
I'm not able to make a Puppet node join a master; I'm using Puppet Enterprise on AWS cloud.

Master

puppetserver --version
puppetserver version: 2017.3.0.38

Node

# puppet agent --test
Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate/ca (method :get). Please see the server logs for details.
Exiting; failed to retrieve certificate and waitforcert is disabled

Obviously the error message is related to permissions on the master side. When I check the log on the master I see:

ERROR [qtp2147089302-255] [p.t.a.rules] Forbidden request: 10.0.10.224 access to /puppet-ca/v1/certificate/ca (method :get) (authenticated: false) denied by rule 'puppetlabs certificate'.

But I checked that the new HOCON-format auth.conf allows an unauthenticated node to send a CSR:

{
    "allow-unauthenticated": "*",
    "match-request": {
        "method": "get",
        "path": "/puppet-ca/v1/certificate/",
        "query-params": {},
        "type": "path"
    },
    "name": "puppetlabs certificate",
    "sort-order": 500
}

I also checked that pe-puppet-server.conf is not using the legacy auth.conf method:

# (optional) Authorize access to Puppet master endpoints via rules specified
# in the legacy Puppet auth.conf file (if true or not specified) or via rules
# specified in the Puppet Server HOCON-formatted auth.conf (if false).
use-legacy-auth-conf: false
max-active-instances: 2
max-requests-per-instance: 0
environment-class-cache-enabled: true

Please advise; the same error message occurs on both Windows and Linux.

client eastwood
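As an added illustration (not part of the question or of any answer), the rule matching behind the log line quoted above can be modelled in a few lines of Python: rules are tried in sort-order (then by name), the first matching rule decides, and an unauthenticated request passes only when that rule's allow-unauthenticated is boolean true. The rule set is constructed for the example; only the first rule follows the one quoted in the question.

```python
import re

# Constructed rule set in the shape of Puppet Server's HOCON auth.conf (as
# Python dicts). Only the first rule follows the one quoted in the question.
RULES = [
    {"name": "puppetlabs certificate", "sort-order": 500,
     "allow-unauthenticated": True,
     "match-request": {"method": "get", "type": "path",
                       "path": "/puppet-ca/v1/certificate/"}},
    {"name": "puppetlabs node", "sort-order": 500, "allow": "*",
     "match-request": {"method": "get", "type": "regex",
                       "path": "^/puppet/v3/node/[^/]+$"}},
]

def _matches(rule, method, path):
    """True if the rule's match-request section matches this request."""
    mr = rule["match-request"]
    methods = mr.get("method", [])
    methods = [methods] if isinstance(methods, str) else methods
    if methods and method.lower() not in methods:
        return False
    if mr["type"] == "path":                        # "path" is a prefix match
        return path.startswith(mr["path"])
    return re.search(mr["path"], path) is not None  # "regex" match

def evaluate(rules, method, path, certname=None):
    """(allowed, rule name): the first matching rule, in sort-order then name
    order, decides; with no match the request is denied."""
    for rule in sorted(rules, key=lambda r: (r["sort-order"], r["name"])):
        if not _matches(rule, method, path):
            continue
        if rule.get("allow-unauthenticated") is True:   # must be boolean true
            return True, rule["name"]
        if certname is None:                            # unauthenticated client
            return False, rule["name"]
        allow = rule.get("allow", [])
        allow = [allow] if isinstance(allow, str) else allow
        return (certname in allow or "*" in allow), rule["name"]
    return False, None

def denial_log_line(rules, ip, method, path, certname=None):
    """Render a denial in the format of the puppetserver log line in the question."""
    allowed, name = evaluate(rules, method, path, certname)
    if allowed:
        return None
    why = f"rule '{name}'" if name else "default (no rule matched)"
    return (f"Forbidden request: {ip} access to {path} (method :{method}) "
            f"(authenticated: {str(certname is not None).lower()}) denied by {why}.")
```

Running the same request through a copy of the first rule whose allow-unauthenticated is anything other than boolean true reproduces the "denied by rule 'puppetlabs certificate'" line from the master's log.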

3 Answers


I did reboot the entire server (EC2 instance) since reloading puppetserver didn't help ... I also did the auth change from the console, as instructed here:

windows Puppet agent does not connect to the awsopsworks puppet Enterprise master

client eastwood

I had a similar issue when trying to set up my Puppet nodes, but was using Vagrant instead of AWS.

The fix was to unset the following environment variables: http_proxy, https_proxy, HTTP_PROXY and HTTPS_PROXY.

Partiban

My fix was to remove server_list from puppet.conf, clean up the CM cert and re-generate the cert. In my case I have autosign=true, so the process was:

  1. Stop PE on CM:
systemctl stop puppet pxp-agent pe-puppetserver pe-puppetdb
  2. Remove the ssl dir:
rm -fr /etc/puppetlabs/puppet/ssl
  3. Clean up the cert from the Primary:
puppetserver ca clean --certname='<CM>'
  4. Run puppet agent on CM:
puppet agent -t

Done.

azbarcea