Hi: I'm trying to configure Puppet on Ubuntu, and strangely I am never able to generate a certificate because my server never shows any pending certificate requests.
Put differently, on the server I am running puppetmasterd and on the client I am able to connect to the server, but the client continues printing
notice: Did not receive certificate
warning: peer certificate won't be verified in this SSL session
and yet the server never sees the request
mrisher@lab2$ puppetca --list
[nothing shows up]
mrisher@lab2$ puppetca --sign clientname.domain.com
clientname.domain.com
err: Could not call sign: Could not find certificate request for clientname.domain.com
Edit: There was a suggestion that autosign was happening, but that does not seem to be it. There is no autosign.conf file, and when I run puppetmasterd --no-daemonize -d -v I receive the following output:
info: Could not find certificate for 'clientname.domain.com'
every time the client says
notice: Did not receive certificate
I checked the certs on the server and there don't seem to be any:
mrisher@lab2:~$ puppetca --list --all
mrisher@lab2:~$ sudo puppetca --list --all
+ lab2.domain.com // this is the server (master)
mrisher@lab2:~$ sudo puppetca --list
[blank line]
mrisher@lab2:~$
Note: This is mostly running the default install from Ubuntu, if that gives any leads.
Thanks for any help out there.
EDIT: It appears this was due to inconsistently running puppetd as different users. For reasons I don't really understand for a daemon, puppet stores some of its settings — including the certificates — in ~/.puppet rather than a central directory like /var/lib/puppet, and thus it matters if you're testing as yourself versus sudo.
Best Answer
Did your certificate request ever make it to the server? (Use the value of puppetmasterd --configprint ssldir where I've written $ssldir here.) Under $ssldir/ca there should be a directory structure like this:

And under requests, if your client's request actually made it up, you should see a file named clientname.domain.com.pem. If it's there and needs signing, you can point puppetca at it directly by specifying puppetca --ssldir=/path/to/ssldir --sign clientname.domain.com; if it's NOT there, the client's CSR upload might have silently failed. An easy (and secure) workaround is to use puppetca --generate clientname.domain.com on your puppetmaster to make a keypair and signed certificate for the clients. An easy and insecure workaround is to turn on autosigning for your domain by dropping '*.domain.com' into autosign.conf in the puppetmaster's $confdir.
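The check the answer describes, as an added shell example that is not part of the original answer: it looks under $ssldir/ca for a client's pending CSR or issued certificate and says which puppetca command applies. The function name is an assumption for illustration, and the "signed" directory is Puppet's standard sibling of "requests" rather than something the answer names.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether a client's CSR
# is pending, already signed, or absent under a Puppet CA's ssldir.
# Assumed layout: $ssldir/ca/requests (named in the answer) and
# $ssldir/ca/signed (Puppet's standard directory for issued certs).
# Real usage: csr_status "$(puppetmasterd --configprint ssldir)" clientname.domain.com

csr_status() {
    ssldir=$1
    client=$2
    if [ -f "$ssldir/ca/signed/$client.pem" ]; then
        echo "signed: $ssldir/ca/signed/$client.pem"
        return 0
    fi
    if [ -f "$ssldir/ca/requests/$client.pem" ]; then
        echo "pending: puppetca --ssldir=$ssldir --sign $client"
        return 0
    fi
    # No CSR at all: either the upload failed, or the CA you are looking at is
    # not the one the client talked to (e.g. ~/.puppet when run as a non-root user).
    echo "missing: no CSR for $client under $ssldir/ca"
    return 1
}

# Demo against a constructed tree so it runs without a Puppet install.
demo_ssldir=$(mktemp -d)
mkdir -p "$demo_ssldir/ca/requests" "$demo_ssldir/ca/signed"
touch "$demo_ssldir/ca/requests/clientname.domain.com.pem"
csr_status "$demo_ssldir" clientname.domain.com      # pending: puppetca --ssldir=... --sign ...
csr_status "$demo_ssldir" other.domain.com || true   # missing (exit status 1)
rm -rf "$demo_ssldir"
```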