Unable to connect to Enterprise Puppet server using Windows agent - puppet

I have set up Puppet server on CentOS Linux 7 (Core).
# /opt/puppetlabs/bin/puppetserver --version
puppetserver version: 2016.5.0.11
I have installed Enterprise Puppet agent on Win Server 2008 R2 Enterprise (64-bit).
C:\Users\Administrator>puppet --version
4.8.1
When I try connecting to the Puppet server, I get only the following output:
C:\Windows\system32>puppet agent --test
Exiting; no certificate found and waitforcert is disabled
On the server, if I check for any pending cert signing request, I see nothing:
# puppet cert --list
I have verified that I am able to telnet to the Puppet server on port 8140 from my Win agent box.
Also shown below is the Puppet service running as Local System user.
My Puppet server has the following entry in /etc/puppetlabs/puppet/puppet.conf
[main]
certname = gc.abc.com
server = gc.abc.com
user = pe-puppet
group = pe-puppet
environment_timeout = 0
app_management = true
module_groups = base+pe_only
environmentpath = /etc/puppetlabs/code/environments
codedir = /etc/puppetlabs/code
[agent]
graph = true
[master]
node_terminus = classifier
storeconfigs = true
storeconfigs_backend = puppetdb
reports = puppetdb
certname = gc.abc.com
always_cache_features = true
On the Win agent, I have specified the Puppet server name in the hosts file:
xx.yy.zz.zzz puppet-server
On Win agent, I have also mentioned the server name in C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf file
[main]
server=puppet-server
autoflush=true
environment=production
Any pointers?

From IRC (#binford2k), I got the following suggestion:
"Exiting; no certificate found and waitforcert is disabled" means that the client has already generated a CSR. If it's got a CSR, then it won't try to generate another. However, if somehow the CSR didn't make it to the master, then the master won't know about it and the agent won't try again because it's got a CSR already. To resolve the above, remove the SSL dir on the agent and then try running puppet again.
When I removed the SSL dir (C:\ProgramData\PuppetLabs\puppet\etc\ssl) as per the above suggestion and ran the puppet command again, it worked. :)
C:\Windows\system32>puppet agent --test --server=puppet-server
Info: Creating a new SSL key for gc.abc.com
Info: Caching certificate for ca
Info: csr_attributes file loading from C:/ProgramData/PuppetLabs/puppet/etc/csr_
attributes.yaml
Info: Creating a new SSL certificate request for gc.abc.com
Info: Certificate Request fingerprint (SHA256): 99:02:46:D1:A4:32:6F:A5:CE:06:39
:3E:A4:35:D2:88:C1:9A:D1:2E:58:27:B0:ED:24:F9:DC:77:D9
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
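A way to check for the stuck-CSR state described in the IRC suggestion before wiping anything, as an added example that is not part of the original posts. It is written for a Linux agent (ssldir such as /etc/puppetlabs/puppet/ssl); the function names are hypothetical, and the ssldir layout and the presence of the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumes the usual agent ssldir
# layout: private_keys/, certificate_requests/ and certs/, one <certname>.pem each.

# agent_ssl_state SSLDIR CERTNAME prints one of:
#   signed       a signed certificate is cached
#   csr-pending  a CSR is on disk but no certificate (the stuck case above)
#   key-only     a private key exists, nothing else
#   clean        nothing on disk for this certname
agent_ssl_state() {
    if [ -s "$1/certs/$2.pem" ]; then echo signed
    elif [ -s "$1/certificate_requests/$2.pem" ]; then echo csr-pending
    elif [ -s "$1/private_keys/$2.pem" ]; then echo key-only
    else echo clean
    fi
}

# csr_fingerprint CSRFILE prints the SHA256 digest of the DER-encoded request
# as colon-separated upper-case hex, for comparison with the master's list.
# Requires the openssl CLI; fails if the file is not a parseable CSR.
csr_fingerprint() {
    openssl req -in "$1" -noout 2>/dev/null || return 1
    openssl req -in "$1" -outform DER | openssl dgst -sha256 -hex |
        sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# reset_stale_csr SSLDIR CERTNAME moves the ssldir aside (instead of deleting
# it) only when a CSR is stuck. Returns 2 and does nothing if SSLDIR contains
# ca/, which means this host is the CA and wiping it would orphan every agent.
reset_stale_csr() {
    d=${1%/}
    if [ -d "$d/ca" ]; then
        echo "refusing: $d holds a CA" >&2
        return 2
    fi
    if [ "$(agent_ssl_state "$d" "$2")" != csr-pending ]; then
        return 1
    fi
    mv "$d" "$d.stale.$(date +%Y%m%d%H%M%S)"
}

# Usage: script.sh SSLDIR CERTNAME  (constructed example: /etc/puppetlabs/puppet/ssl node1.example.com)
if [ "$#" -ge 2 ]; then
    agent_ssl_state "$1" "$2"
fi
```

Before signing a request on the master, compare the csr_fingerprint output on the agent with the fingerprint the master lists for that pending request.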

Related

Facing issues in puppetserver - puppet-agent configuration

I am trying to set up Puppet for DevOps. I have puppet server in Ubuntu 14.04 and puppet-agent in Windows 10. When I generate the certificate for the first time from puppet-agent (Windows 10), the SSL certificate is generated without any issues and I can even sign the same certificate from puppetserver (Ubuntu 14.04); however, after signing, when I try to update the status in puppet-agent (Windows 10) with "puppet agent -t", I get this error:
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=username-virtualbox.domain.com]
The puppet configuration file details:
puppet.config (puppetserver [Ubuntu]):
Troubleshooting steps already tried,
Time zone in both the environments are in sync
Deleted "ssl" folders containing the details of the ssl certificates from both the environments several times and re-tried
8140 ports are enabled on both Windows and Ubuntu
I faced the same problem,
Try to run cmd as admin
I am having the same issue -- been working it for a few weeks now. I cannot guarantee yet that mine is working correctly all the time. Here are some steps I have taken. I hope they are helpful to others.
I am running Puppet Enterprise 2018.1.4. Puppet Agent 5.5.6 on RHEL 7.4.
1) The SSL routine uses a time stamp. Ensure the time is the same between Master & Client.
2) clean/remove the agent cert from the Master AND the Client. On my RHEL, the Client cert is in /etc/puppetlabs/puppet/ssl/* -- remove any files with the agent name in here.
3) Make sure your puppet is enabled on your agent: puppet agent --enable
4) If a client does not contact the puppet master "for a while" the master will drop the client from its node list, but NOT remove the cert. In theory, the master SHOULD return the node to an active status.
5) Can you run the puppet agent on the master & get the expected results? If not -> problem with puppet code, otherwise, problem with agent.
6) Is puppet.conf configured correctly? Under the [main] section, do you have the server entry correct? Under [agent] are you set to the correct environment? Is noop set to true?
7) It is possible that you have an error in a puppet module that is causing the agent to exit quietly. Run puppet parser validate on all of your .pp files
8) Can the master resolve the IP address of the master and the client? Can the client resolve the IP address of the master and the client? Is resolv.conf set correctly on both hosts?
9) hostnames of the client & master should be correct. Each server should know its shortname, FQDN and IP. On RHEL, I run: hostname; hostname -f; and hostname -i, respectively.
10) File permissions on all the directories & modules should be correct. Check out a working module, see its owner, group & permissions. Ensure your module is the same.
11) Only root/admin can correctly run puppet agent.
12) On RHEL, the logs are under /var/log/puppet. Do you see any errors there?
13) run puppet agent with the --debug or the --trace option in addition to -t. Pipe this output to a file and see if you can spot any errors.
14) Can you force the master to run the puppet agent on the client successfully?
Many of these things have been narrowing down my issue. I don't know yet if it is fixed, as it takes a while for a node to drop out. Hopefully these will fix your issue.
Hope it helps. There are LOTS of things that could be going wrong.

Puppet error : could not retrieve catalog from remote server: SSL_connect returned=1 errno=0

I am trying to set up puppet master and puppet agent in AWS EC2 instances (Linux AMI). When I run my puppet agent to generate the certificate for the master to sign, I encounter the error below.
Puppet Master:
[root@ip-10-**-*-*** /]# sudo yum install puppet-server
[root@ip-10-**-*-*** /] sudo service puppetmaster start
Starting puppetmaster: [ OK ]
Puppet Agent:
[root@ip-10-**-*-*** /]# sudo yum install puppet
[root@ip-10-**-*-*** /]
File excerpt /etc/puppet/puppet.conf
[main]
server = hostname
[root@ip-10-**-*-*** /] sudo service puppet start
Starting puppet: [ OK ]
[root@ip-10-**-*-*** /]# puppet agent -t
info: Creating a new SSL key for ip-10-**-*-***.dev.abc.net
info: Caching certificate for ca
info: Creating a new SSL certificate request for ip-10-**-*-***.dev.abc.net
info: Certificate Request fingerprint (md5): C2:F0:B1:2C:19:39:9E:D6:39:24:18:28
Exiting; no certificate found and waitforcert is disabled
Puppet Master:
[root@ip-10-**-*-*** /]# puppet cert list
"ip-10-**-*-***.dev.abc.net" (C2:F0:B1:2C:19:39:9E:D6:39:24:18:28:F6:DA:5D:FE)
[root@ip-10-**-*-*** /]# puppet cert sign ip-10-**-*-***.dev.abc.net
notice: Signed certificate request for ip-10-**-*-***.dev.abc.net
notice: Removing file Puppet::SSL::CertificateRequest ip-10-**-*-***.dev.abc.net at '/var/lib/puppet/ssl/ca/requests/ip-10-**-*-***.dev.abc.net.pem'
Puppet Agent:
[root@ip-10-**-*-*** /]# puppet agent -t
info: Caching certificate for ip-10-**-*-***.dev.abc.net
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]
Can anyone please help me resolve this issue.
Yes, I know this is an old post. It still needs an answer, as I am having the same issue -- been working it for a few weeks now. I cannot guarantee yet that mine is working correctly all the time. Here are some steps I have taken. I hope they are helpful to others.
I am running Puppet Enterprise 2018.1.4. Puppet Agent 5.5.6 on RHEL 7.4.
1) The SSL routine uses a time stamp. Ensure the time is the same between Master & Client.
2) clean/remove the agent cert from the Master AND the Client. On my RHEL, the Client cert is in /etc/puppetlabs/puppet/ssl/* -- remove any files with the agent name in here.
3) Make sure your puppet is enabled on your agent: puppet agent --enable
4) If a client does not contact the puppet master "for a while" the master will drop the client from its node list, but NOT remove the cert. In theory, the master SHOULD return the node to an active status.
5) Can you run the puppet agent on the master & get the expected results? If not -> problem with puppet code, otherwise, problem with agent.
6) Is puppet.conf configured correctly? Under the [main] section, do you have the server entry correct? Under [agent] are you set to the correct environment? Is noop set to true?
7) It is possible that you have an error in a puppet module that is causing the agent to exit quietly. Run puppet parser validate on all of your .pp files
8) Can the master resolve the IP address of the master and the client? Can the client resolve the IP address of the master and the client? Is resolv.conf set correctly on both hosts?
9) hostnames of the client & master should be correct. Each server should know its shortname, FQDN and IP. On RHEL, I run: hostname; hostname -f; and hostname -i, respectively.
10) File permissions on all the directories & modules should be correct. Check out a working module, see its owner, group & permissions. Ensure your module is the same.
11) Only root/admin can correctly run puppet agent.
12) On RHEL, the logs are under /var/log/puppet. Do you see any errors there?
13) run puppet agent with the --debug or the --trace option in addition to -t. Pipe this output to a file and see if you can spot any errors.
14) Can you force the master to run the puppet agent on the client successfully?
Many of these things have been narrowing down my issue. I don't know yet if it is fixed, as it takes a while for a node to drop out. Hopefully these will fix your issue.

How can I check if the Puppet Enterprise server/master is installed and working correctly?

Puppet Enterprise appeared to be installed on my Ubuntu 14.04 server:
root@puppet:/# puppet --version
3.8.5 (Puppet Enterprise 3.8.4)
However, the puppet service is not running:
root@puppet:/# service puppet status
puppet: unrecognized service
The Puppet server seems to be working as well, as I can execute following command on the puppet master:
root@puppet:/# puppet resource package nginx
package { 'nginx':
ensure => '1.4.6-1ubuntu3.4',
Puppet cert list is empty as well even after running 'puppet agent -t' on a node:
root@puppet:/# puppet cert list
root@puppet:/#
The puppet service is called pe-puppet and not puppet on PE 3.x.
puppet cert list only displays the outstanding cert requests. You want puppet cert list --all to display the signed certs. https://docs.puppet.com/puppet/latest/reference/man/cert.html
service puppetmaster status
this will show the status of the puppet on the master machine
service puppet status
this will show the status on the slave/agent machine

Add existing VM to TheForeman

I recently installed the foreman on a server and I want to add an existing VM as a host in foreman, but it seems that I can't achieve this through the GUI. The only option I have found is to add a NEW host, not an existing one. My VM wasn't registered with a puppet master either. Do I need to install puppet on my VM and add it manually to the puppet master that foreman includes? Is there a simpler way to do this with foreman's GUI?
I've only been able to accomplish this by manually configuring the host.
On your VM
First install puppet on the host ( EL Example ):
yum install puppet -y
Next you will want to configure the host's puppet.conf to point to your Foreman server as the Puppet master.
NOTE: Replace foreman-hostname.domain.com with the FQDN of your Foreman server.
NOTE: The line certname = `hostname` assumes your hostname is set properly on your VM.
Run this to create the puppet config:
echo "Configuring puppet"
cat > /etc/puppet/puppet.conf << EOF
[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = \$vardir/ssl
[agent]
pluginsync = true
report = true
ignoreschedules = true
daemon = false
ca_server = foreman-hostname.domain.com
certname = `hostname`
environment = production
server = foreman-hostname.domain.com
EOF
Configure your server to start puppet agent on reboot ( EL Example ):
chkconfig puppet on
Check in with the puppet master you just configured and generate certs etc:
/usr/bin/puppet agent --config /etc/puppet/puppet.conf -o --tags no_such_tag --server foreman-hostname.domain.com --no-daemonize
On the Foreman Server
Under smart proxies select certificates.
Then click sign by your host and your host should be added!
Run puppet agent -t again, and it should check in.
Please understand this does not give Foreman control of your VM in terms of sending delete commands to the hypervisor and stuff. This just enables control of Puppet and adding the VM to hostgroups.
This process should be pretty easy to automate too!

Unable to sign certificate.

I am trying to get my hands on puppet. I booted up 2 VMs, both running Linux Mint 17. I intended one as puppetmaster and one as puppetclient. I am following this guide https://help.ubuntu.com/12.04/serverguide/puppet.html
in /etc/hostname
in /etc/hosts
master:
127.0.0.1 localhost /// no chance
127.0.1.1 puppetmaster //
192.168.75.141 puppetclient //this client's ip address after nm-tool search.
client:
127.0.0.1 localhost
127.0.1.1 puppetclient
192.168.75.142 puppetmaster // this is the master's ip address
In both client and master I created a file in etc/puppet/manifests/site.pp
package {
'apache2':
ensure => installed
}
service {
'apache2':
ensure => true,
enable => true,
require => Package['apache2']
}
In master I created a file in /etc/puppet/manifests/nodes.pp
node 'meercat02.example.com' {
include apache2
}
In client I create a file /etc/default/puppet and put START=yes.
Here's what I think there's a problem. In the guide, the file should already exist but in my case I have to create it.
So then I followed everything in the guide to sign the client certificate. I typed in sudo puppetca --sign puppetclient in puppetmaster's terminal . That didn't work and I found the solution in another post. https://serverfault.com/questions/457349/installed-puppetmaster-but-why-do-i-get-puppetca-command-not-found. So after reading the post I typed sudo puppet cert list --sign 'puppetclient'. Then it gives me this
Notice: Signed certificate request for ca
Error: Could not find certificates request for list
After the first five pages of google search I end up here asking for help. =) Anyone can help me resolve this issue? Thanks.
You cannot sign a certificate before there is a certificate request.
You have to establish the agent/master communication first.
Find out the certificate name of your master
puppet master --configprint certname
On the agent node, make sure that name resolves to the master's IP address (you currently used puppetmaster for this, which might suffice).
Send the initial request to the master
Do this on the agent node.
puppet agent --test --server=<name you just registered>
The agent generates a CSR, and prints a message that it could not receive a certificate.
Sign the certificate
On the master:
puppet cert list
Locate the CSR of your agent, then
puppet cert sign <agent>
The next puppet agent --test call will receive the certificate.
Try this
puppet agent --test master="name you just register"
It works for me.
