Hi,
I'm getting the below error when running "puppet agent --test" after locking down a node, in order to test changes from my local puppetmaster (I SSH'd from my Puppetmaster, binding the 8140 port).
```
[root@node1 ~]# puppet agent --test
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled
```
Any insight on why this is happening?
Regards.
↧
err: Could not request certificate: Retrieved certificate does not match private key
↧
Error: Could not request certificate: Connection refused - connect(2) for "puppet" port 8140
I am new to puppet. I am configuring the connection between puppet master "puppet"
I have edited the hosts file on the agent and client, and I have also edited puppet.conf on the agent node to resolve the master.
I can ping in between both servers.
I checked on master for cert list but there were no requests.
But still I am getting this error.
How can I fix this?
My configuration is :
Puppet master is :
Name: puppet,
Agent: centos
Both are on VM

↧
master certificate deleted accidentally
Team,
We have 300+ nodes in our environment. I accidentally cleaned the puppet master certificate (puppet cert --clean puppetmaster), but there was a backup for the master server, so I could restore the following certs:
```
/var/lib/puppet/ssl/certs/puppetmaster.xxxx.com.pem
/var/lib/puppet/ssl/ca/signed/puppetmaster.xxxx.com.pem
/var/lib/puppet/ssl/private_keys/puppetmaster.xxxx.com.pem
```
After the restore, the certificate status shows:
```
- "puppermaster.xxxx.com" (SHA256) 5B:10:6A:27:96:7C:BD:19:E9:BD:20:26:0F:E9:77:01:E0:EB:8D:65:94:3C:D5:E4:82:8D:1C:07:87:E1:4A:43 (certificate revoked)
```
Now I can't add new nodes, and nodes are throwing the following error:
```
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppetmaster.xxxx.com]
```
How can I resolve the issue without generating a new cert for the master?
Do I need to sign again, or restart the master and try?
↧
Could not request certificate: getaddrinfo: Name of service not known
Hi guys, I've recently installed PE 2016 on an EC2 Instance. After the installation is complete I followed the steps on puppet docs:
- Click Add class. (Adding the Ubuntu 14.04 OS under the PE master group)
- Click Commit 1 change.
Note: The class you selected now appears in the list of classes for the PE Master group, but it has not yet been configured on your nodes. For that to happen, you need to kick off a Puppet run.
- From the command line on the Puppet master, run puppet agent -t.
The last line, run puppet agent -t doesn't work for me, I've been stuck on trying to figure out for a long time :/
I get the error;
```
Error: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed to retrieve certificate and waitforcert is disabled
```
↧
Puppet Enterprise - no certificate request
Hey all,
I'm trying to build a proof of concept using the installation and training material produced by Puppet.
I've got all of the roles (master, puppetdb and puppet console) running on one node. I can connect to the console web interface from other computers.
I've got the agent installed on a separate VM. The hosts files for both systems have entries for either host.
The installation ran on both machines without any trouble; however, after installing the agent on the agent VM, no certificate request has been sent to the console web interface.
I've also tried this from a separate Windows VM and had the same problem - I really can't get this to work.
Please note I do not have a DNS server, but I am using raw IPs in the hosts file.
↧
Can I use puppet as an Intermediate CA?
I have installed an Internal-Root signed certificate on my Puppet Master under `$ssldir/ca/ca_crt.pem` in hopes that my Puppet managed nodes will have a certificate chain that can be resolved by following the chain back to a root CA.
In other words I want a chain of trust that looks like this: ROOT-CA ---> Puppet Master (Intermediate CA) ---> Agent Node
**Here** is the tricky part: My Puppet Master gives correctly signed certs to the Agents, *but* when the Agents run `puppet agent -t`, they have issues fetching the node definition. I get warnings like this one:
```
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=mypuppetmaster]
```
I was able to get this setup working using the deprecated `puppet master` daemon, but not with `puppetserver`.
I am using puppetserver 2.5.0 with puppet 4.6.1 on my master. My agent is running puppet 4.4.2.
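The "unable to get issuer certificate" text quoted in this post is what OpenSSL reports when a verifier trusts an intermediate CA but cannot find the certificate that issued it. The following is an added example, not code from the original post or from Puppet: it reproduces that condition with an in-memory root, intermediate and agent chain, and also runs the key/certificate match check that corresponds to the "Retrieved certificate does not match private key" error in the first post on this page. All names and keys are constructed for the example.

```ruby
require 'openssl'

# Issue a certificate for /CN=<cn>; self-signed when no issuer is given.
# Every name and key here is constructed for this example.
def issue(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify `cert` against a trust store holding exactly the certificates in `trusted`.
def verify_with(trusted, cert)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  [store.verify(cert), store.error_string]
end

def demo
  root_key, ca_key, agent_key, regenerated_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue('constructed-root-ca', root_key, ca: true)
  inter = issue('constructed-puppet-ca', ca_key, issuer: root, issuer_key: root_key, ca: true, serial: 2)
  agent = issue('constructed-agent', agent_key, issuer: inter, issuer_key: ca_key)
  {
    # Verifier trusts only the intermediate: the chain cannot reach a self-signed root.
    intermediate_only: verify_with([inter], agent),
    # Verifier trusts root and intermediate: the chain terminates at the root.
    full_bundle: verify_with([root, inter], agent),
    # Certificate paired with the key it was issued for, then with a regenerated key.
    original_key: agent.check_private_key(agent_key),
    regenerated_key: agent.check_private_key(regenerated_key)
  }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```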
↧
Errors when adding CA cert to inventory.txt
We use Puppet extensively at Logicworks, and we've run into an issue in the automated build process for our Puppet masters, and I've isolated it to an issue with OpenSSL serials failing to be converted to integers.
We use the official Puppet modules to install our Puppetmasters using `puppet apply` via the AWS EC2 UserData script. We've deployed hundreds of PMs this way, but have recently started having an issue when bootstrapping the PM.
Because puppet apply is also responsible for setting the hostname, and because the $hostname fact doesn't get updated until the next Puppet run, we generate our master cert first before installing the necessary configuration files via the "puppet-puppet" module.
```
exec { "puppetmaster-cert":
  command => "/usr/bin/puppet cert --generate --dns_alt_names ${dns_alt_names} ${aws::bootstrap::instance_fqdn}",
  creates => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem"
}

class { '::puppet':
  server                  => true,
  puppetmaster            => $aws::bootstrap::puppetmaster_hostname,
  agent_template          => "aws/bootstrap/puppet.erb.conf",
  server_certname         => $aws::bootstrap::instance_fqdn,
  server_foreman_url      => "https://${aws::bootstrap::instance_fqdn}",
  server_foreman_ssl_cert => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem",
  server_foreman_ssl_key  => "/var/lib/puppet/ssl/private_keys/${aws::bootstrap::instance_fqdn}.pem",
  require                 => Exec['puppetmaster-cert']
}
```
However, for some reason Exec["puppetmaster-cert"] is failing with an exit code 23 (and no error at all). After much research, we found that the error is being raised here in **puppet/ssl/inventory.rb**, line 12:
```
# Add a certificate to our inventory.
def add(cert)
  cert = cert.content if cert.is_a?(Puppet::SSL::Certificate)
  Puppet.settings.setting(:cert_inventory).open("a") do |f|
    f.print format(cert) # <========================= Line 12
  end
end

# Format our certificate for output.
def format(cert)
  iso = '%Y-%m-%dT%H:%M:%S%Z'
  # Exception is raised here ---v
  "0x%04x %s %s %s\n" % [cert.serial, cert.not_before.strftime(iso), cert.not_after.strftime(iso), cert.subject]
end
```
When the CA cert gets added to inventory.txt, cert.serial is interpolated in the string as an integer, and we get this error/traceback:
```
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `to_i'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `%'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `format'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:13:in `block in add'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system.rb:40:in `open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:197:in `block in open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:231:in `block (2 levels) in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:57:in `withumask'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:221:in `block in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util/suidmanager.rb:72:in `asuser'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:219:in `controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:196:in `open'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:12:in `add'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:311:in `sign'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:148:in `generate_ca_certificate'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:270:in `setup'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:161:in `initialize'
/usr/lib/ruby/vendor_ruby/puppet/application/cert.rb:248:in `new'
/usr/lib/ruby/vendor_ruby/puppet/application/cert.rb:248:in `setup'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block (2 levels) in run'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:507:in `plugin_hook'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block in run'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute'
/usr/bin/puppet:8:in `'
```
If I go in with Pry, I can see the following details:
```
[4] pry(#)> cert.serial.to_i
OpenSSL::BNError:
from (pry):2:in `to_i'
```
I'm really at a loss as to what to do next. Nothing has changed in our process in weeks, and we verified all the relevant version info.
* Puppet Community Edition 3.8.7
* Foreman 1.8
* Ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* OpenSSL 1.0.1f 6 Jan 2014
* Ubuntu 14.04
Has anyone ever encountered anything like this?
↧
How do I configure Puppet Agent on a Windows server?
How do I configure a Windows server to be a Puppet Agent server?
I am running Puppet Enterprise 4.x on CentOS 7 and Puppet Agent 3.7.4 on Windows Server 2012. I am trying to set this up for the first time. I know that there are no ports being blocked from the Puppet Master server to the Puppet Agent server.
When I run the `puppet agent -t x.x.x.x` command (from a Windows PowerShell window opened as administrator), I get this error:
> Warning: Unable to fetch my node definition... x.x.x.x did not match server certificate...Failed to generate additional resources using 'eval_generate' ... did not match server certificate: expected one of ...

The puppet.conf file looked fine. On the Puppet Master server I ran "puppet cert list --all", which shows the Puppet agent server has been signed.
I can ping the Puppet Agent server from the Puppet Master. I can ping the Puppet Master server from the Puppet Agent. The GUI of Puppet shows a message "Run Puppet has been disabled because Node Manager cannot connect to ."
Why do I get the error above when I run the Puppet agent command?
↧
Windows Puppet agent refusing to register with the puppet master
I'm attempting to begin to test the waters and learn to use Puppet. My main goal is to learn how to use Puppet in conjunction with a Windows server. To this end I've made a pair of VMs: a CentOS 7 VM and a Svr 2012 R2 VM.
I've installed puppet onto the CentOS server, and as far as I can tell it seems to be working properly.
I've installed the puppet agent onto the Windows box, however I'm getting nowhere. The puppet master is reachable via DNS at tdsptcppup01.domain.lc, and is reachable from the Windows server if I try to telnet to port 8140. However, when I try to get started on getting the cert for the agent I am stuck here:
```
C:\Windows\system32>puppet agent --server tdsptcppup01.domain.lc --waitforcert 60 --test
Notice: Did not receive certificate
Notice: Did not receive certificate
Notice: Did not receive certificate
```
At this point I run "puppet cert --list" on the master, but am not getting anything in the results. It's as if the cert request simply isn't making it to the master at all.
I've tried checking that the agent is presenting the correct certname (puppet config print certname), I've tried restarting services / VMs on both sides, I've tried deleting the C:\ProgramData\PuppetLabs\puppet\etc\ssl directory and regenerating it, and cannot get past this spot.
What could I be missing?
↧
Regenerate puppet CA on puppet 2.7!
Hi,
I'm still running an old puppet master and need to regenerate the CA. It is running under Passenger, so the WEBrick server is not running.
I'm reading through these instructions - [https://docs.puppet.com/puppet/3.6/ssl_regenerate_certificates.html](https://docs.puppet.com/puppet/3.6/ssl_regenerate_certificates.html). I'm not sure they make sense for this setup: first of all, the puppet service is not running, as it is Passenger, and also because the version is older.
I think the instructions would be similar; it is just that I need to stop httpd and, to get the puppet master's new certificate, run puppet in noop. Would that be right?
Thanks
↧