Could not call sign: Could not find certificate request for puppet

amazon-ec2, amazon-web-services, puppet

I'm getting started with puppet on ec2 using the following guide.

https://help.ubuntu.com/12.04/serverguide/puppet.html

In the very last step when I try to sign the puppet client from the puppet master I get the following error

root@ip-10-248-27-66:/home/ubuntu# puppetca --sign ec2-54-245-56-210.us-west-2.compute.amazonaws.com
err: Could not call sign: Could not find certificate request for ec2-54-245-56-210.us-west-2.compute.amazonaws.com

Here is the output of /etc/hosts on the puppetmaster

127.0.0.1 localhost puppetmaster
10.248.34.162 ec2-54-245-56-210.us-west-2.compute.amazonaws.com puppet

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Here is the output of /etc/hosts on the puppet client

127.0.0.1 localhost
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

I followed the troubleshooting advice here https://serverfault.com/a/388973/85577

Is the master running?

root@ip-10-248-27-66:/home/ubuntu# service puppetmaster status
 * master is running

Does the hostname 'puppet' or 'puppet.abc.com' resolve from the agent?

How would I check this? Do I simply telnet to puppetmaster on port 8140 (the host command does not resolve it but the telnet command does)?

root@ip-10-248-34-162:/home/ubuntu# host puppetmaster
Host puppetmaster not found: 3(NXDOMAIN)

Is TCP port 8140 on the master reachable from the agent (try: telnet puppet 8140)?

root@ip-10-248-34-162:/home/ubuntu# telnet puppetmaster 8140
Trying 10.248.27.66...
Connected to ec2-50-112-220-110.us-west-2.compute.amazonaws.com.
Escape character is '^]'.

What does syslog on the agent say?

Apr 11 17:57:41 ip-10-248-34-162 puppet-agent[3897]: Could not request certificate: getaddrinfo: Name or service not known

Try puppet agent --test on the agent, which will attempt to connect to the master and stay in foreground to show the output.

root@ip-10-248-34-162:/home/ubuntu# puppet agent --test
err: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed to retrieve certificate and waitforcert is disabled

EDIT

Thanks dawud, so the entries in /etc/hosts are correct per this command

$ getent hosts puppetmaster
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

however when I try this I get an error

$ puppet agent --test --waitforcert 5
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)

Best Answer

Check that both the puppetmaster and the client machine can resolve the FQDN of the puppetmaster. For this to work, you need to add the puppetmaster IP to your /etc/hosts in both machines, then check it using:

$ ping puppetmaster

or

$ getent hosts puppetmaster

Check that you can reach the puppetmaster from the client machine

$ telnet puppetmaster 8140

If you get connection refused by the server, check that the port is open on the puppetmaster

# iptables -L -n -v

Or add a rule to allow incoming traffic to that port (this is dependent on how iptables is already configured)

# iptables -A INPUT -p tcp --dport 8140 -m state --state NEW -j ACCEPT

And run from the client

# puppet agent --test --waitforcert 5

Afterwards, from the puppetmaster

# puppet cert list

will show you the cert ready to be signed; you can check that it belongs to the client machine by comparing the fingerprint. Sign it:

# puppet cert sign $client

Puppetmaster will compile a catalog for the client and you can follow how it is applied in the client console.

To regenerate the certificates on the puppetmaster, stop the puppetmaster and

# find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete

When you start the puppetmaster again, it will regenerate the certificate for you.

On the client side, it is enough to remove the contents of the ssldir, usually /var/lib/puppet/ssl, but check as above; the next time you invoke

# puppet agent --test --waitforcert 5

it will be recreated.

Eventually, check the CN of the certificate of the puppetmaster with

# puppet cert list --all

and match any of the names/ALT names to the entry in your /etc/hosts.
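An added example, not code from the question or the answer, that scripts the checks above: it resolves the master's name through NSS the way getaddrinfo and getent do (which is why `host` saying NXDOMAIN while telnet connects is not a contradiction), tells a refused TCP 8140 connection apart from a timeout, and parses the two /etc/hosts files from the question (copied inline) so both mappings can be compared offline. Function names and the local-listener demo are my own assumptions.

```python
"""Pre-flight checks for a Puppet agent that cannot request its certificate."""
import socket
from typing import Optional

PUPPET_PORT = 8140  # default port the puppetmaster listens on


def parse_hosts(text: str) -> dict:
    """Map each hostname/alias in an /etc/hosts body to its IP (comments ignored)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name, ip)  # first entry wins, like the resolver
    return table


def resolve(name: str) -> Optional[str]:
    """Resolve through NSS (same path as getent hosts and the agent itself).
    Returns None on failure, i.e. the agent's 'Name or service not known'."""
    try:
        return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


def port_open(host: str, port: int = PUPPET_PORT, timeout: float = 3.0) -> str:
    """'open'; 'refused' (nothing listening or an iptables REJECT);
    'timeout' (a DROP rule, security group, or routing problem)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout is a subclass of OSError
        return "timeout"


# Constructed copies of the two /etc/hosts files shown in the question.
MASTER_HOSTS = """127.0.0.1 localhost puppetmaster
10.248.34.162 ec2-54-245-56-210.us-west-2.compute.amazonaws.com puppet
"""
AGENT_HOSTS = """127.0.0.1 localhost
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster
"""


def demo_port_states() -> tuple:
    """Show both outcomes on loopback: a live listener, then the same port closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    live = port_open("127.0.0.1", port)
    listener.close()
    return live, port_open("127.0.0.1", port)  # ("open", "refused")
```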