
puppetserver ca clean --certname='<CM>'
Run puppet agent on CM
puppet agent -t
Done.
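The master log above names the rule that denied the request ('puppetlabs certificate') and that the request was unauthenticated. The following is an added example, not from the question, the answers or Puppet Server itself: a small Ruby simulator of how Puppet Server evaluates HOCON auth.conf rules, so a rule set can be audited offline before the server is restarted. It assumes the documented semantics (lowest sort-order first, the first matching rule decides, "path" is a prefix match, "regex" a regular expression, and a request without a client certificate is only permitted by a rule whose allow-unauthenticated is "*"); the rule set is constructed, with a second rule deliberately lacking allow-unauthenticated to show how a "denied by rule" log line arises even though the rule matches the request.

```ruby
require 'json'

# Constructed rule set, modelled on the 'puppetlabs certificate' rule in the
# question; the second rule is deliberately missing allow-unauthenticated.
AUTH_RULES_JSON = <<~'JSON'
  [
    {"name": "puppetlabs certificate", "sort-order": 500,
     "allow-unauthenticated": "*",
     "match-request": {"method": "get", "path": "/puppet-ca/v1/certificate/", "type": "path"}},
    {"name": "puppetlabs csr", "sort-order": 500, "allow": "*",
     "match-request": {"method": ["get", "put"], "path": "/puppet-ca/v1/certificate_request", "type": "path"}},
    {"name": "puppetlabs deny all", "sort-order": 999, "deny": "*",
     "match-request": {"path": "^/", "type": "regex"}}
  ]
JSON

# Does one rule's match-request section match the request? A missing "method"
# means any method; "path" is a prefix match, "regex" a regular expression.
def rule_matches?(rule, req)
  m = rule['match-request']
  methods = Array(m['method'])
  return false unless methods.empty? || methods.include?(req[:method])
  case m['type']
  when 'path'  then req[:path].start_with?(m['path'])
  when 'regex' then Regexp.new(m['path']).match?(req[:path])
  else false
  end
end

# Evaluate the rules for a request (:method, :path, :authenticated, :certname).
# Returns [:allow | :deny, name_of_deciding_rule]; a nil name means no rule matched.
def authorize(rules, req)
  rule = rules.sort_by { |r| [r['sort-order'], r['name']] }.find { |r| rule_matches?(r, req) }
  return [:deny, nil] if rule.nil?
  return [:deny, rule['name']] if rule.key?('deny')
  return [:allow, rule['name']] if rule['allow-unauthenticated'] == '*'
  if req[:authenticated] && (rule['allow'] == '*' || Array(rule['allow']).include?(req[:certname]))
    [:allow, rule['name']]
  else
    [:deny, rule['name']] # matched, but the client is not covered by the rule's allow list
  end
end

# Same wording as the p.t.a.rules log line, so results can be compared with the server log.
def explain(rules, req, ip = '10.0.10.224')
  decision, name = authorize(rules, req)
  return "Allowed request: #{req[:path]} by rule '#{name}'" if decision == :allow
  "Forbidden request: #{ip} access to #{req[:path]} (method :#{req[:method]}) " \
    "(authenticated: #{req[:authenticated]}) denied by rule '#{name}'"
end
```

Running `explain` for the agent's GET of /puppet-ca/v1/certificate/ca against the rule pasted in the question yields an allow, so when the live server still denies it, the rule set it actually loaded (or the path the request arrives with, e.g. after a proxy) differs from the file being inspected.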

Related

GitLab CE 15.7 / Docker registry with self-signed certificate not working

I want to use the Gitlab Docker registry. I am using GitLab CE 15.7
I created my own CA and signed a certificate. GitLab UI and GitLab runners are working fine!
When it comes to the Docker Registry I have some issues. I configured the gitlab.rb like this:
registry_external_url 'https://198.18.133.100:5000'
registry['enable'] = true
registry['username'] = "registry"
registry['group'] = "registry"
registry['registry_http_addr'] = "127.0.0.1:5000"
registry['debug_addr'] = "localhost:5001"
registry['env'] = {
    'SSL_CERT_DIR' => "/etc/gitlab/ssl/"
}
registry['rootcertbundle'] = "/etc/gitlab/ssl/198.18.133.100.crt"
What also confuses me are the options for registry and registry_nginx.
I am not sure if I configured it correctly and the documentation doesn't help me a lot. I didn't spin up any Docker container for the registry or anything. I believe that this comes in the binary of GitLab (if I am not mistaken). Port 5000 is available and I can telnet to it.
However, while pushing the image to the registry I get the following error:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://198.18.133.100:5000/v2/": x509: certificate signed by unknown authority
Cleaning up project directory and file based variables
ERROR: Job failed: exit status 1
Any ideas? Thanks a lot!
I tried already quite a lot of different configs and reconfigured the gitlab server.
It has been fixed by copying the CA to the following path:
mkdir -p /etc/docker/certs.d/<your_registry_host_name>:<your_registry_host_port>
As well as the right config in gitlab.rb:
registry_nginx['enable'] = true
registry_nginx['listen_https'] = true
registry_nginx['redirect_http_to_https'] = true
registry_external_url 'https://registry.YOUR_DOMAIN.gtld'
Thanks all for your help!
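Added example, not from the question or from GitLab or Docker: Ruby code that reproduces the trust decision Docker makes, by building a constructed private CA and a leaf certificate for the registry address from the question and verifying the leaf with and without that CA in the trust store. Without the CA, OpenSSL fails with "unable to get local issuer certificate", the same failure Go's TLS client reports as "x509: certificate signed by unknown authority"; the ca.crt dropped under /etc/docker/certs.d/<host>:<port>/ is what adds the CA to Docker's store for that registry. The check also confirms the certificate's subjectAltName covers the address the client connects to, which a CA-only fix would not catch.

```ruby
require 'openssl'
require 'ipaddr' # used by verify_certificate_identity when matching IP SANs

# Issue an X.509 v3 certificate; issuer_cert/issuer_key nil means a self-signed CA.
def make_cert(subject, key, issuer_cert, issuer_key, ca:, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(2**63)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `leaf` the way a TLS client does: chain it to one of the `trusted`
# CA certs, then check the name or IP the client connected to. Returns [ok, reason].
def verify_registry_cert(leaf, trusted, host)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  # Without the private CA this is "unable to get local issuer certificate",
  # which Docker's Go client reports as "x509: certificate signed by unknown authority".
  return [false, store.error_string] unless store.verify(leaf)
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, host)
  [true, 'ok']
end

# Constructed private CA and registry certificate for the address in the question.
CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('/CN=Private Lab CA', CA_KEY, nil, nil, ca: true)
REG_KEY  = OpenSSL::PKey::RSA.new(2048)
REG_CERT = make_cert('/CN=198.18.133.100', REG_KEY, CA_CERT, CA_KEY, ca: false,
                     san: 'IP:198.18.133.100')

if __FILE__ == $PROGRAM_NAME
  p verify_registry_cert(REG_CERT, [], '198.18.133.100')        # what Docker sees before the fix
  p verify_registry_cert(REG_CERT, [CA_CERT], '198.18.133.100') # after ca.crt is installed
end
```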

Puppet7 agent can't find catalog from server

I'm learning Puppet now. Everything is new to me... After installing a Puppet 7 server and agent on my two learning VMs:
192.168.160.131 puppet-mst.eisen #The puppet server
192.168.160.140 sles12.eisen #The puppet agent
And I've successfully signed the node "sles12.eisen" to the server "puppet-mst.eisen" --
[root@puppet-mst manifests]# puppetserver --version
puppetserver version: 7.4.1
[root@puppet-mst manifests]# puppetserver ca list --all
Signed Certificates:
puppet-mst.eisen (SHA256) 0B:3F:DA:60:2F:2D:D3:91:94:58:E2:B6:32:28:50:8E:D4:1C:A0:8F:A0:CF:94:99:6E:EE:99:46:B4:1D:30:58 alt names: ["DNS:puppet-mst.eisen"] authorization extensions: [pp_cli_auth: true]
puppet-mst (SHA256) C8:89:47:D2:15:74:6E:49:E7:9A:27:B5:EA:10:9B:81:C4:DC:68:E8:B4:01:07:5D:63:34:5A:AF:B6:66:C9:EE alt names: ["DNS:puppet-mst"]
sles12.eisen (SHA256) C5:40:D7:8A:C6:64:BD:E8:BF:D3:BB:5D:01:24:66:03:57:96:84:31:84:42:DF:36:AA:D1:25:14:76:4D:A5:99 alt names: ["DNS:sles12.eisen"]
Then I wrote a test module, filetest1, hoping it would put a file on the agent node in /tmp/puppettest:
[root@puppet-mst manifests]# cat /etc/puppetlabs/code/environments/production/modules/filetest1/manifests/init.pp
class filetest1 {
  file { '/tmp/puppettest/filetest1':
    ensure  => file,
    content => 'Hello World!',
  }
}
[root@puppet-mst manifests]# cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node 'sles12.eisen' {
  include filetest1
}
But "puppet agent --test" doesn't work; it says either the server can't find the agent node or the test module's catalog is missing:
sles12:/tmp/puppettest # puppet --version
7.12.0
sles12:/tmp/puppettest # hostname -f
sles12.eisen
sles12:/tmp/puppettest # puppet agent --test --verbose
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed when searching for node sles12.eisen: Failed to find sles12.eisen via exec: Execution of '/etc/puppetlabs/puppet/node.rb sles12.eisen' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
I don't know what's wrong here. Please kindly help. Thanks
Regards
Eisen
The error message suggests that you have configured Puppet to use an external node classifier (/etc/puppetlabs/puppet/node.rb), and either the attempt to execute it is failing altogether, or it is terminating with a failure status, or it is not outputting anything.
You may want to explore ENCs later, but now is probably not the time for that. To disable use of an ENC, edit /etc/puppetlabs/puppet/puppet.conf and either remove the node_terminus setting or change its value to plain.
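For readers who do want to see what the server expects from the script it failed to run: the following is an added example, not the asker's node.rb (which the question does not show). It is a minimal ENC in Ruby following the contract behind node_terminus = exec: the certname arrives as the only argument, a YAML document with classes and environment goes to stdout, and the exit status must be 0. An unknown node exits 1 with a message on stderr, which is exactly what the server turns into "Failed to find sles12.eisen via exec: ... returned 1". The node table is constructed; the external_nodes setting in the comment is Puppet's real setting name.

```ruby
#!/opt/puppetlabs/puppet/bin/ruby
# Wired up in puppet.conf on the server as:
#   node_terminus  = exec
#   external_nodes = /etc/puppetlabs/puppet/node.rb
# Puppet runs this with the certname as ARGV[0] and parses the YAML on stdout.
require 'yaml'

# Constructed classification table; a real ENC would consult a CMDB or database.
NODE_DATA = {
  'sles12.eisen' => { 'environment' => 'production', 'classes' => { 'filetest1' => nil } }
}.freeze

# Build the classification document for a certname, or nil if the node is unknown.
def classify(certname, data = NODE_DATA)
  entry = data[certname]
  return nil unless entry
  { 'environment' => entry['environment'],
    'classes'     => entry['classes'],
    'parameters'  => { 'enc_source' => 'node.rb' } }
end

# Returns [exit_status, text]. A non-zero status is what the server logs as
# "Failed to find <certname> via exec: Execution of '... node.rb <certname>' returned 1".
def enc_output(certname, data = NODE_DATA)
  doc = classify(certname, data)
  return [1, "node.rb: no classification for #{certname}\n"] if doc.nil?
  [0, doc.to_yaml]
end

if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  status, text = enc_output(ARGV[0])
  (status.zero? ? $stdout : $stderr).write(text)
  exit status
end
```

Running the script by hand on the server with the failing certname (`/etc/puppetlabs/puppet/node.rb sles12.eisen`) and checking its output and exit status is the quickest way to tell which of the three failure modes in the answer applies.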

Packages are installed in Puppet master are not installed in Puppet agent nodes

I am a newbie to Puppet. As a learning path, I was trying to install the package nagios-common. I used the Puppet manifest below to install the package:
class pckd {
  package { 'nagios-common':
    ensure => present,
  }
}
node default {
  include pckd
}
Also, I ran puppet apply on the master node, and the package installed successfully on the master.
Below is the /var/log output:
labcluster01node01 puppet-agent[99575]: Could not request certificate: getaddrinfo: Temporary failure in name resolution
labcluster01node01 puppet-agent[99575]: Could not request certificate: getaddrinfo: Temporary failure in name resolution
labcluster01node01 puppet-agent[99575]: Could not request certificate: getaddrinfo: Temporary failure in name resolution
labcluster01node01 puppet-agent[99575]: Could not request certificate: getaddrinfo: Temporary failure in name resolution
labcluster01node01 nagios: Auto-save of retention data completed successfully.
labcluster01node01 puppet-agent[99575]: Could not request certificate: getaddrinfo: Temporary failure in name resolution
labcluster01node01 puppet-agent[99575]: Could not request certificate: getaddrinfo: Temporary failure in name resolution
I ran puppet agent -t on the agent nodes and was unable to install the package on the agent node. This package is not installed on the agent node. In addition to the above query: is there a time limit within which the package should get reflected?
You are getting this error because your master and agent are having some issues with communication; try pinging the master from the slave and see.
It should work fine when you add the FQDN of the master to the /etc/hosts file of the agent.

How do I run a Puppet Manifest on a Windows server with Puppet Agent?

I have done it in the past. I don't know why I cannot do it this way below. I am using CentOS 7 for the Puppet Master server. I am using Windows Server 2012 with Puppet Agent.
All the content below was taken from the Puppet Master server. Here is site.pp (which is in /etc/puppet/manifests):
node 'fqdnOfWindowsServer' { import 'good.pp' }
node 'fqdnOfLinuxServer' {}
Here is good.pp (which is in /etc/puppet/manifests):
file { 'c:/fun.ps1':
  ensure             => 'present',
  source             => '/tmp/special.ps1',
  source_permissions => 'ignore',
}
Here is what happens when I run puppet agent -t:
...Caching catalog for fqdnOfLinuxServer... Error: Failed to apply catalog: Parameter path failed on File[c:/fun.ps1]: File paths must be fully qualified, not 'c:/fun.ps1' at /etc/puppet/manifests/good.pp:5
How do I input a fully qualified path? It seems to be having a problem with a Windows server as the Puppet Agent. Paths are different from Linux Puppet Agents.
From what I can make of the error message, you're trying to create a Windows file resource on a Linux server (the error mentions caching catalog for fqdnOfLinuxServer). If that's the case, the error message makes sense because on Linux, the agent expects file paths to start with a forward slash.

Puppet ignores my node.pp entry

My Puppet master and agent are on the same machine. The master node.pp file contains this:
node 'pear.myserver.com' {
  include ntp
}
The ntp.pp file contains this:
class ntp {
  package { "ntp":
    ensure => installed
  }
  service { "ntp":
    ensure => running,
  }
}
The /etc/hosts file contains the line:
96.124.119.41 pear.myserver.com pear
I was able to successfully launch puppetmaster, but when I execute this, ntp doesn't get installed (it is not installed already, I checked).
puppet agent --test --server='pear.myserver.com'
It just reports this:
info: Caching catalog for pear.myserver.com
info: Applying configuration version '1387782253'
notice: Finished catalog run in 0.01 seconds
I don't know what else I could have missed. Can you please help? Note that I replaced the actual server name with 'myserver' for security reasons.
I was following this tutorial: http://bitfieldconsulting.com/puppet-tutorial
$ puppet agent --test
This will fetch the compiled catalog from the Puppet master (whose manifest is /etc/puppetlabs/puppet/manifests/site.pp) and run it locally.
$ puppet apply /etc/puppet/modules/ntp/manifests/ntp.pp
This will apply the manifest locally.
