Can’t connect puppet agent to master

puppet ufw

I'm trying to set up puppet for the first time.

I've ensured port 8140 and 22 are open using ufw.

Both the server and agent are running. Before starting the agent I edited /etc/puppet/puppet.conf by adding:

[agent]
server=174.89.xyz.abc

I also did the above for /etc/puppetlabs/puppet/puppet.conf; I'm not sure if I should have both. When I run puppet --version, I get back 4.10.

Agent server's IP is set to that of master-server.

I run puppet cert list expecting to see a request from the agent, which I pointed at my laptop, but I don't see any requests.

I'm not sure what to do next to figure out why the agent doesn't connect.

Edit:

I ran puppet agent --test which returned:

Info: Creating a new SSL key for ip-172-00-00-00.us-west-2.compute.internal
Error: Could not request certificate: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)
Exiting; failed to retrieve certificate and waitforcert is disabled

I've ensured my laptop is in the DMZ and can successfully ping it from the agent server.


Update:

@DylanKnoll pointed out that the default value for server was puppet, so it may not accept IP addresses. I found some more documentation on what puppet aliased to here. I then removed the configuration above and added this line to /etc/hosts:

174.89.000.000 puppet

After this change the error I received changed. So they seem to be making a connection. I'm still using an IP address so maybe I will need a domain name to get a proper SSL connection (?)

Error message:

Error: Could not request certificate: The CSR retrieved from the master does not match the agent's public key.
CSR fingerprint: BF:43:71:72:86:45:76:E9:34:20:24:71:B6:0C:88:25:3A:67:5E:C4:84:D5:E0:22:C9:1A:9E:FD:98:C1:0D:3C
CSR public key: Public-Key: (4096 bit)
Modulus:
    00:b7:bd:de:db:24:50:01:95:ad:10:af:83:6e:c5:
    # lines removed
    35:e9:17:40:46:09:31:96:d6:68:ca:15:9e:be:41:
    85:6c:eb
Exponent: 65537 (0x10001)

Agent public key: Public-Key: (4096 bit)
Modulus:
    00:b0:21:80:23:d5:a5:26:37:ea:68:02:99:d5:85:
    # lines removed
    3d:92:e1
Exponent: 65537 (0x10001)

To fix this, remove the CSR from both the master and the agent and then start a puppet run, which will automatically regenerate a CSR.
On the master:
  puppet cert clean ip-172-31-27-12.us-west-2.compute.internal
On the agent:
  1a. On most platforms: find /home/ubuntu/.puppetlabs/etc/puppet/ssl -name ip-172-31-27-12.us-west-2.compute.internal.pem -delete
  1b. On Windows: del "\home\ubuntu\.puppetlabs\etc\puppet\ssl\certs\ip-172-31-27-12.us-west-2.compute.internal.pem" /f
  2. puppet agent -t

Best Answer

Did you run puppet agent --test on the agent to generate (and send) the initial cert request? That should put the agent in the certificate request list of your master.

If the agent's just complaining about not finding a cert then quitting, it may be thinking that it's already sent a request - just reset its memory as far as SSL is concerned by backing up then nuking the configured puppet SSL directory (by default, /var/lib/puppet/ssl or /etc/puppetlabs/puppet/ssl), then running puppet agent --test (with --debug and --verbose if you want to make really sure) - this run should output that it's generating a new cert request, and it should be sent to the configured master.
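The mismatch reported in the question's second error can be confirmed by hand with openssl before any certificate data is cleaned. The script below is an added example, not part of the original question or answer; it assumes the openssl CLI is installed, and the file names, the CN and the generated keys are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a CSR carries the
# same public key as a given private key, which is the comparison behind
# "The CSR retrieved from the master does not match the agent's public key".

# Print the SHA-256 of a PEM public key read from stdin, hashed in DER form.
_spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Digest of the public key derived from a private key file ($1).
pubkey_digest_from_key() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | _spki_digest
}

# Digest of the public key embedded in a CSR file ($1).
pubkey_digest_from_csr() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | _spki_digest
}

# Return 0 if CSR ($1) and private key ($2) share a public key, 1 if they
# differ, 2 if either file cannot be parsed.
csr_matches_key() {
    csr_d=$(pubkey_digest_from_csr "$1") || return 2
    key_d=$(pubkey_digest_from_key "$2") || return 2
    [ "$csr_d" = "$key_d" ]
}

# Constructed sample input: a current agent key with its CSR, plus a stale
# CSR made from an older key, as left behind when a key pair is regenerated.
# The names, CN and 2048-bit size are hypothetical.
make_fixture() {
    for n in agent old; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/$n.key" 2>/dev/null || return 1
        openssl req -new -key "$1/$n.key" -subj "/CN=agent.example.test" \
            -out "$1/$n.csr" 2>/dev/null || return 1
    done
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
csr_matches_key "$demo_dir/agent.csr" "$demo_dir/agent.key" && echo "agent.csr: match"
csr_matches_key "$demo_dir/old.csr" "$demo_dir/agent.key" || echo "old.csr: mismatch (stale CSR)"
rm -rf "$demo_dir"
```

On a real pair, pass the CSR held by the master and the agent's private key as the two arguments to csr_matches_key.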
