Puppet – Not Signing Cert or Getting New Requests

Tags: linux, puppet

I am not sure how to word the question, so here is the problem:

I have a brand new install of puppet-server and puppet using v2.6.16 and running on 2 nodes (puppet and puppet-agent, respectively) following the steps at http://docs.puppetlabs.com/guides/installation.html for a Linux box (CentOS).

On the puppet[-server] box, I issue puppetca -la and get back:

+ puppet (DB:50:1B:37:47:78:DA:F2:69:28:B7:E2:22:1B:C5:28) (alt names: DNS:puppet, DNS:puppet.abc.com)

(note that puppet-agent is not listed) … also, no puppet instances are listed with puppet cert list

When signing the box with puppetca --sign puppet, I get:

err: Could not call sign: Could not find certificate request for puppet

Same with puppetca --sign puppet.abc.com

There is a puppet.pem in the private_keys and certs directory. The certificate_requests directory is empty. Auto-signing is off.

I'd be happy to supply any additional information and would appreciate any assistance.

The puppet.conf on both machines is as follows, sans comments:

[main]
  logdir = /var/log/puppet
  rundir = /var/run/puppet
  vardir = /var/lib/puppet
  factpath = $vardir/lib/facter
  ssldir = $vardir/ssl
  server = puppet.abc.com
  dns_alt_names = puppet, puppet.abc.com
  pluginsync = true

[agent]
  classfile = $vardir/classes.txt
  localconfig = $vardir/localconfig

[master]
  templatedir = var/lib/puppet/templates

EDIT DUE TO COMMENTS

  • Master is running
  • Agent can contact master via hostname
  • Agent CANNOT telnet to 8140 on master — master is listening on 0.0.0.0:8140 with iptables and selinux off
  • May 14 13:40:13 puppet-agent puppet-agent[25920]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    May 14 13:40:13 puppet-agent puppet-agent[25920]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://puppet.abc.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    May 14 13:40:14 puppet-agent puppet-agent[25920]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
  • puppet agent --test yields:
    dnsdomainname: Unknown host
    info: Retrieving plugin
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://puppet.abc.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    dnsdomainname: Unknown host
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    May 14 13:40:14 puppet-agent puppet-agent[25920]: Using cached catalog
  • netstat produces ruby/puppet in a LISTEN state and the agent in a TIME_WAIT

Best Answer

Any open signing requests should be listed in puppet cert list on the master. If they don't show up there, there's no use trying to sign them. Once signed, they disappear from the list and will only show up in puppet cert list --all.

It appears your master is not receiving signing requests from the agent, since your list is empty. There are a number of things that could be wrong. Let's start with these:

  • Is the master running?
  • Does the hostname 'puppet' or 'puppet.abc.com' resolve from the agent?
  • Is TCP port 8140 on the master reachable from the agent (try: telnet puppet 8140)?
  • What does syslog on the agent say?
  • Try puppet agent --test on the agent, which will attempt to connect to the master and stay in foreground to show the output.
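The checklist above, and the results the asker reported in the "EDIT DUE TO COMMENTS" list, as one runnable helper. This is an added example, not code from the answer, the asker or Puppet itself. It assumes the hostnames and paths from the posted puppet.conf (master puppet.abc.com, port 8140, ssldir /var/lib/puppet/ssl) and that getent, timeout, openssl and bash are present on the agent; the log lines embedded in it are constructed from the messages quoted in the question. One practitioner's reading of those messages, which the answer does not spell out: "SSL_connect ... read server certificate B: certificate verify failed" is the agent rejecting the master's certificate against the CA certificate in its own ssldir, and the agent going straight to "Retrieving plugin" rather than waiting for a signature means it already holds a certificate from some CA. An agent in that state never gets far enough to submit a CSR, which is consistent with the empty certificate_requests directory on the master. The usual remedy (stop the agent, move its ssldir aside, run puppet agent --test again and sign the fresh request with puppet cert list / puppet cert sign) is the thing to try once the DNS and port checks pass; the script's check_trust function shows the verification result directly with openssl so you do not have to guess.

```bash
#!/usr/bin/env bash
# Puppet agent/master enrolment triage (added example; not from the original post).
# Assumptions, none of which the page states: ssldir=/var/lib/puppet/ssl,
# master on TCP 8140, getent/timeout/openssl available on the agent host.
set -u

PUPPET_MASTER="${PUPPET_MASTER:-puppet.abc.com}"   # server= from the posted puppet.conf
PUPPET_PORT="${PUPPET_PORT:-8140}"
SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"

# Map one agent/master log line to the enrolment stage it points at.
# Prints one of: dns | port | trust | no_csr | ok | unknown
classify_agent_error() {
    case "$1" in
        *"certificate verify failed"*)              echo trust ;;   # agent's CA did not sign the master cert
        *"Could not find certificate request"*)     echo no_csr ;;  # master has nothing to sign
        *"Connection refused"*|*"No route to host"*|*"Connection timed out"*)
                                                    echo port ;;    # 8140 not reachable
        *"Unknown host"*|*"getaddrinfo"*|*"Name or service not known"*)
                                                    echo dns ;;     # master name or agent's own domain does not resolve
        *"Finished catalog run"*)                   echo ok ;;
        *)                                          echo unknown ;;
    esac
}

# Earlier stages mask later ones, so rank them: fix dns before port before trust.
rank_of() {
    case "$1" in dns) echo 4 ;; port) echo 3 ;; trust) echo 2 ;; no_csr) echo 1 ;; *) echo 0 ;; esac
}

# Read log lines on stdin and print the single earliest-stage failure found.
first_failure() {
    local worst=ok best=0 stage r line
    while IFS= read -r line; do
        stage=$(classify_agent_error "$line")
        r=$(rank_of "$stage")
        if [ "$r" -gt "$best" ]; then best=$r; worst=$stage; fi
    done
    echo "$worst"
}

# Constructed sample: the agent output quoted in the question, abbreviated.
sample_agent_log() {
    printf '%s\n' \
      'dnsdomainname: Unknown host' \
      'info: Retrieving plugin' \
      'err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed' \
      'err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed' \
      'warning: Not using cache on failed catalog'
}

# Live checks, in the order of the answer's checklist. Each returns 0 on success.
check_dns()  { getent hosts "$1" >/dev/null; }
check_port() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }
# Does the CA the agent holds accept the master's certificate? This is exactly the
# verification that "certificate verify failed" reports; "Verify return code: 0 (ok)" is good.
check_trust() {
    echo | openssl s_client -connect "$1:$2" -CAfile "$SSLDIR/certs/ca.pem" 2>/dev/null \
        | grep -E '^ *Verify return code'
}
# Print the agent's CA fingerprint; run the same command on the master and compare.
ca_fingerprint() { openssl x509 -in "$SSLDIR/certs/ca.pem" -noout -fingerprint -sha256; }

if [ "${1:-}" = "--run" ]; then
    check_dns  "$PUPPET_MASTER"               && echo "dns: ok"   || echo "dns: FAIL ($PUPPET_MASTER does not resolve)"
    check_port "$PUPPET_MASTER" "$PUPPET_PORT" && echo "port: ok"  || echo "port: FAIL ($PUPPET_MASTER:$PUPPET_PORT unreachable)"
    check_trust "$PUPPET_MASTER" "$PUPPET_PORT"
    ca_fingerprint
    echo "first failure in sample log: $(sample_agent_log | first_failure)"
fi
```

Run it on the agent as `bash puppet-triage.sh --run`, or feed a real log through the classifier with `grep puppet-agent /var/log/messages | first_failure` after sourcing the file. If check_trust prints anything other than return code 0, compare ca_fingerprint output on agent and master: differing fingerprints confirm the agent is carrying a CA from somewhere else, which is the case to clear by moving the agent's ssldir aside and letting it generate a new request.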