puppet master not seeing certificate signing request from agent


Matt Zagrabelny

Oct 31, 2018, 12:24:23 PM
to puppet...@googlegroups.com
Greetings,

I'm running puppet 5.5.6 (Debian testing).

I'm having issues getting the master to see the cert signing request from an agent.

The firewall isn't an issue. I see the packets hit an "allow" rule on the master, but I've also turned the firewall off.

tcpdump shows the packets reaching the server:

2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0

2607::2a = agent
2607::20 = master

I'm not seeing anything from the server:

# puppet master --no-daemonize
Warning: Accessing 'ca' as a setting is deprecated.
   (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in `issue_deprecation_warning')
Warning: The WEBrick Puppet master server is deprecated and will be removed in a future release. Please use Puppet Server instead. See http://links.puppet.com/deprecate-rack-webrick-servers for more information.
   (location: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
Notice: Starting Puppet master version 5.5.6

Adding --debug or --verbose didn't seem to yield any extra log messages after the "Starting Puppet master..." for when I expected a cert signing request message.

and the agent just shows an expiration:

# puppet agent -t --server puppet-5-5
Warning: Setting cadir is deprecated. 
   (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
Error: Could not request certificate: execution expired
Exiting; failed to retrieve certificate and waitforcert is disabled

Any ideas where to look next?

Thanks!

-m

Matt Zagrabelny

Oct 31, 2018, 5:12:25 PM
to puppet...@googlegroups.com
No new updates, but I wanted to add that lsof reports puppet listening:

puppet    25053          puppet    8u  IPv4 125393      0t0  TCP *:8140 (LISTEN)
puppet    25053          puppet    9u  IPv6 125394      0t0  TCP *:8140 (LISTEN)

and I'm not seeing anything in the master log file:

[2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted on /.
[2018-10-31 16:05:35] INFO  WEBrick::HTTPServer#start: pid=25053 port=8140

Confused...

-m

Justin Stoller

Oct 31, 2018, 11:47:15 PM
to puppet...@googlegroups.com
What happens on the agent that is running on the master?

When running any agent there's a flag, `--http_debug` I think, that will show you exactly what Puppet's requesting.

Seeing the output from curling the CA endpoints from the agent in question might be helpful (both from curl's side and the master's).
See: https://puppet.com/docs/puppet/5.5/http_api/http_certificate_request.html and the related CA endpoints. You should be able to do a GET on certificate/ca and certificate_revocation_list/ca

The agent's timing out doing something; running with --trace might help with that.


Matt Zagrabelny

Nov 1, 2018, 10:43:13 AM
to puppet...@googlegroups.com
Hey Justin,

Thanks for the reply!

On Wed, Oct 31, 2018 at 10:49 PM Justin Stoller <jus...@puppet.com> wrote:
> What happens on the agent that is running on the master?

Works as expected. Thus indicting the firewall.

Digging deeper... it looks like Debian testing bit me. But I don't blame them - I know I'm tracking a moving target.

iptables upgraded from 1.6 to 1.8 (and I didn't reboot after). There are new semantics (iptables-legacy) and the firewall was still blocking 8140 in the legacy mode. I've rebooted and cleared the legacy chains/tables.

Things work as expected now.

Thanks for the help and hints. It is very appreciated!

-m