Puppet doesn't sign certs

I have built a test lab for Puppet, but it doesn't work. I start the puppet agent on the node and it waits for the certificate.

root:~# puppet agent --server xxxx --waitforcert 60 --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session

On the server, no pending certificate requests are found:

root:~# puppet cert --list
root:~#

In the masterhttpd log:

root:~# tail /var/log/puppet/masterhttp.log
[2012-01-06 09:19:17] xxx - - [06/Jan/2012:09:19:17 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:17] - -> /production/certificate/pgw
[2012-01-06 09:19:47] xxx - - [06/Jan/2012:09:19:47 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:47] - -> /production/certificate/pgw
[2012-01-06 09:19:47] xxx - - [06/Jan/2012:09:19:47 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:47] - -> /production/certificate/pgw
[2012-01-06 09:19:47] xxx - - [06/Jan/2012:09:19:47 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:47] - -> /production/certificate/pgw

The certificate file is not found.


I recommend you start the puppet agent as

$ puppet agent --server=xxxx --test --debug

This command will give you more details about why it is failing. Also, you may need to allow more time for it to complete.

You can also try to remove the certificate from both sides, if any (on master and agent respectively):

puppet cert --clean your_machine_name

rm -rf /etc/puppet/ssl

I ran into very similar problems when I first started with Puppet. The --server option was not being respected.

Try adding an entry to your HOSTS file with the name of 'puppet' and the IP of your master box.

If that works, the following syntax works well (at least for version 2.7.5):

[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
server = puppetmaster.yourdomain.org
pluginsync = true

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppetmaster.yourdomain.org
listen = true

Looks like you verified that the agent is getting to the master. Good first step.

Next, as others have suggested, verify that the certificate wasn't signed and that you just didn't miss it:

sudo puppet cert --list --all

If you don't see it there, I'd clean everything up and start over.

First, confirm that the date and time on both servers are in sync. You could force an NTP sync with something like ntpd -q -g, depending on your distro and NTP client.

Then, run a clean on the puppet master:

sudo puppet cert clean <agent hostname>

On the agent, clean up all your SSL files:

sudo rm -rf /var/puppet/ssl /var/lib/puppet/ssl/

Finally, run a test:

sudo puppet agent --debug --test --server <master hostname>

Hopefully, if this doesn't address the issue, this should yield you some clues as to where to look.
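
To separate an agent that is only polling for its certificate from one whose signing request actually reached the master, the access log can be summarized per certname. This is an added example, not part of the original posts: it assumes the log format shown in the question and that agents submit signing requests with a PUT to a certificate_request path, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. Summarizes certificate traffic per
# certname from a master access log in the format shown in the question.
# Assumption: agents submit CSRs with PUT /<env>/certificate_request/<certname>.

# Constructed sample log; addresses and certnames are placeholders.
sample_log() {
cat <<'EOF'
[2012-01-06 09:19:17] 192.0.2.10 - - [06/Jan/2012:09:19:17 CET] "GET /production/certificate/ca HTTP/1.1" 200 875
[2012-01-06 09:19:17] - -> /production/certificate/ca
[2012-01-06 09:19:17] 192.0.2.10 - - [06/Jan/2012:09:19:17 CET] "GET /production/certificate/node-a HTTP/1.1" 404 30
[2012-01-06 09:19:17] - -> /production/certificate/node-a
[2012-01-06 09:19:47] 192.0.2.10 - - [06/Jan/2012:09:19:47 CET] "GET /production/certificate/node-a HTTP/1.1" 404 30
[2012-01-06 09:19:47] - -> /production/certificate/node-a
[2012-01-06 09:20:01] 192.0.2.11 - - [06/Jan/2012:09:20:01 CET] "GET /production/certificate/node-b HTTP/1.1" 404 30
[2012-01-06 09:20:01] 192.0.2.11 - - [06/Jan/2012:09:20:01 CET] "PUT /production/certificate_request/node-b HTTP/1.1" 200 4
[2012-01-06 09:20:31] 192.0.2.11 - - [06/Jan/2012:09:20:31 CET] "GET /production/certificate/node-b HTTP/1.1" 404 30
[2012-01-06 09:21:05] 192.0.2.12 - - [06/Jan/2012:09:21:05 CET] "PUT /production/certificate_request/node-c HTTP/1.1" 200 4
[2012-01-06 09:21:40] 192.0.2.12 - - [06/Jan/2012:09:21:40 CET] "GET /production/certificate/node-c HTTP/1.1" 200 912
EOF
}

# Reads the log on stdin, prints one line per certname in first-seen order.
summarize_cert_requests() {
  awk -F'"' '
    NF < 3 { next }                  # skip "- ->" continuation lines
    {
      split($2, req, " "); split($3, res, " ")
      n = split(req[2], p, "/")      # /<env>/<endpoint>/<certname>
      if (n != 4 || p[4] == "ca") next
      name = p[4]
      if (!(name in seen)) { seen[name] = 1; order[++count] = name }
      if (p[3] == "certificate" && req[1] == "GET") {
        if (res[1] == 404) miss[name]++
        else if (res[1] == 200) got[name]++
      }
      if (p[3] == "certificate_request" && req[1] == "PUT" && res[1] ~ /^2/) csr[name]++
    }
    END {
      for (i = 1; i <= count; i++) {
        name = order[i]
        if (got[name]) verdict = "signed-and-fetched"
        else if (csr[name]) verdict = "csr-received-awaiting-signature"
        else verdict = "no-csr-received"
        printf "%s cert_404=%d csr_put=%d %s\n", name, miss[name], csr[name], verdict
      }
    }'
}

sample_log | summarize_cert_requests
```

On a real master, feed it the whole log rather than a `tail`, since the signing request may have been logged well before the repeated 404 polls: `summarize_cert_requests < /var/log/puppet/masterhttp.log`.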