Puppet agent can't find server - puppet

I'm new to puppet, but picking it up quickly. Today, I'm running into an issue when trying to run the following:
$ puppet agent --no-daemonize --verbose --onetime
**err: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed to retrieve certificate and waitforcert is disabled**
It would appear the agent doesn't know what server to connect to. I could just specify --server on the command line, but that will be of no use to me when this runs as a daemon in production, so instead, I specify the server name in /etc/puppet/puppet.conf like so:
[main]
server = puppet.<my domain>
I do have a DNS entry for puppet.<my domain> and if I dig puppet.<my domain>, I see that the name resolves correctly.
All puppet documentation I have read states that the agent tries to connect to a puppet master at puppet by default and your options are host file trickery or do the right thing, create a CNAME in DNS, and edit the puppet.conf accordingly, which I have done.
So what am I missing? Any help is greatly appreciated!

D'oh! Need to sudo to do this! Then everything works.

I had to use the --server flag:
sudo puppet agent --server=puppet.example.org

I actually had the same error, but I was using the two Learning Puppet VMs and trying to run the 'puppet agent --test' command.
I solved the problem by opening the file /etc/hosts on both the master and the agent VM and editing the line
***.***.***.*** learn.localdomain learn puppet.localdomain puppet
The IP address (the asterisks) was originally some random number. I had to change this number on both VMs so that it was the IP address of the master node.
So I guess for experienced users my advice is to check the /etc/hosts file to make sure that the IP addresses in here for the master and agent not only match but are the same as the IP address of the master.
For other noobs like me, my advice is to read the documentation more clearly. This was a step in the 'setting up an agent vm' process that I totally missed xD

In my case I was getting the same error, but it was due to the cert, which should have been signed for the node on the puppetmaster server.
To check pending certs, run the following:
puppet cert list
"node.domain.com" (SHA256) 8D:E5:8A:2*******"
Sign the cert for the node:
puppet cert sign node.domain.com

Had the same issue today on puppet 2.6 on CentOS 6.4
All I did to resolve the issue was to check the usual stuff such as hosts and resolv.conf to ensure they were as expected (compared with a working server) and then:
Removed the /var/lib/puppet directory: rm -rf /var/lib/puppet
Cleared the certificate on the puppet master: puppetca --clean servername
Restarted the network: service network restart
Re-ran puppet
Even though the resolv.conf was identical to the working server, puppet updated resolv.conf and immediately re-signed the certificate and replaced all the puppet lib files.
Everything was fine after that.

Related

jenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection Message [Auth fail]

I am learning to use Jenkins to deploy a .Net 5.0 application on an AWS EC2 server. This is the first time I am using a Linux server and Jenkins for .Net (I am a lifelong Windows guy), and I am facing an error while trying to publish my artifacts over SSH to the Web Server.
My setup:
Jenkins server is an AWS EC2 Linux AMI server.
Web Server is also an AWS EC2 Linux AMI server.
My Jenkins is correctly installed and working. I am able to build and run unit test cases without any issues.
For Deploy, I am using 'Publish Over SSH' plugin, and I have followed all steps to configure this plugin as mentioned here https://plugins.jenkins.io/publish-over-ssh/.
However, when I try to 'Test Configuration', I get the below error,
Failed to connect or change directory
jenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection. Message: [Failed to connect session for config [WebServer]. Message [Auth fail]]
I did a ping test from Jenkins server to Web Server, and it is a success.
I'm using the .pem key in the 'Key' section of 'Publish over SSH'. This key is the same key I use to SSH into the web server.
The below link suggests many different solutions, but none is working in my case.
Jenkins Publish over ssh authentification failed with private key
I was looking at the below link which describes the same problem,
Jenkins publish over SSH failed to change to remote directory
However in my case I have kept 'Remote Directory' as empty. I don't know if I have to specify any directory here. Anyways, I tried creating a new directory under the home directory of user ec2-user as '/home/ec2-user/publish' and then used this path as Remote Directory, but it still didn't work.
Screenshot of my settings in Jenkins:
I would appreciate if anyone can point me to the right direction or highlight any mistake I'm doing with my configuration.

In my case, the following steps solved the problem.
Solution is based on Ubuntu 22.04
Add two lines to /etc/ssh/sshd_config:
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes +ssh-rsa
Restart the sshd service:
sudo service sshd restart

You might consider the following:
a. From the screenshot you’ve provided, it seems that you have checked the Use password authentication, or use different key option which will require you to add your key and password (inputs from these fields will be used in connecting to your server via SSH connection). If you use the same SSH key and passphrase/password on all of your servers, you can uncheck/untick that box and just use the config you have specified above.
b. You might also check if port 22 of your web server allows inbound traffic from the security group where your Jenkins server/EC2 instance is running. See reference here.
c. Also, make sure that the remote directory you have specified is existing otherwise the connection may fail.
Here's the sample config

Facing issues in puppetserver - puppet-agent configuration

I am trying to set up Puppet for DevOps. I have puppet server on Ubuntu 14.04 and puppet-agent on Windows 10. When I generate a certificate for the first time from puppet-agent (Windows 10), the SSL certificate is generated without any issues and I can even sign the same certificate from puppetserver (Ubuntu 14.04). However, after signing, when I try to update the status in puppet-agent (Windows 10) with "puppet agent -t", I get this error:
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=username-virtualbox.domain.com]
The puppet configuration file details:
puppet.config (puppetserver [Ubuntu]):
Troubleshooting steps already tried,
Time zone in both the environments are in sync
Deleted "ssl" folders containing the details of the ssl certificates from both the environments several times and re-tried
8140 ports are enabled on both Windows and Ubuntu
I faced the same problem,
Try to run cmd as admin
I am having the same issue -- been working it for a few weeks now. I cannot guarantee yet that mine is working correctly all the time. Here are some steps I have taken. I hope they are helpful to others.
I am running Puppet Enterprise 2018.1.4. Puppet Agent 5.5.6 on RHEL 7.4.
1) The SSL routine uses a time stamp. Ensure the time is the same between Master & Client.
2) Clean/remove the agent cert from the Master AND the Client. On my RHEL, the Client cert is in /etc/puppetlabs/puppet/ssl/* -- remove any files with the agent name in here.
3) Make sure puppet is enabled on your agent: puppet agent --enable
4) If a client does not contact the puppet master "for a while", the master will drop the client from its node list, but NOT remove the cert. In theory, the master SHOULD return the node to an active status.
5) Can you run the puppet agent on the master & get the expected results? If not -> problem with puppet code, otherwise, problem with agent.
6) Is puppet.conf configured correctly? Under the [main] section, do you have the server entry correct? Under [agent] are you set to the correct environment? Is noop set to true?
7) It is possible that you have an error in a puppet module that is causing the agent to exit quietly. Run puppet parser validate on all of your .pp files.
8) Can the master resolve the IP address of the master and the client? Can the client resolve the IP address of the master and the client? Is resolv.conf set correctly on both hosts?
9) Hostnames of the client & master should be correct. Each server should know its shortname, FQDN and IP. On RHEL, I run: hostname; hostname -f; and hostname -i, respectively.
10) File permissions on all the directories & modules should be correct. Check out a working module, see its owner, group & permissions. Ensure your module is the same.
11) Only root/admin can correctly run puppet agent.
12) On RHEL, the logs are under /var/log/puppet. Do you see any errors there?
13) run puppet agent with the --debug or the --trace option in addition to -t. Pipe this output to a file and see if you can spot any errors.
14) Can you force the master to run the puppet agent on the client successfully?
Many of these things have been narrowing down my issue. I don't know yet if it is fixed, as it takes a while for a node to drop out. Hopefully these will fix your issue.
Hope it helps. There are LOTS of things that could be going wrong.

Agent not reading /etc/sysconfig/puppet server=

We have several servers working with puppet as agents today, but I'm having a problem with a new server running CentOS 7. Normally I would update the /etc/sysconfig/puppet file with the puppet master name and then start the daemon and move to signing the certificate on the master. However, puppet agent doesn't appear to be reading the server = myhost.domain in my config file.
I get the following error in /var/log/messages:
puppet-agent[11133]: Could not request certificate: getaddrinfo: Name or service not known
I tried:
myserver:root$ puppet agent --configprint server
puppet
myserver:root$
but the /etc/sysconfig/puppet file has:
PUPPET_SERVER=myserver.domain.com
Can you please help me understand why puppet agent doesn't get the server from the config file?
The /etc/sysconfig/puppet file is not typically read by the Puppet agent. (I'm not very familiar with CentOS operations, but I suppose that this location might hold some settings that are external to the process, such as environment, command line switches etc.)
You will want to use the proper puppet configuration file:
/etc/puppet/puppet.conf for Puppet 3.x and earlier
/etc/puppetlabs/puppet.conf for Puppet 4.x
so ran the following:
"puppet agent --no-daemonize --verbose --onetime --server puppetmaster.xxx.com"
this started puppet properly, requested certificate and I was able to sign on master. Then added:
server = puppetmaster.xxx.com
to /etc/puppet/puppet.conf and "systemctl restart puppet"
and it worked. Thanks for posts here and other places.
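
Both getaddrinfo threads above reduce to two checks: which server value a given puppet.conf actually yields, and whether that name resolves through the system resolver rather than through DNS alone. The script below is an added example, not code from the posts; the function names and the config path argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the posts): show which master a puppet.conf selects
# and whether that name resolves through NSS, the lookup path getaddrinfo uses.

# Print the effective `server` from an INI-style puppet.conf. [agent] wins
# over [main]; if neither sets it, the agent falls back to the name "puppet".
puppet_conf_server() (
    conf="$1"; section=""; main=""; agent=""
    if [ -r "$conf" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            # Drop comments and all blanks so "server = x" becomes "server=x".
            line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
            case "$line" in
                \[*\]) section="${line#\[}"; section="${section%\]}" ;;
                server=*)
                    case "$section" in
                        main)  main="${line#server=}" ;;
                        agent) agent="${line#server=}" ;;
                    esac ;;
            esac
        done < "$conf"
    fi
    printf '%s\n' "${agent:-${main:-puppet}}"
)

# getent follows nsswitch.conf (usually /etc/hosts first, then DNS).
# dig queries DNS servers directly, so a dig success proves less.
resolves_via_nss() {
    getent hosts "$1" >/dev/null 2>&1
}

# Report on one config file; the default path is the Puppet 3.x location
# named in the thread. Returns non-zero when the name does not resolve.
check_master() {
    conf="${1:-/etc/puppet/puppet.conf}"
    server=$(puppet_conf_server "$conf")
    if resolves_via_nss "$server"; then
        echo "OK: $conf selects '$server', which resolves"
    else
        echo "FAIL: $conf selects '$server', which does not resolve"
        return 1
    fi
}

# Run only when a config path is given, e.g.: sh check.sh /etc/puppet/puppet.conf
if [ $# -gt 0 ]; then check_master "$1"; fi
```

Run it as the same user the agent runs as, and compare the result with the output of puppet agent --configprint server.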

Unable to sign certificate.

I am trying to get my hands on puppet. I booted up 2 VMs, both running Linux Mint 17. I intended one as puppetmaster and one as puppetclient. I am following this guide: https://help.ubuntu.com/12.04/serverguide/puppet.html
in /etc/hostname
in /etc/hosts
master:
127.0.0.1 localhost /// no chance
127.0.1.1 puppetmaster //
192.168.75.141 puppetclient //this client's ip address after nm-tool search.
client:
127.0.0.1 localhost
127.0.1.1 puppetclient
192.168.75.142 puppetmaster // this is the master's ip address
In both client and master I created a file in etc/puppet/manifests/site.pp
package {
  'apache2':
    ensure => installed
}
service {
  'apache2':
    ensure  => true,
    enable  => true,
    require => Package['apache2']
}
In master I created a file in /etc/puppet/manifests/nodes.pp
node 'meercat02.example.com' {
  include apache2
}
In client I create a file /etc/default/puppet and put START=yes.
Here's where I think there's a problem. In the guide, the file should already exist, but in my case I had to create it.
So then I followed everything in the guide to sign the client certificate. I typed in sudo puppetca --sign puppetclient in puppetmaster's terminal . That didn't work and I found the solution in another post. https://serverfault.com/questions/457349/installed-puppetmaster-but-why-do-i-get-puppetca-command-not-found. So after reading the post I typed sudo puppet cert list --sign 'puppetclient'. Then it gives me this
Notice: Signed certificate request for ca
Error: Could not find certificates request for list
After the first five pages of google search I end up here asking for help. =) Anyone can help me resolve this issue? Thanks.
You cannot sign a certificate before there is a certificate request.
You have to establish the agent/master communication first.
Find out the certificate name of your master
puppet master --configprint certname
On the agent node, make sure that name resolves to the master's IP address (you currently used puppetmaster for this, which might suffice).
Send the initial request to the master
Do this on the agent node.
puppet agent --test --master=<name you just registered>
The agent generates a CSR, and prints a message that it could not receive a certificate.
Sign the certificate
On the master:
puppet cert list
Locate the CSR of your agent, then
puppet cert sign <agent>
The next puppet agent --test call will receive the certificate.
Try this
puppet agent --test master="name you just register"
It works for me.
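
The signing steps in this thread sign whichever pending request carries the expected name. Comparing the CSR fingerprint listed on the master with the one read on the agent itself (for example with puppet agent --fingerprint) confirms the request came from that host. The script below is an added example, not code from the posts; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the posts): sign a pending CSR only when its
# fingerprint matches the one read on the agent itself.

# Constructed sample in the `puppet cert list` layout quoted on this page;
# the fingerprints are placeholders, not real values.
SAMPLE_LIST='  "puppetclient" (SHA256) 11:22:33:44:AA:BB:CC:DD
  "node.domain.com" (SHA256) 55:66:77:88:EE:FF:00:99'

# Read `puppet cert list` output on stdin, print the fingerprint for one name.
csr_fingerprint() {
    awk -v want="\"$1\"" '$1 == want { print $3; exit }'
}

# Return 0 on a match, 1 on a mismatch, 2 when no request is pending.
# The comparison ignores the case of the hex digits.
csr_matches() {
    name="$1"; expected="$2"
    seen=$(csr_fingerprint "$name")
    [ -n "$seen" ] || { echo "no pending request for $name" >&2; return 2; }
    a=$(printf '%s' "$seen" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
    [ "$a" = "$b" ] || { echo "fingerprint mismatch for $name: $seen" >&2; return 1; }
}

# On the master: refuse to sign unless the check passes.
# $1 = certname, $2 = fingerprint obtained from the agent out of band.
sign_if_verified() {
    puppet cert list | csr_matches "$1" "$2" && puppet cert sign "$1"
}

# Offline check against the constructed sample.
demo_check() {
    printf '%s\n' "$SAMPLE_LIST" | csr_matches puppetclient 11:22:33:44:aa:bb:cc:dd
}
demo_check && echo "puppetclient: fingerprint verified, safe to sign"
```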

Set node name in puppet to noop option

I'm using puppet and want to test it with noop, but some configuration depends on the hostname like the node types.
How can I set the node name and run puppet with noop to check the node configuration that matches the node name? Currently I get this error message (my laptop is solaria):
Could not find default node or by name with 'solaria, solaria.lan' on node solaria.lan
Thanks.
puppetd --test --noop --fqdn="hostname.example.com"
Or with 2.6, this may be preferable:
puppet agent --test --noop --fqdn="hostname.example.com"
This will tend to create new certificates on the puppet master, so you'll probably need to run puppetca --clean hostname.example.com on the puppet master afterwards, otherwise when you finally get hosts with those names they'll be unable to set up an SSL relationship with the master.
I just figured out one possible solution: adding this to my config file
nodename = cert
certname = hostname
