Puppet showing cert in list, but cannot 'find' it - puppet

I am setting up Puppet on a few test servers: bruno is the puppet master and oppenheimer is the agent. When I start the server on bruno I get this output:
bruno$ sudo puppet cert list
"oppenheimer.home" (SHA256) D4:**:**:**:0B:2A
bruno$ sudo puppet master --verbose --no-daemonize
Notice: Starting Puppet master version 3.4.3
I then go to start the agent on oppenheimer:
oppenheimer$ sudo puppet agent --test --server=bruno
Exiting; no certificate found and waitforcert is disabled
And when I look over at bruno again:
Info: access[^/catalog/([^/]+)$]: allowing 'method' find
Info: access[^/catalog/([^/]+)$]: allowing $1 access
Info: access[^/node/([^/]+)$]: allowing 'method' find
Info: access[^/node/([^/]+)$]: allowing $1 access
Info: access[/certificate_revocation_list/ca]: allowing 'method' find
Info: access[/certificate_revocation_list/ca]: allowing * access
Info: access[^/report/([^/]+)$]: allowing 'method' save
Info: access[^/report/([^/]+)$]: allowing $1 access
Info: access[/file]: allowing * access
Info: access[/certificate/ca]: adding authentication any
Info: access[/certificate/ca]: allowing 'method' find
Info: access[/certificate/ca]: allowing * access
Info: access[/certificate/]: adding authentication any
Info: access[/certificate/]: allowing 'method' find
Info: access[/certificate/]: allowing * access
Info: access[/certificate_request]: adding authentication any
Info: access[/certificate_request]: allowing 'method' find
Info: access[/certificate_request]: allowing 'method' save
Info: access[/certificate_request]: allowing * access
Info: access[/]: adding authentication any
Info: Inserting default '/status' (auth true) ACL
Info: Not Found: Could not find certificate oppenheimer.home
Info: Not Found: Could not find certificate oppenheimer.home
Info: Not Found: Could not find certificate oppenheimer.home
Info: Not Found: Could not find certificate oppenheimer.home
Info: Not Found: Could not find certificate oppenheimer.home
Notice that the server bruno does show the agent oppenheimer's cert before I start the server. So why can it not find the cert?
This is my config on the server:
bruno$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 bruno
10.0.0.7 bruno
10.0.0.10 oppenheimer
bruno$ cat /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
certificate_revocation=false
server=bruno
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
And here is the config on the agent:
oppenheimer$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 oppenheimer
10.0.0.7 bruno
10.0.0.10 oppenheimer
oppenheimer$ cat /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
certificate_revocation=false
server=bruno
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
server=bruno
Both the machines are running Ubuntu Linux 14.04 with the latest updates.

You have to sign the certificate. If the certificate was signed already then it would not show up in the output of puppet cert list.
# puppet cert sign oppenheimer.home
Then puppet agent should run successfully.
Hope this helps.

Related

Puppetserver Unspecified Certificate Verification Error

The following command throws an error:
puppetserver ca list
Fatal error when running action 'list'
Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_statuses/any_key
Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)
I have edited my /etc/hosts file and added
10.0.0.4 puppetmaster.example.com
I have also edited my /etc/puppetlabs/puppet/puppet.conf file as:
...
[main]
certname = puppetmaster.example.com
server = puppetmaster.example.com
[master]
dns_alt_names = puppetmaster.example.com
...
Actually, by default, the server name is 'puppet' and in dns_alt_names I had not mentioned puppet. That is why the puppetserver ca command failed.

PuppetDB configuration not working

I'm trying to configure PuppetDB on the same Puppet master server. I followed the Puppet documentation, installed the database and configured Puppet to use the database.
When I run the puppet agent --test command it gives the error message below.
I don't see any process running on port 8081; I see the puppet java process running on port 8140.
How can I resolve this error?
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for webserver: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/webserver/facts' on at least 1 of the following 'server_urls': https://puppetdb:8081
Info: Retrieving pluginfacts
Info: Retrieving plugin
Warning: Error connecting to puppetdb on 8081 at route /pdb/query/v4/nodes/webserver/facts, error message received was 'Connection refused - connect(2) for "puppetdb" port 8081'. Failing over to the next PuppetDB server_url in the 'server_urls' list
Error: Cached facts for webserver failed: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/webserver/facts' on at least 1 of the following 'server_urls': https://puppetdb:8081
Info: Loading facts
Info: Caching facts for webserver
Warning: Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=039e22c7bf98e9cbf2f08169047d288c9b451c73&version=5&certname=webserver&command=replace_facts, error message received was 'Connection refused - connect(2) for "puppetdb" port 8081'. Failing over to the next PuppetDB server_url in the 'server_urls' list
Error: Failed to execute '/pdb/cmd/v1?checksum=039e22c7bf98e9cbf2f08169047d288c9b451c73&version=5&certname=webserver&command=replace_facts' on at least 1 of the following 'server_urls': https://puppetdb:8081
Error: Could not retrieve local facts: Failed to execute '/pdb/cmd/v1?checksum=039e22c7bf98e9cbf2f08169047d288c9b451c73&version=5&certname=webserver&command=replace_facts' on at least 1 of the following 'server_urls': https://puppetdb:8081
Error: Failed to apply catalog: Could not retrieve local facts: Failed to execute '/pdb/cmd/v1?checksum=039e22c7bf98e9cbf2f08169047d288c9b451c73&version=5&certname=webserver&command=replace_facts' on at least 1 of the following 'server_urls': https://puppetdb:8081
I hope you checked that the SSL certs stored in /etc/puppetlabs/puppetdb/ssl match the ones in /etc/puppetlabs/puppet/ssl/certs/<certname of your puppetserver.FQDN>.
This can be verified by
puppetdb ssl-setup
Sample entry
puppetdb ssl-setup
PEM files in /etc/puppetlabs/puppetdb/ssl already exists, checking integrity.
Setting ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Let me know if you have further issues. I had the same issue and rectified it by removing the /etc/puppetlabs/puppetdb/ssl directory and rerunning the "puppetdb ssl-setup" command.
For some reason the puppetdb process went down; that's why no process was running on port 8081. I restarted the puppetdb process, and then the agent --test command started connecting to the webserver.
Here is the output of the puppetdb service on CentOS 7.
# systemctl status puppetdb
● puppetdb.service - puppetdb Service
Loaded: loaded (/usr/lib/systemd/system/puppetdb.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2017-03-28 18:26:58 EDT; 1h 20min ago
Main PID: 5503 (java)
CGroup: /system.slice/puppetdb.service
└─5503 /usr/bin/java -Xmx192m -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/...

Error when trying to configure Puppet to be highly available

I want to configure Puppet in a high availability environment. I have configured 2 Puppet masters but they are not able to sign each other via the CA. When I run puppet agent --test, it gives me the following error:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: getaddrinfo: Name or service not known
Info: Retrieving pluginfacts
Error: /File[/home/clogeny/.puppet/var/facts.d]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/home/clogeny/.puppet/var/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: getaddrinfo: Name or service not known
Wrapped exception:
getaddrinfo: Name or service not known
Info: Retrieving plugin
Error: /File[/home/clogeny/.puppet/var/lib]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/home/clogeny/.puppet/var/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: getaddrinfo: Name or service not known
Wrapped exception:
getaddrinfo: Name or service not known
Error: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: getaddrinfo: Name or service not known
Could anyone help me out?
Puppet.conf:
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
hiera_config=/etc/puppet/hiera.yml
catalog_format = yaml
certname=puppet
pluginsync=false
dns_alt_names=puppetmaster01,puppet.sencha.com
[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
manifest=$confdir/manifests/site.pp
modulepath=$confdir/environments/$environment/modules:/home/clogeny/Desktop/puppet-kitchen-example/modules
The server value is missing from the [main] section of puppet.conf. The server value should point to the Puppet master server, and the name of the Puppet master server must be reachable from the puppet agent. Check the following articles on how to properly connect a Puppet agent to a puppet master:
http://shapeshed.com/connecting-clients-to-a-puppet-master/
https://docs.puppetlabs.com/guides/install_puppet/post_install.html
This seems like a name resolution issue. Are both systems (master and agent) able to communicate using their FQDNs? You can add their FQDNs to the /etc/hosts file if you don't want to bother with a DNS server.
e.g. /etc/hosts
root@puppet-master-kasun:~# cat /etc/hosts
127.0.0.1 localhost
192.168.1.1 puppet puppet-master
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Use puppet agent -t --debug to debug:
Debug: Starting connection for https://toto.local:8140
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
There, https://toto.local:8140 is unreachable.

How do I make Puppet serve the proper certificate?

I'm trying to connect my puppetmaster and my puppet client. I've been having trouble with the certificates. I was originally trying to use the puppetmaster's IP address (because we don't have DNS set up), but now I think I'll have to edit the hosts file when I set up a new machine to map puppet to its ip.
So once I do that, I'm still having issues. Some background: on the master, I had tried to get rid of the server certificate a few times and recreate a new one. I think that's causing the problem because the log is saying it was revoked. devtest is the puppet agent.
This is what happens when I try to test the agent.
[root@devtest puppet]# puppet agent --test --server puppet
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
If I'm understanding the first error properly, it's saying the certificate presented by the master server for servername.mydomain.com has been revoked. (I've edited the log to remove the actual server name and domain).
So I want to have puppetmaster serve up a new certificate. I go onto it, and stop the Apache service (so it doesn't hold the certificate in memory).
I then delete the ssl folder, and try to regenerate the puppet certificate:
[ZachDev@mon puppet]$ sudo puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 17:F7:19:23:E6:99:BD:DD:3D:E6:F1:DD:35:8A:A6:81:8D:96:7D:15:63:EC:51:21:65:96:D1:24:FA:97:1B:07
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for 10.128.119.155
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for 10.128.119.155
Info: Certificate Request fingerprint (SHA256): BE:C8:B9:FF:1F:7A:49:1F:4F:97:E4:37:A3:9E:12:19:6F:41:3B:DB:DE:CB:AA:03:D8:02:94:D1:68:49:13:9C
Notice: 10.128.119.155 has a waiting certificate request
Notice: Signed certificate request for 10.128.119.155
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/ca/requests/10.128.119.155.pem'
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/certificate_requests/10.128.119.155.pem'
Notice: Starting Puppet master version 3.6.2
^CNotice: Caught INT; calling stop
That worked. Now I restart Apache, and get an error. systemctl status httpd.service doesn't say anything useful, but /var/log/httpd/puppet-server-example.com_ssl_error.log does:
[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383028 2014] [ssl:warn] [pid 25661] AH01909: RSA certificate configured for servername.mydomain.com:8140 does NOT include an ID which matches the server name
[Fri Aug 01 18:48:49.383044 2014] [ssl:emerg] [pid 25661] AH02238: Unable to configure RSA server private key
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
At this point, I'm just guessing at what the config file settings should be. I assume some config files need to be changed -- either the Apache config or the Puppet config, but at this point I'm not sure what the right certificates are. I have certificates in /var/lib/puppet/ssl and in /etc/puppet/ssl.
There are multiple issues with your setup. You are indeed right that you need to:
- pick an FQDN for the master and make sure the agents can resolve it, either
  - via their respective hosts files, or
  - through dnsmasq
- tell the master to use that name as its SSL CN
First, make sure the master uses the correct name. Add this to /etc/puppet/puppet.conf on the master:
[master]
certname=server.mydomain.com
Restart the master. It should sign a new certificate for itself (note how it considered 10.128.119.155 to be its name and used that as the CN - this is not sensible).
Next, make sure Apache uses this certificate instead of the CA certificate.
SSLCertificateFile /var/lib/puppet/ssl/certs/server.mydomain.com.pem
(You can make sure /var/lib/puppet/ssl is the correct path using puppet master --configprint ssldir).
Your master should now have a valid certificate to present. If an agent reaches it through its FQDN, the SSL handshake should succeed.
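The three name mismatches on this page (the puppetserver question, where agents dial the default name 'puppet' but dns_alt_names lacks it; the HA question, where server= is missing altogether; and the answer above, where the master used an IP address as its CN) can all be caught from puppet.conf alone. The following checker is an added example, not code from the page or from Puppet; the sample configs and the names puppetmaster.example.com / webserver.example.com are constructed, and how Puppet fills dns_alt_names when the setting is absent is not modelled.

```python
"""Cross-check a Puppet master's certificate identity against the name agents use.
Added example: parses puppet.conf with the stdlib configparser and applies
Puppet's run-mode-section-over-[main] precedence (assumed behaviour: [agent] and
[master] settings override [main]; the default server name is 'puppet')."""
import configparser
import re

DEFAULT_SERVER = "puppet"  # the name an agent contacts when no server= is set
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_puppet_conf(text):
    """Return {section: {key: value}}; $var references (e.g. $vardir) are kept
    verbatim, since none of the settings checked here use them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective(conf, section, key, default=None):
    """Puppet precedence: the run-mode section ([agent] or [master]) overrides [main]."""
    return conf.get(section, {}).get(key, conf.get("main", {}).get(key, default))


def audit(master_conf, agent_conf, master_fqdn):
    """List name mismatches that make the agent's lookup or TLS handshake fail.
    master_fqdn stands in for the master's hostname, Puppet's default certname."""
    m, a = parse_puppet_conf(master_conf), parse_puppet_conf(agent_conf)
    findings = []

    server = effective(a, "agent", "server")
    if server is None:  # the HA question: no server= anywhere in the agent's conf
        findings.append("agent: no server= in [agent] or [main]; "
                        f"the agent will look up '{DEFAULT_SERVER}'")
        server = DEFAULT_SERVER

    certname = effective(m, "master", "certname", master_fqdn).lower()
    if IPV4.fullmatch(certname):  # the 10.128.119.155 CN from the answer above
        findings.append(f"master: certname '{certname}' is an IP address; "
                        "set certname to the master's FQDN")

    # The name the agent dials must be the CN or one of the dns_alt_names,
    # otherwise hostname verification of the master certificate fails.
    alt = effective(m, "master", "dns_alt_names", "")
    names = {certname} | {n.strip().lower() for n in alt.split(",") if n.strip()}
    if server.lower() not in names:
        findings.append(f"master: agents connect to '{server}' but the master "
                        f"certificate only covers {sorted(names)}; add it to "
                        "dns_alt_names and regenerate the master certificate")
    return findings


# Constructed sample modelled on the puppetserver question: server= is set on
# the master only, so the agent still dials the default name 'puppet'.
MASTER_CONF = """[main]
certname = puppetmaster.example.com
server = puppetmaster.example.com
[master]
dns_alt_names = puppetmaster.example.com
"""
AGENT_CONF = "[main]\ncertname = webserver.example.com\n"
```

Running `audit(MASTER_CONF, AGENT_CONF, "puppetmaster.example.com")` reports both the missing server= on the agent and that 'puppet' is not covered by the master certificate; fixing either side (server= on the agent, or 'puppet' in dns_alt_names) clears the second finding.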

Puppet clients don't update

We are running puppet 2.7.11-1ubuntu2.4 (Ubuntu 12.04) on our clients and master. The clients don't seem to update automatically, but when I run:
sudo puppet agent --test
Everything works fine.
Current running processes on the client:
root 1764 1 0 Sep10 ? 00:00:05 /usr/bin/ruby1.8 /usr/bin/puppet agent
/etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
pluginsync=true
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
server=<URL_REMOVED>
configtimeout=300
/var/log/syslog.log
Sep 11 16:12:48 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:14:48 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:16:49 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:18:49 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
Sep 11 16:20:49 <HOSTNAME_REMOVED> puppet-agent[1764]: Did not receive certificate
/etc/default/puppet
# Defaults for puppet - sourced by /etc/init.d/puppet
# Start puppet on boot?
START=yes
# Startup options
DAEMON_OPTS=""
Does someone have an idea what could be wrong?
We actually recently found the cause of this problem.
Some nodes had a hostname in their puppet.conf that didn't match the hostname in the certificate of the server.
Also some nodes didn't use their FQDN when they contacted the server, which caused mismatches with the client certificates. We fixed that by adding the FQDN to /etc/hosts:
127.0.1.1 hostename.domain.edu hostename
Take a look at this Troubleshooting page. Not sure about your problem exactly, but I saw similar errors in my log: "Did not receive certificate". In my case these steps have helped me:
on master run
puppet cert clean <NODE NAME>
on agent:
rm -rf $(puppet agent --configprint ssldir)
puppet agent --test
