
I'm getting started with puppet on ec2 using the following guide.

https://help.ubuntu.com/12.04/serverguide/puppet.html

In the very last step when I try to sign the puppet client from the puppet master I get the following error

root@ip-10-248-27-66:/home/ubuntu# puppetca --sign ec2-54-245-56-210.us-west-2.compute.amazonaws.com
err: Could not call sign: Could not find certificate request for ec2-54-245-56-210.us-west-2.compute.amazonaws.com

Here is the output of /etc/hosts on the puppetmaster

127.0.0.1 localhost puppetmaster
10.248.34.162 ec2-54-245-56-210.us-west-2.compute.amazonaws.com puppet

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Here is the output of /etc/hosts on the puppet client

127.0.0.1 localhost
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

I followed the troubleshooting advice here https://serverfault.com/a/388973/85577

Is the master running?

root@ip-10-248-27-66:/home/ubuntu# service puppetmaster status
 * master is running

Does the hostname 'puppet' or 'puppet.abc.com' resolve from the agent?

How would I check this? Do I simply telnet to puppetmaster on port 8140 (the host command does not resolve it but the telnet command does)?

root@ip-10-248-34-162:/home/ubuntu# host puppetmaster
Host puppetmaster not found: 3(NXDOMAIN)

Is TCP port 8140 on the master reachable from the agent (try: telnet puppet 8140)?

root@ip-10-248-34-162:/home/ubuntu# telnet puppetmaster 8140
Trying 10.248.27.66...
Connected to ec2-50-112-220-110.us-west-2.compute.amazonaws.com.
Escape character is '^]'.

What does syslog on the agent say?

Apr 11 17:57:41 ip-10-248-34-162 puppet-agent[3897]: Could not request certificate: getaddrinfo: Name or service not known

Try puppet agent --test on the agent, which will attempt to connect to the master and stay in foreground to show the output.

root@ip-10-248-34-162:/home/ubuntu# puppet agent --test
err: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed to retrieve certificate and waitforcert is disabled

EDIT

Thanks dawud so the entries in /etc/hosts are correct per this command

$ getent hosts puppetmaster
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

however when I try this I get an error

$ puppet agent --test --waitforcert 5
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)
user784637

3 Answers


Check that both the puppetmaster and the client machine can resolve the FQDN of the puppetmaster. For this to work, you need to add the puppetmaster IP to your /etc/hosts in both machines, then check it using:

$ ping puppetmaster

or

$ getent hosts puppetmaster

Check that you can reach the puppetmaster from the client machine

$ telnet puppetmaster 8140

If you get connection refused by the server, check that the port is opened in the puppetmaster

# iptables -L -n -v

Or add a rule to allow incoming traffic to that port (this is dependent on how is iptables already configured)

# iptables -A INPUT -p tcp --dport 8140 -m state --state NEW -j ACCEPT

And run from the client

# puppet agent --test --waitforcert 5

Afterwards, from the puppetmaster

# puppet cert list

will show you the cert ready to be signed; you can check that it belongs to the client machine by comparing the fingerprint. Sign it:

# puppet cert sign $client

Puppetmaster will compile a catalog for the client and you can follow how it is applied in the client console.

To regenerate the certificates on the puppetmaster, stop the puppetmaster and

# find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete

When you start the puppetmaster again, it will regenerate the certificate for you.

On the client side, it is enough to remove the contents of the ssldir (usually /var/lib/puppet/ssl, but check as above); the next time you invoke

# puppet agent --test --waitforcert 5

it will be recreated.

Eventually, check the CN of the certificate of the puppetmaster with

# puppet cert list --all

and match any of the names/ALT names to the entry in your /etc/hosts.

dawud
  • Thanks dawud, I added the puppetmaster into `/etc/hosts` on both machines like so `10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster` but `dig puppetmaster` does not resolve. Only `dig ec2-50-112-220-110.us-west-2.compute.amazonaws.com` resolves. Also I'm getting a syntax error on `# puppet agent --test --waitforcert`. Any advice on how to proceed? – user784637 Apr 11 '13 at 19:20
  • I have corrected the syntax of the command, also, try `ping` or `getent` to resolve the puppetmaster address – dawud Apr 11 '13 at 19:26
  • Thanks dawud, I'm still getting an error, can you see my edit (I added the error messages to the bottom of my original question)? Could it be a private key signing issue? – user784637 Apr 11 '13 at 19:43
  • New edit, please check – dawud Apr 11 '13 at 19:55
  • I can telnet on port 8140 into the puppet master from the client and resolve using getent (see original post). However I am still getting the same exact error `err: Could not request certificate: Connection refused - connect(2)` when running `$ puppet agent --test --waitforcert 5`. Any ideas what else I could try? – user784637 Apr 11 '13 at 20:13
  • I have added some simple steps to recreate the certs in both sides – dawud Apr 11 '13 at 20:27
  • Thanks again. So here's where I am stuck. I stopped the puppet master, regenerated the certs and started it again but when I run `puppet cert list` nothing comes up. I'm confused about the whole certificate issue. I spun up 2 fresh ec2 instances. Am I supposed to upload the `.pem` files to each of them? Where do I put them and how do I initialize them? – user784637 Apr 11 '13 at 21:15
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/8303/discussion-between-dawud-and-user784637) – dawud Apr 11 '13 at 21:26
  • hey there. I just wanted to follow up and mention that I think the problem was in fact with the configuration of the `/etc/hosts` file (not quite sure what I did wrong, I tripled checked everything). by default `puppet agent` uses `puppet` as the default argument to `--server` but I didn't experience any problems when I explicitly set the `--server` argument to the FQDN of my puppetmaster. – user784637 Apr 13 '13 at 23:47
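
The two checks this thread keeps coming back to (why `host puppetmaster` fails while `getent hosts puppetmaster` and telnet succeed, and comparing the fingerprint before `puppet cert sign`) can be exercised offline. The following is an added example, not code from the question or from dawud's answer; the hosts file and the `puppet cert list` output it works on are constructed copies of what the thread shows (the fingerprints and the `rogue.example.com` entry are made up), and the Puppet 2.7 and Puppet 3 listing formats it accepts are the ones those releases print. The identity check matters because anything that can reach TCP/8140 on the master can submit a request under any certname, so the name in `puppet cert list` alone does not prove which machine asked.

```shell
#!/bin/sh
# Added example for this thread (not code from the question or from dawud's
# answer). Two checks on constructed data:
#   1. name resolution the way the agent does it. `host` asks DNS only, so it
#      reports NXDOMAIN; `getent hosts`, telnet and the agent go through NSS,
#      which reads /etc/hosts first. resolve_from_hosts does the "files" part
#      of that lookup. The agent's default --server is "puppet", so a hosts
#      file that only defines "puppetmaster" yields
#      "getaddrinfo: Name or service not known".
#   2. identity of a pending CSR. Before `puppet cert sign`, compare the
#      fingerprint the master lists with what `puppet agent --fingerprint`
#      prints on the client. csr_fingerprint / verify_csr do that comparison.

# Constructed copy of the puppet client's /etc/hosts from the question.
HOSTS_SAMPLE='127.0.0.1 localhost
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster
::1 ip6-localhost ip6-loopback'

# Constructed `puppet cert list` output on the master (Puppet 3 format; the
# fingerprints are made up). rogue.example.com stands in for an unexpected
# request that must not be signed.
CERT_LIST_SAMPLE='  "ec2-54-245-56-210.us-west-2.compute.amazonaws.com" (SHA256) 7B:0F:3C:51:8E:2A:99:D4:16:C0:AB:5D:E7:38:4F:92:61:0C:B3:A8:DE:27:F5:13:6A:C9:84:E0:2B:7D:45:9F
  "rogue.example.com" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# resolve_from_hosts NAME [HOSTS_TEXT]
# Print the address of the first line that lists NAME as hostname or alias;
# exit 1 when no line does (the condition behind the getaddrinfo error).
resolve_from_hosts() {
    printf '%s\n' "${2:-$HOSTS_SAMPLE}" | awk -v want="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }          # comments and blank lines
        { for (i = 2; i <= NF; i++)
              if ($i == want) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# csr_fingerprint CERTNAME [LIST_OUTPUT]
# Print the fingerprint of the pending request for CERTNAME. Accepts the
# Puppet 3 form  "name" (SHA256) FP  and the Puppet 2.7 form  name (FP).
# Lines starting with + or - (from `puppet cert list --all`) are already
# signed or revoked certificates, not requests, and are skipped.
csr_fingerprint() {
    printf '%s\n' "${2:-$CERT_LIST_SAMPLE}" | awk -v want="$1" '
        $1 == "+" || $1 == "-" || NF < 2 { next }
        {
            name = $1; gsub(/"/, "", name)
            if (name != want) next
            fp = $NF; gsub(/[()]/, "", fp)
            print fp; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# verify_csr CERTNAME AGENT_FP [LIST_OUTPUT]
# AGENT_FP is what `puppet agent --fingerprint` printed on the client.
# Exit 0 only when the master's pending request carries the same fingerprint.
verify_csr() {
    master_fp=$(csr_fingerprint "$1" "${3:-$CERT_LIST_SAMPLE}") || {
        echo "no pending request for $1 (has the agent reached the master?)" >&2
        return 1
    }
    if [ "$(printf '%s' "$master_fp" | tr 'a-f' 'A-F')" = \
         "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]; then
        echo "fingerprint matches; safe to run: puppet cert sign $1"
        return 0
    fi
    echo "MISMATCH for $1: master lists $master_fp, agent reports $2; do not sign" >&2
    return 1
}

# Demonstration on the constructed data.
resolve_from_hosts puppetmaster || echo "puppetmaster: not in hosts file"
resolve_from_hosts puppet       || echo "puppet: not in hosts file (the agent default)"
verify_csr ec2-54-245-56-210.us-west-2.compute.amazonaws.com \
    7B:0F:3C:51:8E:2A:99:D4:16:C0:AB:5D:E7:38:4F:92:61:0C:B3:A8:DE:27:F5:13:6A:C9:84:E0:2B:7D:45:9F || :
```

On a real pair of hosts, run `puppet agent --fingerprint` on the client, `puppet cert list` on the master, and pass the two to `verify_csr`; only sign when it reports a match. A listing with no entry for the client means the agent never completed its request, which points back at resolution or at port 8140 rather than at the CA.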

One of the things noted in the discussion here and not mentioned in the previous answer is that sometimes ports can behave strangely. In my case, in spite of having port 8140 opened in iptables, I was getting errors about not being able to connect. What helped me was the following commands:

iptables -F
service iptables save

Of course, use sudo if the above commands fail with your user. I even added the above two commands to the provisioning script of the box so that if I halt/recreate the boxes, iptables is flushed.

  • The above answer seems to be correct if you have a network issue and not an issue related to puppet installation and configuration. – Its not blank Mar 28 '16 at 09:44

I faced the same issues and resolved them with some different tweaks.

Same error:

[root@puppetclient puppet]# puppet agent --server yogesh.puppet.com --no-daemonize --verbose
Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140

I tried everything: iptables, ports, firewalls, agent reinstallation (not the master). Then I started to look more closely and found something in the log files:

I, [2016-04-27T23:21:55.118997 #1745]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://mcollective@yogesh.puppet.com:61613
E, [2016-04-27T23:21:55.131678 #1745] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@yogesh.puppet.com:61613 failed: SSL_CTX_use_PrivateKey: key values mismatch
I, [2016-04-27T23:21:55.132438 #1745]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://mcollective@yogesh.puppet.com:61613 failed on attempt 36
I, [2016-04-27T23:22:25.141892 #1745]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://mcollective@yogesh.puppet.com:61613
E, [2016-04-27T23:22:25.144644 #1745] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@yogesh.puppet.com:61613 failed: SSL_CTX_use_PrivateKey: key values mismatch
I, [2016-04-27T23:22:25.144836 #1745]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://mcollective@yogesh.puppet.com:61613 failed on attempt 37

This pointed me at the certificates present on the master server. I re-created the master key and it worked for me.

Caution: this was only a testing environment for me; don't play with it directly on production environments.

[root@YogeshRaheja init.d]# puppet cert clean "yogesh.puppet.com"
Notice: Revoked certificate with serial 11
Notice: Removing file Puppet::SSL::Certificate yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/ca/signed/yogesh.puppet.com.pem'
Notice: Removing file Puppet::SSL::Certificate yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certs/yogesh.puppet.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/yogesh.puppet.com.pem'
Notice: Removing file Puppet::SSL::Key yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/private_keys/yogesh.puppet.com.pem'


[root@YogeshRaheja init.d]# puppet cert generate yogesh.puppet.com
Notice: yogesh.puppet.com has a waiting certificate request
Notice: Signed certificate request for yogesh.puppet.com
Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/ca/requests/yogesh.puppet.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/yogesh.puppet.com.pem'


[root@YogeshRaheja init.d]# ./pe-puppetserver start
Starting pe-puppetserver:                                  [  OK  ]
[root@YogeshRaheja init.d]#
[root@YogeshRaheja init.d]#
[root@YogeshRaheja init.d]# netstat -an | grep -i listen
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:5432                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::4433                     :::*                        LISTEN
tcp        0      0 :::8081                     :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::1:631                     :::*                        LISTEN
tcp        0      0 :::5432                     :::*                        LISTEN
tcp        0      0 ::1:25                      :::*                        LISTEN
tcp        0      0 :::42632                    :::*                        LISTEN
tcp        0      0 :::8140                     :::*                        LISTEN
tcp        0      0 :::61613                    :::*                        LISTEN

and it resolved the client connection issue.

BE77Y
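
The `SSL_CTX_use_PrivateKey: key values mismatch` line in the answer above is OpenSSL saying that the private key and the certificate being loaded are not a pair, and dawud's last step (matching the master certificate's CN and alt names against the name in `/etc/hosts`) is the other certificate-side failure that presents as a connection problem. Both can be checked with plain openssl before touching `puppet cert clean`. The following is an added example, not code from either answer; the file layout in the usage comment is the Puppet 3 one the thread prints (`private_keys/<certname>.pem`, `certs/<certname>.pem` under the ssldir), and `make_demo_certs`, the CN `puppetmaster` and the demo file names are assumptions so the functions can run without a Puppet installation.

```shell
#!/bin/sh
# Added example for the answer above and for dawud's "check the CN / ALT
# names" step; it is not code from either post.
#   * key_matches_cert: "SSL_CTX_use_PrivateKey: key values mismatch" means
#     the private key and the certificate are not a pair. Comparing the
#     public key embedded in the certificate with the public half of the
#     key works for RSA and EC keys alike.
#   * server_name_in_cert: the agent verifies that the name it used for
#     --server (default "puppet") is the CN or a DNS subjectAltName of the
#     master's certificate. Same comparison, offline.
# make_demo_certs builds throwaway material; the CN "puppetmaster" and the
# file names are assumptions for the demo.

# key_matches_cert KEYFILE CERTFILE : exit 0 if they are a pair, 1 if not,
# 2 if either file cannot be read.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# cert_names CERTFILE : print the subject CN and every DNS SAN, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# server_name_in_cert NAME CERTFILE : exit 0 if NAME is the CN or a DNS SAN.
server_name_in_cert() {
    cert_names "$2" | grep -qx -- "$1"
}

# make_demo_certs DIR : a self-signed cert with its key (CN=puppetmaster)
# plus an unrelated key, standing in for a master whose key was regenerated
# while the old certificate stayed behind.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=puppetmaster \
        -keyout "$1/good.key" -out "$1/good.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Usage against a real Puppet 3 master, with the settings the thread prints:
#   ssl=$(puppet master --configprint ssldir)
#   cn=$(puppet master --configprint certname)
#   key_matches_cert "$ssl/private_keys/$cn.pem" "$ssl/certs/$cn.pem"
#   server_name_in_cert puppetmaster "$ssl/certs/$cn.pem"   # name agents use
# A failure in the first is what `puppet cert clean` plus regeneration
# repairs; a failure in the second is one reason --server <FQDN> can work
# when "puppet" or "puppetmaster" does not.
```

Run the key/cert check on the master's own pair first; if it passes, the mismatch the answer logged was in the MCollective/ActiveMQ material rather than the Puppet CA files, and `puppet cert clean` on the master certname would not have been the fix.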