Home / server / Questions / 347237
In Process
Dennis Wisnia
Asked: 2012-01-07 00:29:50 +0800 CST

Puppet doesnt sign certs

  • 772

I have build an testlab for puppet, but it doesn't work. I start puppet agent on the node and it waits for the certificate. 

root:~# puppet agent --server xxxx --waitforcert 60 --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session

On the Server, now pending certificate requests are found: 

root:~# puppet cert --list                                                                                                        
root:~#

In the masterhttpd log:

root:~# tail /var/log/puppet/masterhttp.log
[2012-01-06 09:19:17] xxx - - [06/Jan/2012:09:19:17 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:17] - -> /production/certificate/pgw
[2012-01-06 09:19:47] xxx - - [06/Jan/2012:09:19:47 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:47] - -> /production/certificate/pgw
[2012-01-06 09:19:47] xxx - - [06/Jan/2012:09:19:47 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:47] - -> /production/certificate/pgw
[2012-01-06 09:19:47] xxx - - [06/Jan/2012:09:19:47 CET] "GET /production/certificate/xx HTTP/1.1" 404 30
[2012-01-06 09:19:47] - -> /production/certificate/pgw

The certificate file is not found.

debian puppet debian-squeeze

3 Answers

  1. I recommend you start the puppet agent as

    $ puppet agent --server=xxxx --test --debug

    this command will give you more details why it is failing. Also, you may need tgo allow more time for it to complete.

    You can also try to remove the certificate from sides if any (on master and agent respectively)

    puppet --cert --clean your_machine_name

rm -rf /etc/puppet/ssl
    • 1

  2. I ran into very similar problems when I first started with Puppet. The --server option was not being respected.

    Try adding an entry to your HOSTS file with the name of 'puppet' and the IP of your master box.

    If that works the following syntax works well (at least for version 2.7.5)

    [main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
server = puppetmaster.yourdomain.org
pluginsync = true

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppetmaster.yourdomain.org
listen = true
    • 1

  3. Looks like you verified that the agent is getting to the master. Good first step.

    Next, as others have suggested, verify that the certificate wasn't signed and that you just didn't miss it:

    sudo puppet cert --list --all

    If you don't see it there, I'd clean everything up and start over.

    First, confirm that the date and time on both servers are in sync. You could force an NTP sync with something like ntpd -q -g, depending on your distro and NTP client.

    Then, run a clean on the puppet master:

    sudo puppet cert clean <agent hostname>

    On the agent, clean up all your SSL files:

    sudo rm -rf /var/puppet/ssl /var/lib/puppet/ssl/ /var/puppet/ssl

    Finally, run a test:

    sudo puppet agent --debug --test --server <master hostname>

    Hopefully, if this doesn't address the issue, this should yield you some clues as to where to look.

    • 1