Can't send certificate request


Mike

Mar 13, 2012, 10:04:15 AM
to puppet...@googlegroups.com
I can't get a new client working with my puppet master. When I try to run 'puppet agent --test' on the client, I get

err: Could not request certificate: Connection refused - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled

I can't telnet from the client to the server on port 8140. There are no firewalls between the 2 servers. I've turned off iptables and ip6tables on both servers. The times are sync'd. Both servers can ping each other by IP address and hostname.

Doing a netstat -an on the puppet master server shows that it is not listening on port 8140. Yet, I have verified that pe-puppet is running.

Any suggestions?

Bernd Adamowicz

Mar 13, 2012, 10:53:37 AM
to puppet...@googlegroups.com


Bernd Adamowicz

Mar 13, 2012, 10:54:59 AM
to puppet...@googlegroups.com

Try

puppet agent --verbose --debug --server your.server --environment your_env --waitforcert 60 --no-daemonize

Bernd

Mike

Mar 13, 2012, 11:46:16 AM
to puppet...@googlegroups.com
I tried that command as you suggested. As far as I can tell, it didn't give me much useful information. Here is what it had:

debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: /File[/etc/puppetlabs/puppet/ssl]: Autorequiring File[/etc/puppetlabs/puppet]
debug: /File[/var/opt/lib/pe-puppet/lib]: Autorequiring File[/var/opt/lib/pe-puppet]

It then continued to autorequire a bunch of ssl files - basically the entire directory structure of /etc/puppetlabs/puppet/ssl as well as all the pem files.

In /var/log/messages, I see this on both the puppet master server and the client:

Mar 13 10:42:38 puppet-master puppet-agent[4729]: Could not request certificate: Connection refused - connect(2)

"puppet-master" is the hostname of my puppet server. However, "puppet-agent" is NOT the name of the client trying to request a certificate. That is the name of an old test box that worked successfully. Is that just a generic name that puppet uses, or is it trying to use an old config/cert?



Mike

Mar 13, 2012, 12:05:07 PM
to puppet...@googlegroups.com
I think I've found the solution. I'm not sure what the original root issue was, but at some point during the troubleshooting process, I cleared out the certs on the puppet master server. This was preventing pe-httpd from starting. Once I restored the certs, pe-httpd could start, and everything worked.

Nan Liu

Mar 13, 2012, 12:15:42 PM
to puppet...@googlegroups.com

Is pe-httpd running? Apache should be listening on 8140.

Nan
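
Added example (not part of any post in this thread): a master-side triage for the failure resolved above, where nothing listens on 8140 because the web server cannot start without the master's certificates. The function names and the three PEM paths checked (the standard Puppet ssldir layout) are assumptions, as is the placeholder certname.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes the standard Puppet ssldir
# layout: certs/ca.pem, certs/<certname>.pem, private_keys/<certname>.pem.

# Succeeds if `netstat -an` text on stdin shows a TCP listener on port $1.
listening_on() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      n = split($4, a, /[:.]/)   # field 4 is the local address; port is last
      if (a[n] == port) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Prints every PEM file under ssldir $1 for certname $2 that is missing or empty.
missing_master_certs() {
  for f in certs/ca.pem "certs/$2.pem" "private_keys/$2.pem"; do
    [ -s "$1/$f" ] || echo "$1/$f"
  done
}

# usage: netstat -an | diagnose PORT SSLDIR CERTNAME   (run on the master)
diagnose() {
  if listening_on "$1"; then
    echo "listening: port $1 is open on the master; check the path from the agent"
    return 0
  fi
  missing=$(missing_master_certs "$2" "$3")
  if [ -n "$missing" ]; then
    echo "not listening, certs missing: $(echo "$missing" | tr '\n' ' ')"
  else
    echo "not listening, certs present: check that pe-httpd is running"
  fi
  return 1
}

# e.g. netstat -an | diagnose 8140 /etc/puppetlabs/puppet/ssl <master-certname>
```
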
