Generating and signing certificates in puppet version 5

Tags: centos7, certificate-authority, puppet, puppetmaster

I am trying to install and configure Puppet 5.3.2 on two identical Linux machines running CentOS 7 (one being a master and the other being an agent). I have managed to install Puppet from the official repository on both and have added the following.

Master node in /etc/hosts

127.0.0.1                 <master hostname>
<master node ipaddress>   puppet <master node hostname>
<agent node ipaddress>    <agent node hostname>

Agent node in /etc/hosts

127.0.0.1                 <agent hostname>
<master node ipaddress>   puppet <master node hostname>
<agent node ipaddress>    <agent node hostname>

Master node in /etc/puppetlabs/puppet/puppet.conf

[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names = puppet, <master node hostname>
certname = puppet

Agent node in /etc/puppetlabs/puppet/puppet.conf

# server takes a single hostname (it must match the master's certname or one of its dns_alt_names)
server = puppet

The puppet server starts successfully. However, I still need to generate and sign the appropriate certificates for both master and agent. To do this, I first make sure puppetserver is stopped on the puppet master node, and then on the puppet master node I issue:

sudo /opt/puppetlabs/bin/puppet cert list -a

I see a SHA256 certificate.

Now, I do not know how to proceed further. Any inputs would be highly appreciated.

Best Answer

I was able to get this working. Basically, when the puppet server is first started, the certificate is generated, and this can be viewed with

sudo /opt/puppetlabs/bin/puppet cert list -a

Next, on the agent node, stop the puppet agent with the command below if the agent is running (this can be checked with systemctl status puppet):

systemctl stop puppet

Create a certificate on the puppet agent, which needs to be signed by the puppet master. The certificate can be generated by:

/opt/puppetlabs/bin/puppet agent -t

On the master node, the agent certificate can be viewed by

/opt/puppetlabs/bin/puppet cert list -a

The agent certificate should now be signed; for that:

/opt/puppetlabs/bin/puppet cert sign <puppet agent hostname>

Once the certificate is signed, it needs to be verified. However, before it is verified, the puppet agent should be up and running.

systemctl start puppet
systemctl enable puppet
/opt/puppetlabs/bin/puppet agent --fingerprint   # certificate verification
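The step the answer leaves implicit is that `puppet cert sign` should only be run after the fingerprint the master shows for the pending request (`puppet cert list -a`) has been compared, out of band, with the fingerprint the agent itself reports (`puppet agent --fingerprint`); otherwise anyone who can reach port 8140 and submit a request under the agent's certname could get it signed. The script below is an added example and is not code from the question, the answer or Puppet itself. It parses constructed sample output in the puppet 5 listing layout (hostnames and fingerprints are made up) and refuses to sign unless there is a pending, unsigned request whose fingerprint matches the agent's; the sign command defaults to the path used in the answer and can be replaced for a dry run.

```shell
#!/bin/sh
# Added example (not from the question or answer above): compare the fingerprint of
# a pending CSR on the master with the fingerprint the agent reported, and only then
# run `puppet cert sign`. All hostnames and fingerprints are constructed sample data.

# Constructed sample of `puppet cert list -a` on the master (puppet 5 layout):
# pending requests carry no leading marker, signed certs are marked with "+".
SAMPLE_CERT_LIST='  "agent.example.com" (SHA256) 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
+ "puppet" (SHA256) FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00 (alt names: "DNS:puppet", "DNS:master.example.com")'

# Constructed sample of `puppet agent --fingerprint` as run on the agent node.
SAMPLE_AGENT_OUTPUT='(SHA256) 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'

# Print the fingerprint of the *pending* (unsigned) request for certname $2 in
# listing $1. Returns 1 if there is no such request: already signed ("+"),
# revoked ("-") or never received. A signed cert must not be mistaken for a CSR.
pending_fingerprint() {
  printf '%s\n' "$1" | awk -v name="\"$2\"" '
    $1 == name && $2 == "(SHA256)" { print $3; found = 1; exit }
    END { exit (found ? 0 : 1) }'
}

# Extract the fingerprint from `puppet agent --fingerprint` output ($1).
agent_fingerprint() {
  printf '%s\n' "$1" | awk '$1 == "(SHA256)" { print $2; exit }'
}

# Return 0 only if the pending request for $2 in listing $1 has fingerprint $3.
# Hex case is normalised so a hand-copied lowercase fingerprint still compares.
# Returns 2 when no pending request exists, 1 on a mismatch.
csr_matches() {
  master_fp=$(pending_fingerprint "$1" "$2") || return 2
  [ "$(printf '%s' "$master_fp" | tr 'a-f' 'A-F')" = "$(printf '%s' "$3" | tr 'a-f' 'A-F')" ]
}

# Sign certname $2 only after the fingerprint check passes.
# $4 (optional) is the puppet binary; it defaults to the puppet 5 path used in the
# answer and can be set to `echo` for a dry run.
sign_if_verified() {
  puppet_bin=${4:-/opt/puppetlabs/bin/puppet}
  if csr_matches "$1" "$2" "$3"; then
    "$puppet_bin" cert sign "$2"
  else
    echo "refusing to sign $2: fingerprint mismatch or no pending request" >&2
    return 1
  fi
}

# Dry run over the constructed data: the agent's reported fingerprint matches the
# pending request, so the (echoed) sign command is emitted.
sign_if_verified "$SAMPLE_CERT_LIST" agent.example.com \
  "$(agent_fingerprint "$SAMPLE_AGENT_OUTPUT")" echo
```

On a real master the listing and agent output come from the two commands in the answer, run on their respective hosts; the agent fingerprint should be copied over a channel other than the Puppet connection itself (console, ssh session, ticket), which is the whole point of the check.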