puppet kick from master gets connection refused from agent - puppet

I have installed puppet agent (Windows) and master successfully. When I download the node from the agent it works fine (puppet agent -t) and the nodes are pulled successfully.
But when I trigger the same from the puppet master, I get a connection error as below.
Error: Host agent01 failed: Connection refused - connect(2)
I ran Wireshark on the agent machine and I could see the connection made to the agent at port 8139, and it is responded to with a red ACK message.
Since the connection has reached the agent, I am assuming the agent rejected the connection. Could someone please help me fix this problem?
puppet.conf at agent:
[main]
server=puppetmaster.localsky.biz
autoflush=true
environment=production
pluginsync=true
listen = true
[agent]
auth.conf at agent:
path /
method find, search, save
auth yes
allow puppetmaster.localsky.biz
However, if I run puppet agent --no-daemonize --debug
from the PowerShell console, the build gets pushed successfully.
So the failure happens only if I run the agent from Puppet Agent as a Windows service.

I landed on the link below, which says kick is not possible for Windows agents. Not sure how true this is...
https://ask.puppet.com/question/14234/port-8139-not-opened-when-running-as-a-windows-service/

Related

Windows Puppet agent does not connect to the AWS OpsWorks Puppet Enterprise master

I have created the puppet master using AWS OpsWorks, and I am able to add AMI Linux nodes automatically to the puppet master.
I am having issues when I try to add a Windows 64-bit node to my puppet master by following this link: https://puppet.com/docs/pe/2017.3/installing/installing_agents.html#install-windows-agents-with-the-msi-package
I copied the puppet-agent-x64.msi from the puppet master, present in location /opt/puppetlabs/server/data/packages/public//windows-x86_64-/, to the Windows node and ran the installer to install the agent. The installation is successful and the Start Menu contains a Puppet folder with shortcuts for running the agent manually, running Facter, and opening a command prompt for use with Puppet tools.
But the Windows node is not showing in the Puppet web UI, and when I tried to run the puppet agent I got this error:
"Running Puppet agent on demand ...
Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate/ca (method :get). Please see the server logs for details.
Exiting; failed to retrieve certificate and waitforcert is disabled
Press any key to continue . . ."
You'll need to set allow_unauthenticated_ca to true on your OpsWorks master and then run puppet on it to make the change. Afterwards, you should be able to install the agent even if you're not provisioning from AWS or choose not to use the userdata script.
Steps:
1) Log in to the console.
2) Click on classification.
3) Under PE infrastructure, select PE master.
4) Go to the configuration tab.
5) Look for class puppet_enterprise::profile::master
6) Under parameters, select allow_unauthenticated_ca and set it to true.

Facing issues in puppetserver - puppet-agent configuration

I am trying to set up Puppet for DevOps. I have puppet server on Ubuntu 14.04 and puppet-agent on Windows 10. When I generate the certificate for the first time from puppet-agent (Windows 10), the SSL certificate is generated without any issues and I can even sign the same certificate from puppetserver (Ubuntu 14.04). However, after signing, when I try to update the status in puppet-agent (Windows 10) with "puppet agent -t", I get this error:
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=username-virtualbox.domain.com]
The puppet configuration file details:
puppet.config (puppetserver [Ubuntu]):
Troubleshooting steps already tried:
Time zones in both environments are in sync
Deleted "ssl" folders containing the details of the ssl certificates from both the environments several times and re-tried
8140 ports are enabled on both Windows and Ubuntu
I faced the same problem,
Try to run cmd as admin
I am having the same issue -- been working it for a few weeks now. I cannot guarantee yet that mine is working correctly all the time. Here are some steps I have taken. I hope they are helpful to others.
I am running Puppet Enterprise 2018.1.4. Puppet Agent 5.5.6 on RHEL 7.4.
1) The SSL routine uses a time stamp. Ensure the time is the same between Master & Client.
2) Clean/remove the agent cert from the Master AND the Client. On my RHEL, the Client cert is in /etc/puppetlabs/puppet/ssl/* -- remove any files with the agent name in here.
3) Make sure puppet is enabled on your agent: puppet agent --enable
4) If a client does not contact the puppet master "for a while" the master will drop the client from its node list, but NOT remove the cert. In theory, the master SHOULD return the node to an active status.
5) Can you run the puppet agent on the master & get the expected results? If not -> problem with puppet code, otherwise, problem with agent.
6) Is puppet.conf configured correctly? Under the [main] section, do you have the server entry correct? Under [agent] are you set to the correct environment? Is noop set to true?
7) It is possible that you have an error in a puppet module that is causing the agent to exit quietly. Run puppet parser validate on all of your .pp files.
8) Can the master resolve the IP address of the master and the client? Can the client resolve the IP address of the master and the client? Is resolv.conf set correctly on both hosts?
9) Hostnames of the client & master should be correct. Each server should know its shortname, FQDN and IP. On RHEL, I run: hostname; hostname -f; and hostname -i, respectively.
10) File permissions on all the directories & modules should be correct. Check out a working module, see its owner, group & permissions. Ensure your module is the same.
11) Only root/admin can correctly run puppet agent.
12) On RHEL, the logs are under /var/log/puppet. Do you see any errors there?
13) run puppet agent with the --debug or the --trace option in addition to -t. Pipe this output to a file and see if you can spot any errors.
14) Can you force the master to run the puppet agent on the client successfully?
Many of these things have been narrowing down my issue. I don't know yet if it is fixed, as it takes a while for a node to drop out. Hopefully these will fix your issue.
Hope it helps. There are LOTS of things that could be going wrong.

Puppet error : could not retrieve catalog from remote server: SSL_connect returned=1 errno=0

I am trying to set up puppet master and puppet agent on AWS EC2 instances (Linux AMI). When I run my puppet agent to generate the certificate for the master to sign, I encounter the error below.
Puppet Master:
[root#ip-10-**-*-*** /]# sudo yum install puppet-server
[root#ip-10-**-*-*** /] sudo service puppetmaster start
Starting puppetmaster: [ OK ]
Puppet Agent:
[root#ip-10-**-*-*** /]# sudo yum install puppet
[root#ip-10-**-*-*** /]
File excerpt /etc/puppet/puppet.conf
[main]
server = hostname
[root#ip-10-**-*-*** /] sudo service puppet start
Starting puppet: [ OK ]
[root#ip-10-**-*-*** /]# puppet agent -t
info: Creating a new SSL key for ip-10-**-*-***.dev.abc.net
info: Caching certificate for ca
info: Creating a new SSL certificate request for ip-10-**-*-***.dev.abc.net
info: Certificate Request fingerprint (md5): C2:F0:B1:2C:19:39:9E:D6:39:24:18:28
Exiting; no certificate found and waitforcert is disabled
Puppet Master:
[root#ip-10-**-*-*** /]# puppet cert list
"ip-10-**-*-***.dev.abc.net" (C2:F0:B1:2C:19:39:9E:D6:39:24:18:28:F6:DA:5D:FE)
[root#ip-10-**-*-*** /]# puppet cert sign ip-10-**-*-***.dev.abc.net
notice: Signed certificate request for ip-10-**-*-***.dev.abc.net
notice: Removing file Puppet::SSL::CertificateRequest ip-10-**-*-***.dev.abc.net at '/var/lib/puppet/ssl/ca/requests/ip-10-**-*-***.dev.abc.net.pem'
Puppet Agent:
[root#ip-10-**-*-*** /]# puppet agent -t
info: Caching certificate for ip-10-**-*-***.dev.abc.net
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]
Can anyone please help me resolve this issue?
Yes, I know this is an old post. It still needs an answer, as I am having the same issue -- been working it for a few weeks now. I cannot guarantee yet that mine is working correctly all the time. Here are some steps I have taken. I hope they are helpful to others.
I am running Puppet Enterprise 2018.1.4. Puppet Agent 5.5.6 on RHEL 7.4.
1) The SSL routine uses a time stamp. Ensure the time is the same between Master & Client.
2) Clean/remove the agent cert from the Master AND the Client. On my RHEL, the Client cert is in /etc/puppetlabs/puppet/ssl/* -- remove any files with the agent name in here.
3) Make sure puppet is enabled on your agent: puppet agent --enable
4) If a client does not contact the puppet master "for a while" the master will drop the client from its node list, but NOT remove the cert. In theory, the master SHOULD return the node to an active status.
5) Can you run the puppet agent on the master & get the expected results? If not -> problem with puppet code, otherwise, problem with agent.
6) Is puppet.conf configured correctly? Under the [main] section, do you have the server entry correct? Under [agent] are you set to the correct environment? Is noop set to true?
7) It is possible that you have an error in a puppet module that is causing the agent to exit quietly. Run puppet parser validate on all of your .pp files.
8) Can the master resolve the IP address of the master and the client? Can the client resolve the IP address of the master and the client? Is resolv.conf set correctly on both hosts?
9) Hostnames of the client & master should be correct. Each server should know its shortname, FQDN and IP. On RHEL, I run: hostname; hostname -f; and hostname -i, respectively.
10) File permissions on all the directories & modules should be correct. Check out a working module, see its owner, group & permissions. Ensure your module is the same.
11) Only root/admin can correctly run puppet agent.
12) On RHEL, the logs are under /var/log/puppet. Do you see any errors there?
13) run puppet agent with the --debug or the --trace option in addition to -t. Pipe this output to a file and see if you can spot any errors.
14) Can you force the master to run the puppet agent on the client successfully?
Many of these things have been narrowing down my issue. I don't know yet if it is fixed, as it takes a while for a node to drop out. Hopefully these will fix your issue.
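Both threads above report "certificate verify failed" on the agent, and both involve cleaning certificates on one side or the other. As an added example (not from either post), this script builds two throwaway CAs with the same subject and shows that a certificate issued by the master's current CA fails verification against a stale CA copy, and that comparing CA fingerprints exposes the mismatch. All names and paths are constructed, and a stale cached CA is assumed here as one possible cause, not a diagnosis of either poster's setup.

```sh
#!/bin/sh
# Added example with constructed names; works in a temp dir, never in Puppet's ssl dir.
CA_SUBJ="/CN=Puppet CA: master.example.test"   # assumed subject, same for both CAs

# make_ca DIR NAME: self-signed CA key and certificate as DIR/NAME.{key,pem}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_SUBJ" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NODE: certificate for NODE signed by DIR/CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# check_chain CA_PEM CERT_PEM: "ok" if CERT_PEM verifies against CA_PEM, else "mismatch"
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

# ca_fingerprint PEM: SHA-256 fingerprint to compare between master and agent
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" cached-ca      # CA copy the agent cached on first contact
    make_ca "$d" current-ca     # CA the master uses after its ssl dir was rebuilt
    issue_cert "$d" current-ca agent01.example.test
    echo "agent's cached CA : $(ca_fingerprint "$d/cached-ca.pem")"
    echo "master's CA       : $(ca_fingerprint "$d/current-ca.pem")"
    echo "verify vs cached  : $(check_chain "$d/cached-ca.pem" "$d/agent01.example.test.pem")"
    echo "verify vs current : $(check_chain "$d/current-ca.pem" "$d/agent01.example.test.pem")"
    rm -rf "$d"
}

demo
```

On a real node, the two inputs to compare are the CA certificate the agent cached under its ssl directory and the master's current CA certificate.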

How to check if puppet is configured correctly?

How can I check if my puppet set-up (one master, one agent on Ubuntu 14.04 ) is configured correctly? Is there some command to verify if everything is right?
If you want to know whether the puppet agent can connect to the puppet master and pull the configs, you can try running the agent in dry-run mode:
puppet agent -t --noop
For more details: https://docs.puppet.com/puppet/latest/reference/man/agent.html
Note: You may need to sign the puppet agent cert on the master, if you don't have auto signing enabled.

Agent not reading /etc/sysconfig/puppet server=

We have several servers working with puppet as agents today, but I'm having a problem with a new server running CentOS 7. Normally I would update the /etc/sysconfig/puppet file with the puppet master name and then start the daemon and move to signing the certificate on the master. However, puppet agent doesn't appear to be reading the server = myhost.domain in my config file.
I get the following error in /var/log/messages:
puppet-agent[11133]: Could not request certificate: getaddrinfo: Name or service not known
I tried:
myserver:root$ puppet agent --configprint server
puppet
myserver:root$
but the /etc/sysconfig/puppet file has:
PUPPET_SERVER=myserver.domain.com
Can you please help me understand why puppet agent doesn't get the server from the config file?
The /etc/sysconfig/puppet file is not typically read by the Puppet agent. (I'm not very familiar with CentOS operations, but I suppose that this location might hold some settings that are external to the process, such as environment, command line switches etc.)
You will want to use the proper puppet configuration file:
/etc/puppet/puppet.conf for Puppet 3.x and earlier
/etc/puppetlabs/puppet.conf for Puppet 4.x
So I ran the following:
"puppet agent --no-daemonize --verbose --onetime --server puppetmaster.xxx.com"
This started puppet properly, requested a certificate, and I was able to sign it on the master. Then I added:
server = puppetmaster.xxx.com
to /etc/puppet/puppet.conf and "systemctl restart puppet"
and it worked. Thanks for posts here and other places.
