Can’t create certificate for puppet agent

puppet

I'm trying to run both the puppetmaster and the agent on an Ubuntu MATE 15.10 VM.

My /etc/hosts contains the following relevant entries:

127.0.0.1   localhost
127.0.1.1   ubuntu
127.0.1.1   ubuntu.localdomain

My /etc/puppet/puppet.conf contains the following entries:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
dns_alt_names=puppet,ubuntu.localdomain
server=ubuntu.localdomain

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

I'm issuing the following commands:

ps -ef | grep puppet
    # kill both master and agent if running
sudo rm -rf /var/lib/puppet/ssl
sudo service puppetmaster start
sudo service puppet restart
sudo puppet agent -t

The last command returns:

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for ubuntu.localdomain
Info: Applying configuration version '1453930694'
Notice: Finished catalog run in 0.01 seconds

Now if I run sudo puppet cert list it doesn't show anything. Also, issuing sudo puppet cert sign ubuntu.localdomain after it throws the following error:

Error: Could not find certificate request for ubuntu.localdomain

What am I doing wrong? BTW, I'm using puppet 3.7.2 and hostname -f returns ubuntu. But using this hostname in puppet.conf throws some error, so I'm appending .localdomain to it.

Best Answer

After much hassle, I've found a series of steps that works. I've tried it out a couple of times, and it works every time, so I'm posting the steps for creating one puppet master and one agent on two separate virtual machines for reference.

Assuming two VMs, one for puppetmaster, one for puppetclient.

Server

sudo apt-get update
sudo sed -i 's/ubuntu/puppetmaster/g' /etc/hostname
sudo nano /etc/network/interfaces          # If no IP for puppetmaster is present, copy from 'ifconfig'
# ADD CLIENT AND SERVER IPS TO /ETC/HOSTS
sudo nano /etc/hosts                       # Add client, server entries. Add puppetclient.localdomain as client
sudo apt-get install -y puppetmaster
sudo service puppetmaster stop
sudo rm -r /var/lib/puppet/ssl
sudo puppet cert list -a                   # Regenerate the CA. Should see "Notice: Signed certificate request for ca"
sudo puppet master --no-daemonize --verbose   # Generate the Puppet master's new certs. When you see "Notice: Starting Puppet master <your Puppet version>", type CTRL + C.
sudo service puppetmaster start

Client

sudo apt-get update
sudo sed -i 's/ubuntu/puppetclient/g' /etc/hostname
sudo nano /etc/network/interfaces          # If no IP for puppetclient is present, copy from 'ifconfig'
sudo reboot
# ADD CLIENT AND SERVER IPS TO /ETC/HOSTS
sudo nano /etc/hosts                       # Add client, server entries. Add puppetmaster.localdomain as master
sudo apt-get install -y puppet
sudo nano /etc/puppet/puppet.conf          # See below for a sample entry in the conf file
#sudo sed -i 's/no/yes/g' /etc/default/puppet   # Don't need
sudo service puppet stop
sudo rm -r /var/lib/puppet/ssl
sudo service puppet restart
sudo puppet agent --server puppetmaster.localdomain --waitforcert 20 --test   # Request a cert from the server

Server

sudo puppet cert --list                    # Should show the client's cert
sudo puppet cert sign puppetclient.localdomain
sudo nano /etc/puppet/manifests/site.pp

# add the following to site.pp
file { '/tmp/Demo':
    content => "Hooray!"
}

Client

sudo puppet agent --test

Server

# Change the content in site.pp and do a 'cat /tmp/Demo' on the client. The modified entries on the server side should be reflected on the client.

FOR A CLEAN START: Remove all traces of the client on the server

sudo puppet node clean puppetclient.localdomain

Example /etc/hosts for client

127.0.0.1           localhost
127.0.1.1           puppetclient
192.168.112.129     puppetclient
192.168.112.130     puppetmaster.localdomain

Example /etc/hosts for server

127.0.0.1           localhost
127.0.1.1           puppetmaster
192.168.112.130     puppetmaster
192.168.112.129     puppetclient.localdomain

Example /etc/puppet/puppet.conf for client

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
server = puppetmaster.localdomain
runinterval = 5s
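The two layouts on this page differ in one detail that decides whether a CSR ever shows up in `puppet cert list`: in the question, the agent's `server` name (ubuntu.localdomain) is also the certname the catalog was cached for, so the agent is talking to a master on the same host under the same identity and simply reuses the master's own signed certificate; in the answer, the client and master have distinct names and the client has to request a cert. The script below is an added example, not code from the question, the answer or the Puppet project. It parses a puppet.conf and an /etc/hosts file offline and reports that shared-certname condition, an unresolved `server` name, and whether a given `server` name is covered by the master's certname or `dns_alt_names` (an agent rejects the master's certificate otherwise). The inputs are constructed from the configs shown above; the `local_fqdn` argument stands in for `hostname -f`, which Puppet's `certname` defaults to, and no puppet binary or network access is needed.

```python
"""Offline sanity checks for a Puppet 3 agent/master certificate setup."""
import configparser

# Constructed inputs modelled on the page: the single-host layout from the
# question (agent and master share the certname) and the two-VM client layout
# from the answer. Nothing is queried; all data is embedded here.
QUESTION_CONF = """\
[main]
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
factpath=$vardir/lib/facter
dns_alt_names=puppet,ubuntu.localdomain
server=ubuntu.localdomain
"""
QUESTION_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   ubuntu
127.0.1.1   ubuntu.localdomain
"""
ANSWER_CLIENT_CONF = """\
[main]
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl

[agent]
server = puppetmaster.localdomain
runinterval = 5s
"""
ANSWER_CLIENT_HOSTS = """\
127.0.0.1           localhost
127.0.1.1           puppetclient
192.168.112.129     puppetclient
192.168.112.130     puppetmaster.localdomain
"""


def parse_conf(text):
    """Return {section: {key: value}} for a puppet.conf-style INI file.

    interpolation=None keeps values such as '$vardir/lib/facter' literal.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts, ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name, ip)   # first mapping wins, like the resolver
    return table


def setting(conf, key, default=None, sections=("agent", "main")):
    """Look a key up the way the daemon does: the specific section overrides [main]."""
    for sec in sections:
        if key in conf.get(sec, {}):
            return conf[sec][key]
    return default


def check_agent(conf_text, hosts_text, local_fqdn):
    """Return a list of (code, message) findings for an agent's configuration."""
    conf = parse_conf(conf_text)
    hosts = parse_hosts(hosts_text)
    certname = setting(conf, "certname", local_fqdn.lower())   # Puppet default
    server = setting(conf, "server", "puppet")                 # Puppet default
    findings = []
    if server not in hosts:
        findings.append(("unresolved_server",
                         f"server '{server}' has no /etc/hosts entry; "
                         "resolution will rely on DNS"))
    if server == certname:
        findings.append(("shared_certname",
                         f"agent certname '{certname}' equals the server name; "
                         "the agent reuses the master's own certificate, so no "
                         "CSR is created and `puppet cert list` stays empty"))
    return findings


def check_master_covers(master_conf_text, master_certname, server_name):
    """True if agents using server_name will accept the master's certificate.

    The name must equal the master's certname or appear in dns_alt_names.
    """
    conf = parse_conf(master_conf_text)
    alt = setting(conf, "dns_alt_names", "", sections=("master", "main"))
    alt_names = {n.strip().lower() for n in alt.split(",") if n.strip()}
    name = server_name.lower()
    return name == master_certname.lower() or name in alt_names


if __name__ == "__main__":
    for code, msg in check_agent(QUESTION_CONF, QUESTION_HOSTS, "ubuntu.localdomain"):
        print(f"question layout: {code}: {msg}")
    print("answer layout:", check_agent(ANSWER_CLIENT_CONF, ANSWER_CLIENT_HOSTS, "puppetclient"))
    print("'puppet' covered by master cert:",
          check_master_covers(QUESTION_CONF, "ubuntu.localdomain", "puppet"))
```

Run against the question's files the script reports `shared_certname`, which matches the observed behaviour (a successful agent run and an empty `puppet cert list`); against the answer's client layout it reports nothing, which is the state in which the `--waitforcert` request and the `puppet cert sign` step on the master make sense. The `check_master_covers` call is the check to run before changing `server` to a new alias: a name that is neither the master's certname nor in `dns_alt_names` fails TLS hostname verification on the agent.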