Could not call sign: Could not find certificate request for puppet
I'm getting started with puppet on ec2 using the following guide.
https://help.ubuntu.com/12.04/serverguide/puppet.html
In the very last step when I try to sign the puppet client from the puppet master I get the following error
root@ip-10-248-27-66:/home/ubuntu# puppetca --sign ec2-54-245-56-210.us-west-2.compute.amazonaws.com
err: Could not call sign: Could not find certificate request for ec2-54-245-56-210.us-west-2.compute.amazonaws.com
Here is the output of /etc/hosts
on the puppetmaster
127.0.0.1 localhost puppetmaster
10.248.34.162 ec2-54-245-56-210.us-west-2.compute.amazonaws.com puppet
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Here is the output of /etc/hosts
on the puppet client
127.0.0.1 localhost
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
I followed the troubleshooting advice here https://serverfault.com/a/388973/85577
Is the master running?
root@ip-10-248-27-66:/home/ubuntu# service puppetmaster status
* master is running
Does the hostname 'puppet' or 'puppet.abc.com' resolve from the agent?
How would I check this? Do I simply telnet to puppetmaster on port 8140 (the host command does not resolve it but the telnet command does)?
root@ip-10-248-34-162:/home/ubuntu# host puppetmaster
Host puppetmaster not found: 3(NXDOMAIN)
Is TCP port 8140 on the master reachable from the agent (try: telnet puppet 8140)?
root@ip-10-248-34-162:/home/ubuntu# telnet puppetmaster 8140
Trying 10.248.27.66...
Connected to ec2-50-112-220-110.us-west-2.compute.amazonaws.com.
Escape character is '^]'.
What does syslog on the agent say?
Apr 11 17:57:41 ip-10-248-34-162 puppet-agent[3897]: Could not request certificate: getaddrinfo: Name or service not known
Try puppet agent --test on the agent, which will attempt to connect to the master and stay in foreground to show the output.
root@ip-10-248-34-162:/home/ubuntu# puppet agent --test
err: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed to retrieve certificate and waitforcert is disabled
EDIT
Thanks dawud, so the entries in /etc/hosts are correct per this command:
$ getent hosts puppetmaster
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster
however when I try this I get an error
$ puppet agent --test --waitforcert 5
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)
Check that both the puppetmaster and the client machine can resolve the FQDN of the puppetmaster. For this to work, you need to add the puppetmaster IP to your /etc/hosts on both machines, then check it using:
$ ping puppetmaster
or
$ getent hosts puppetmaster
Check that you can reach the puppetmaster from the client machine
$ telnet puppetmaster 8140
If you get connection refused by the server, check that the port is open on the puppetmaster:
# iptables -L -n -v
Or add a rule to allow incoming traffic to that port (this depends on how iptables is already configured):
# iptables -A INPUT -p tcp --dport 8140 -m state --state NEW -j ACCEPT
And run from the client
# puppet agent --test --waitforcert 5
Afterwards, from the puppetmaster
# puppet cert list
will show you the cert ready to be signed; you can check that it belongs to the client machine by comparing the fingerprint. Sign it:
# puppet cert sign $client
Puppetmaster will compile a catalog for the client and you can follow how it is applied in the client console.
To regenerate the certificates on the puppetmaster, stop the puppetmaster and run
# find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
When you start the puppetmaster again, it will regenerate the certificate for you.
On the client side, it is enough to remove the contents of the ssldir, usually /var/lib/puppet/ssl (but check as above); the next time you invoke
# puppet agent --test --waitforcert 5
it will be recreated.
Eventually, check the CN of the certificate of the puppetmaster with
# puppet cert list --all
and match any of the names/ALT names to the entry in your /etc/hosts.
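The first two checks in the answer (does the master's name resolve from the agent, and does anything answer on TCP 8140), written as a small Python script so the three outcomes seen on this page can be told apart. This is an added example, not code from the question, the answer or Puppet; the /etc/hosts lines are copied from the question, and the probe is exercised against a throw-away local listener so it runs offline.

```python
"""Agent-side checks for a Puppet agent -> master link (added example, not
code from the question, the answer or Puppet): does the master's name
resolve, and does anything answer on TCP 8140?"""
import socket
PUPPET_PORT = 8140  # port the agent connects to, as on the page

# /etc/hosts lines copied from the question: master's file, then client's.
MASTER_HOSTS = """127.0.0.1 localhost puppetmaster
10.248.34.162 ec2-54-245-56-210.us-west-2.compute.amazonaws.com puppet"""
CLIENT_HOSTS = """127.0.0.1 localhost
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster"""

def parse_hosts(text):
    """Map every name and alias in /etc/hosts-style text to its address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blanks
        for name in fields[1:]:
            table.setdefault(name, fields[0])  # first matching line wins
    return table

def probe(host, port=PUPPET_PORT, timeout=2.0):
    """Classify the link the way the page's error messages do. getaddrinfo()
    reads /etc/hosts via nsswitch like `getent hosts`; `host` asks DNS only."""
    try:
        family, _, _, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "name-not-resolved"  # getaddrinfo: Name or service not known
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "reachable"
        except ConnectionRefusedError:
            return "connection-refused"  # Connection refused - connect(2)
        except OSError:
            return "unreachable"  # silence: packets dropped, e.g. by iptables

def demo():
    """Exercise probe() against a throw-away local listener, so it runs offline."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        results = {"listening": probe("127.0.0.1", port)}
    results["closed"] = probe("127.0.0.1", port)  # listener gone: refused
    results["bad-name"] = probe("puppetmaster.invalid")  # .invalid never resolves
    return results
```

Run against the two hosts files from the question, parse_hosts() shows that the alias puppet is defined only on the master's file, while the client's file defines puppetmaster; that is the difference between the getaddrinfo error and the connection-refused error in the question.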
One of the things noted in the discussion here and not mentioned in the previous answer is that sometimes ports can behave strangely. In my case, in spite of having port 8140 opened in iptables, I was getting errors about not being able to connect. What helped me were the following commands:
iptables -F
service iptables save
Of course, use sudo if the above commands fail with your user. I even added the above two commands to the provisioning script of the box so that if I halt/recreate the boxes, iptables is flushed.