Can't create certificate for puppet agent
I'm trying to run both puppetmaster and agent on an Ubuntu Mate 15.10 vm.
My /etc/hosts contains the following relevant entries
127.0.0.1 localhost
127.0.1.1 ubuntu
127.0.1.1 ubuntu.localdomain
My /etc/puppet/puppet.conf contains the following entries
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
dns_alt_names=puppet,ubuntu.localdomain
server=ubuntu.localdomain
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
I'm issuing the following commands
ps -ef|grep puppet
# kill both master and agent if running
sudo rm -rf /var/lib/puppet/ssl
sudo service puppetmaster start
sudo service puppet restart
sudo puppet agent -t
The last command returns
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for ubuntu.localdomain
Info: Applying configuration version '1453930694'
Notice: Finished catalog run in 0.01 seconds
Now if I run sudo puppet cert list
it doesn't show anything. Also issuing sudo puppet cert sign ubuntu.localdomain
after it throws the following error
Error: Could not find certificate request for ubuntu.localdomain
What am I doing wrong? BTW I'm using puppet 3.7.2 and hostname -f
returns ubuntu. But using this hostname in puppet.conf throws some error, so I'm appending it with .localdomain
Solution 1:
After much hassle, I've found a series of steps that works. I've tried it out a couple of times, and it's working every time, so I'm posting the steps for creating one puppet master and one agent on two separate virtual machines for reference.
Assuming two VMs, one for puppetmaster, one for puppetclient.
Server
sudo apt-get update
sudo sed -i 's/ubuntu/puppetmaster/g' /etc/hostname
sudo nano /etc/network/interfaces # If no IP for puppetmaster is present, copy from 'ifconfig'
#ADD CLIENT AND SERVER IP'S TO /ETC/HOSTS
sudo nano /etc/hosts # Add client, server entries. Add puppetclient.localdomain as client
sudo apt-get install -y puppetmaster
sudo service puppetmaster stop
sudo rm -r /var/lib/puppet/ssl
sudo puppet cert list -a # Regenerate the CA. Should see "Notice: Signed certificate request for ca"
sudo puppet master --no-daemonize --verbose # Generate the Puppet master’s new certs. When you see "Notice: Starting Puppet master <your Puppet version>", type CTRL + C.
sudo service puppetmaster start
Client
sudo apt-get update
sudo sed -i 's/ubuntu/puppetclient/g' /etc/hostname
sudo nano /etc/network/interfaces # If no IP for puppetclient is present, copy from 'ifconfig'
sudo reboot
#ADD CLIENT AND SERVER IP'S TO /ETC/HOSTS //Add client, server entries. Add puppetmaster.localdomain as master
sudo nano /etc/hosts
sudo apt-get install -y puppet
sudo nano /etc/puppet/puppet.conf # See below for sample entry in conf file
#sudo sed -i 's/no/yes/g' /etc/default/puppet # Don't need
sudo service puppet stop
sudo rm -r /var/lib/puppet/ssl
sudo service puppet restart
sudo puppet agent --server puppetmaster.localdomain --waitforcert 20 --test # Request a cert from the server
Server
sudo puppet cert --list # Should show the client's cert
sudo puppet cert sign puppetclient.localdomain
sudo nano /etc/puppet/manifests/site.pp
#add following to site.pp
file { '/tmp/Demo':
  content => "Hooray!"
}
Client
sudo puppet agent --test
Server
#Change content in site.pp and do a 'cat /tmp/Demo' on client. The modified entries in server side should be reflected on client.
FOR A CLEAN START: Remove all traces of the client on the server
sudo puppet node clean puppetclient.localdomain
Example /etc/hosts for client
127.0.0.1 localhost
127.0.1.1 puppetclient
192.168.112.129 puppetclient
192.168.112.130 puppetmaster.localdomain
Example /etc/hosts for server
127.0.0.1 localhost
127.0.1.1 puppetmaster
192.168.112.130 puppetmaster
192.168.112.129 puppetclient.localdomain
Example /etc/puppet/puppet.conf for client
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
server = puppetmaster.localdomain
runinterval = 5s
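
The signing step in the answer above trusts whatever request appears under the client's name. As an added example (not part of the original answer), this script compares the fingerprint the client reports with the one the server lists before signing. It assumes Puppet 3.x prints digests as colon-separated hex pairs and quotes the certname in `puppet cert list`; the function names and sample digests are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original answer): compare the CSR fingerprint the
# agent reports with the one the master lists before running `puppet cert sign`.
# Assumption: Puppet 3.x prints digests as colon-separated hex pairs and quotes
# the certname in `puppet cert list`. Function names are hypothetical.

# Print the first colon-separated hex digest found on stdin, upper-cased.
extract_fp() {
    tr 'abcdef' 'ABCDEF' | grep -oE '([0-9A-F]{2}:){15,}[0-9A-F]{2}' | head -n 1
}

# csr_fp_for NAME: read `puppet cert list` output on stdin, print NAME's digest.
# The quotes are part of the match, so "xNAME" or "NAME.evil" do not match.
csr_fp_for() {
    grep -F "\"$1\"" | extract_fp
}

# safe_to_sign NAME AGENT_OUTPUT MASTER_OUTPUT
# Succeeds only when both sides show the same non-empty digest (fails closed).
safe_to_sign() {
    agent_fp=$(printf '%s\n' "$2" | extract_fp)
    master_fp=$(printf '%s\n' "$3" | csr_fp_for "$1")
    [ -n "$agent_fp" ] && [ "$agent_fp" = "$master_fp" ]
}

# Constructed sample output; the digest is made up for illustration.
FP='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
# Client side: output of `sudo puppet agent --fingerprint`
AGENT_OUT="(SHA256) $FP"
# Server side: output of `sudo puppet cert list`
MASTER_OUT="  \"puppetclient.localdomain\" (SHA256) $FP"
# Same certname, different key: first byte of the digest changed to FF
SWAPPED_OUT="  \"puppetclient.localdomain\" (SHA256) FF:${FP#00:}"

if safe_to_sign puppetclient.localdomain "$AGENT_OUT" "$MASTER_OUT"; then
    echo "fingerprints match: sudo puppet cert sign puppetclient.localdomain"
fi
if ! safe_to_sign puppetclient.localdomain "$AGENT_OUT" "$SWAPPED_OUT"; then
    echo "fingerprint mismatch: do not sign"
fi
```

In real use, replace the sample variables with the captured output of the two commands named in the comments, with the client's output carried to the server over a channel you already trust.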