5

I've been struggling for 2 days with the signing of Puppet agents now. The problem is as follows:

On the master I delete all existing signatures with

puppet cert clean esx-poc-1.xxx.de

On the agent I delete the whole ssl directory with

rm -rf /var/lib/puppet/ssl/

After running one of the following commands on the agent...

puppet certificate generate esx-poc-1.xxx.de --ca-location remote
puppet agent --server puppetmaster.int.xxx.com --waitforcert 60 --test

...I can list the certificates on the master with:

puppet cert list --all

The output is:

"esx-poc-1.xxx.de" (SHA256) 71:72:D8:3E:09:9E:B1:5C:DA:78:A8:B8:A1:2B:E4:09:B8:00:8A:AF:49:02:CC:B2:B5:C3:25:79:59:0D:A8:F5
+ "puppetmaster.int.xxx.com" (SHA256) 7B:00:8C:4F:CE:B2:0D:2F:A1:BB:A7:C4:25:B0:11:01:2B:EC:90:46:D1:CB:BE:AA:AD:3F:B4:70:0C:83:3F:78 (alt names: "DNS:puppet", "DNS:puppet.xxx.de", "DNS:puppetmaster.int.xxx.com")

After signing the agent with:

puppet cert sign esx-poc-1.xxx.de

The fingerprint differs from the one above:

  • "esx-poc-1.xxx.de" (SHA256) 49:F6:59:FD:3C:28:C6:54:7F:6E:A7:56:56:DB:64:9A:E2:08:10:90:11:83:7A:A6:0E:E1:CD:39:F0:E0:1C:25

Is that correct?

Performing an agent run afterwards results in the following error:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Could not retrieve facts for esx-poc-1.xxx.de: Failed to submit 'replace facts' command for esx-poc-1.xxx.de to PuppetDB at puppetmaster.int.xxx.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppetmaster.int.xxx.com]
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/last_run.rb
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppi_projects.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/iptables.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for esx-poc-1.xxx.de to PuppetDB at puppetmaster.int.xxx.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppetmaster.int.xxx.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Thx for any help!

heinkunibert
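
A certificate request and the certificate issued from it are different objects, so a SHA256 fingerprint taken before signing differs from one taken after signing, while the public key inside stays the same. The following is an added example, not part of the original post: it uses plain `openssl` with a constructed throwaway CA and hypothetical names (`agent.example.test`, `Constructed Puppet CA`) to show both fingerprints and to check which CA certificate a signed certificate validates against.

```shell
#!/bin/sh
# Added illustration. Everything here is constructed: a throwaway CA and
# agent key in a temp directory, with hypothetical names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA256 over the DER encoding of a PEM object. $1 = req | x509, $2 = file
fp() {
  openssl "$1" -in "$2" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA256 over the public key carried inside the object (same arguments)
keyfp() {
  openssl "$1" -in "$2" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Self-signed CA certificate. $1 = file prefix, $2 = subject CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Succeeds when certificate $2 validates against trust anchor $1
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca ca  "Constructed Puppet CA"
make_ca ca2 "Constructed Puppet CA"   # same name, different key pair

# Agent side: new key pair and certificate request
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=agent.example.test" \
  -keyout "$WORK/agent.key" -out "$WORK/agent.csr" 2>/dev/null

# CA side: sign the request, producing the certificate
openssl x509 -req -in "$WORK/agent.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/agent.pem" 2>/dev/null

CSR_FP=$(fp req "$WORK/agent.csr")
CERT_FP=$(fp x509 "$WORK/agent.pem")
echo "request fingerprint:     $CSR_FP"
echo "certificate fingerprint: $CERT_FP"
echo "public key in request:     $(keyfp req "$WORK/agent.csr")"
echo "public key in certificate: $(keyfp x509 "$WORK/agent.pem")"

for anchor in ca ca2; do
  if chains_to "$WORK/$anchor.pem" "$WORK/agent.pem"; then r=valid; else r=REJECTED; fi
  echo "against $anchor.pem: $r"
done
```

The second CA has the same subject name but a different key, so a certificate signed by the first CA is rejected when checked against it; the exact error text depends on the OpenSSL version.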

5 Answers

3

Ran into this exact same issue myself. The problem ended up being that the puppetdb-terminus package was at version 1.1.0 while puppetdb itself was still at 1.0.5.

After downgrading puppetdb-terminus down to 1.0.5 everything operated normally.

phemmer
1

In puppet 3.4 I noticed that if the hostnames are not set this error could be thrown.

For example, I had two Debian boxes; one was named debian1 and the other debian2 in the hosts file. But both of their /etc/hostname settings were debian; after I changed their names with hostname and set their names in /etc/hostname, they worked just fine.

0

This might be a dumb question, but, do you have a node definition for this machine? I.e.,

node 'esx-poc-1.xxx.de' {
    .....
}
chrskly
0

I had this error after changing the permissions of files in /etc/puppet. Changing them back to 'pe-puppet' (for an enterprise version) solved it for me.

caiman
-2

After completely reinstalling puppetdb it's finally working...

heinkunibert
  • 1
    This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. – laurent Feb 07 '13 at 13:55
  • Please use the edit link on your question to add additional information. The Post Answer button should be used only for complete answers to the question. – Stephane Rolland Feb 07 '13 at 14:20