I'm trying to set up puppet for the first time.
I've ensured port 8140 and 22 are open using ufw.
Both the server and agent are running. Before starting the agent I edited /etc/puppet/puppet.conf by adding:
[agent]
server=174.89.xyz.abc
I also did the above for /etc/puppetlabs/puppet/puppet.conf; I'm not sure if I should have both. When I run puppet --version, I get back 4.10.
Agent server's IP is set to that of master-server.
I run puppet cert list expecting to see a request from the agent, which I pointed at my laptop, but I don't see any requests.
I'm not sure what to do next to figure out why the agent doesn't connect.
Edit:
I ran puppet agent --test which returned:
Info: Creating a new SSL key for ip-172-00-00-00.us-west-2.compute.internal
Error: Could not request certificate: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)
Exiting; failed to retrieve certificate and waitforcert is disabled
I've ensured my laptop is in the DMZ and can successfully ping it from the agent server.
Update:
@DylanKnoll pointed out that the default value for server was puppet, so it may not accept IP addresses. I found some more documentation on what puppet aliased to here. I then removed the configuration above and added this line to /etc/hosts:
174.89.000.000 puppet
After this change the error I received changed. So they seem to be making a connection. I'm still using an IP address so maybe I will need a domain name to get a proper SSL connection (?)
Error message:
Error: Could not request certificate: The CSR retrieved from the master does not match the agent's public key.
CSR fingerprint: BF:43:71:72:86:45:76:E9:34:20:24:71:B6:0C:88:25:3A:67:5E:C4:84:D5:E0:22:C9:1A:9E:FD:98:C1:0D:3C
CSR public key: Public-Key: (4096 bit)
Modulus:
00:b7:bd:de:db:24:50:01:95:ad:10:af:83:6e:c5:
# lines removed
35:e9:17:40:46:09:31:96:d6:68:ca:15:9e:be:41:
85:6c:eb
Exponent: 65537 (0x10001)
Agent public key: Public-Key: (4096 bit)
Modulus:
00:b0:21:80:23:d5:a5:26:37:ea:68:02:99:d5:85:
# lines removed
3d:92:e1
Exponent: 65537 (0x10001)
To fix this, remove the CSR from both the master and the agent and then start a puppet run, which will automatically regenerate a CSR.
On the master:
puppet cert clean ip-172-31-27-12.us-west-2.compute.internal
On the agent:
1a. On most platforms: find /home/ubuntu/.puppetlabs/etc/puppet/ssl -name ip-172-31-27-12.us-west-2.compute.internal.pem -delete
1b. On Windows: del "\home\ubuntu\.puppetlabs\etc\puppet\ssl\certs\ip-172-31-27-12.us-west-2.compute.internal.pem" /f
2. puppet agent -t
Best Answer
Did you run puppet agent --test on the agent to generate (and send) the initial cert request? That should put the agent in the certificate request list of your master. If the agent's just complaining about not finding a cert then quitting, it may be thinking that it's already sent a request - just reset its memory as far as SSL is concerned by backing up then nuking the configured puppet SSL directory (by default, /var/lib/puppet/ssl or /etc/puppetlabs/puppet/ssl), then running puppet agent --test (with --debug and --verbose if you want to make really sure) - this run should output that it's generating a new cert request, and it should be sent to the configured master.
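
The "CSR retrieved from the master does not match the agent's public key" error in the question can be confirmed by hand before any SSL directory is deleted. The script below is an added example, not part of the original posts or of Puppet; it assumes the openssl command-line tool is installed, and the file names and CN in the demo are constructed.

```shell
#!/bin/sh
# Added example: check whether a CSR was generated from a given private key
# by comparing SHA-256 digests of the two DER-encoded public keys.

# Print the digest of a public key. $1 = csr|key, $2 = PEM file.
pubkey_digest() (
    case "$1" in
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)   pem= ;;
    esac
    # Refuse to hash empty input: two unreadable files must never "match".
    [ -n "$pem" ] || exit 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
)

# Exit 0 if the CSR came from the key, 1 if it did not, 2 if a file is unreadable.
csr_matches_key() (
    c=$(pubkey_digest csr "$1") || exit 2
    k=$(pubkey_digest key "$2") || exit 2
    [ "$c" = "$k" ]
)

# Demo on throwaway keys: a CSR made from an old key is checked against that
# key and against a regenerated one, the situation the error message reports.
demo() (
    d=$(mktemp -d) || exit 2
    trap 'rm -rf "$d"' EXIT
    openssl genrsa -out "$d/old.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/new.pem" 2048 2>/dev/null
    openssl req -new -key "$d/old.pem" -subj "/CN=agent.example.test" \
        -out "$d/old.csr" 2>/dev/null
    csr_matches_key "$d/old.csr" "$d/old.pem" && echo "old key: match"
    csr_matches_key "$d/old.csr" "$d/new.pem" || echo "new key: MISMATCH"
)

demo
```

On an agent, the two inputs would be the CSR and private key files held in the Puppet SSL directory; a mismatch means the stored request predates the current key.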