Could not request certificate: Connection refused - request https://centos:8140//puppet-ca/v1/certificate/ca failed: Failed to open TCP connection to centos:8140 (Connection refused - connect(2) for "centos" port 8140)


Zhang Zhao

Aug 22, 2019, 6:13:59 AM
to Puppet Users
Hi, 
I am new to Puppet. Trying to set up a test environment. But the agent could not request a certificate as the connection was refused. I made sure that the puppet server was running and the service was enabled. Can anyone let me know what was wrong? Thanks.

Zhang

On PuppetMaster, 

[root@puppetmaster ~]# puppet resource service puppetserver ensure=running enable=true
service { 'puppetserver':
  ensure => 'running',
  enable => 'true',
}

[root@puppetmaster ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2469/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2694/master
tcp6       0      0 :::8140                 :::*                    LISTEN      27805/java
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::22                   :::*                    LISTEN      2469/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2694/master

[root@puppetmaster ~]# puppet cert list --all
Warning: `puppet cert` is deprecated and will be removed in a future release.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
+ "puppetmaster.attlocal.net" (SHA256) 10:A5:A4:7D:9E:10:D1:14:C3:92:D2:CE:B4:7E:78:C5:C4:26:56:DA:0D:7B:4E:0B:D5:58:B4:1E:43:03:F4:9E (alt names: "DNS:puppet", "DNS:puppetmaster.attlocal.net")

Martin Alfke

Aug 22, 2019, 11:58:47 AM
to puppet...@googlegroups.com
Hi,


On 22. Aug 2019, at 08:02, Zhang Zhao <zhang.a...@gmail.com> wrote:

Hi, 
I am new to Puppet. Trying to set up a test environment. But the agent could not request a certificate as the connection was refused. I made sure that the puppet server was running and the service was enabled. Can anyone let me know what was wrong? Thanks.

Is there a local firewall (iptables) running on the master?
You can temporarily flush the rules:
sudo iptables -F

If a local firewall is running, you want to open port 8140/tcp for incoming connections.

Best,
Martin




Zhang Zhao

Aug 23, 2019, 7:36:47 AM
to puppet...@googlegroups.com
Hi Martin,
Thank you for your reply. The firewall was disabled before I started puppet. I was using VirtualBox to create the environment. One server acts as puppet master and the other acts as agent. Still getting the same error. Any idea what other steps I was missing for configuration?


[root@puppetmaster ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)




[root@centos ~]# puppet agent --test
Error: Could not request certificate: Connection refused - request https://puppet:8140//puppet-ca/v1/certificate/ca failed: Failed to open TCP connection to puppet:8140 (Connection refused - connect(2) for "puppet" port 8140)
Exiting; failed to retrieve certificate and waitforcert is disabled




Martin Alfke

Aug 23, 2019, 7:44:06 AM
to puppet...@googlegroups.com
Hi Zhang,

> On 23. Aug 2019, at 09:36, Zhang Zhao <zhang.a...@gmail.com> wrote:
>
> Hi Martin,
> Thank you for your reply. The firewall was disabled before I started puppet. I was using VirtualBox to create the environment. One server acts as puppet master and the other acts as agent. Still getting the same error. Any idea what other steps I was missing for configuration?

How did you do the Virtualbox network setup?
Do you use bridge interfaces?
Have the two systems a shared internal network?

Can the agent resolve the master hostname (puppet)?
Is puppet really the hostname of the master VM?

Can the agent ping the master (ping -c1 puppet)?

DNS (via Server like bind or via /etc/hosts entries) and NTP are two requirements for a working Puppet environment.

Best,
Martin

Zhang Zhao

Aug 23, 2019, 7:49:41 AM
to puppet...@googlegroups.com
Hi Martin,
This is the Vagrantfile below. I didn’t DNS and NTP. It’s just a very simple testing environment. And puppet master and agent are able to ping each other.

Zhangs-MBP:VBox alex$ cat Vagrantfile 
# -*- mode: ruby -*-
# vi: set ft=ruby :

# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
  config.vm.provider "virtualbox" do |v|
    v.memory = 2048
    v.cpus = 2
  end

  config.vm.define "puppetmaster" do |pm|
    pm.vm.box = "centos/7"
    pm.vm.network "private_network", ip: "192.168.2.10"
    pm.vm.hostname = "puppetmaster"
  end

  config.vm.define "agent-centos" do |c|
    c.vm.box = "centos/7"
    c.vm.network "private_network", ip: "192.168.2.11"
    c.vm.hostname = "centos"
  end
end



Zhang





Martin Alfke

Aug 23, 2019, 9:21:07 AM
to puppet...@googlegroups.com
What is the hostname of the master?
puppet or puppetmaster?

You must configure the agent if the hostname of the master is not “puppet”.
You can do so by running the following command on the agent:

puppet config set --section agent server <puppetmaster fqdn>


jcbollinger

Aug 23, 2019, 1:08:15 PM
to Puppet Users


On Thursday, August 22, 2019 at 1:13:59 AM UTC-5, Zhang Zhao wrote:
Hi, 
I am new to Puppet. Trying to set up a test environment. But the agent could not request a certificate as the connection was refused. I made sure that the puppet server was running and the service was enabled. Can anyone let me know what was wrong? Thanks.


A "connection refused" message such as that describes a general networking error, not specific to Puppet.  It should be taken to indicate that the local machine successfully resolved a remote address to attempt a connection to, but its connection attempt was actively rejected.  Such a rejection almost always means one of two things:
  • there is no service currently accepting connections on the target port on the remote machine, or
  • a firewall, proxy, or other component in the network path between the two endpoints actively interceded to block the connection.
You seem to have established that the puppetserver service is running on its machine, and for the moment it is reasonable to suppose that it is running on its normal port.  You claim that "the" firewall was disabled prior to starting Puppet, but do note that there may be multiple firewalls to contend with:
  • on the Puppet master (I suppose this is the one you turned off),
  • on the Puppet client (this one is probably not the issue, but don't overlook it), and
  • on devices in between, which in your particular configuration could very well include the VM host.
It is not safe to neglect the last of those possibilities, as I can attest from personal experience.

But before delving too deeply into such issues, however, do start with the basics.  Can you confirm that the name the client is using for the master resolves for it to the correct address of the master?  If so, then can the client communicate with the master at all (via ping, for example)?


John
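The check order John describes (name resolution first, then the TCP connection), as an added example that is not part of any post in this thread. The `triage` and `probe` helpers and the verdict names are hypothetical; the loopback check (`resolves-to-self`) is an added assumption about one way a hosts-file entry can misdirect an agent, not a diagnosis made in the thread.

```python
import ipaddress
import socket

def probe(sockaddr, family, timeout):
    """Attempt one TCP connect and name the outcome."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)
        return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered: nothing listening, or an active reject
    except socket.timeout:
        return "timeout"      # no answer at all, typical of a firewall dropping packets
    except OSError:
        return "unreachable"  # no route, network down, etc.

def triage(server, port=8140, timeout=3.0, expect_remote=True):
    """Classify why an agent cannot reach server:port.
    Resolution is checked before TCP, as recommended in the thread."""
    try:
        infos = socket.getaddrinfo(server, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Same class of failure as "getaddrinfo: Name or service not known"
        return {"verdict": "name-not-resolved", "addresses": [], "detail": str(exc)}
    addrs = sorted({info[4][0] for info in infos})
    loopback = [a for a in addrs if ipaddress.ip_address(a.split("%")[0]).is_loopback]
    if expect_remote and len(loopback) == len(addrs):
        # The name points back at this machine, so the agent would connect to itself
        return {"verdict": "resolves-to-self", "addresses": addrs,
                "detail": "check this host's /etc/hosts entry for the server name"}
    outcomes = {info[4][0]: probe(info[4], info[0], timeout) for info in infos}
    # Report the most useful outcome seen across all resolved addresses
    for verdict in ("open", "refused", "timeout", "unreachable"):
        if verdict in outcomes.values():
            return {"verdict": verdict, "addresses": addrs, "detail": outcomes}

if __name__ == "__main__":
    # "puppet" is the agent's default server name; 8140 is the port from the thread
    print(triage("puppet"))
```

Run on the agent, a `name-not-resolved` or `resolves-to-self` verdict points at DNS or `/etc/hosts` on the agent itself, while `refused` or `timeout` points at the service or a firewall on the path.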

Zhang Zhao

Aug 27, 2019, 5:34:58 AM
to puppet...@googlegroups.com
Hi Martin,
I was sure that the hostname of the master was puppet. But still got the same error when I ran puppet agent --test on the agent side. Any idea where else I need to check?

[root@puppet ~]# hostname
puppet
[root@puppet ~]# cat /etc/hosts
127.0.0.1 puppet puppet
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.10 puppet puppetmaster.local





[root@centos ~]# puppet agent --test --server puppetmaster.local --noop
Error: Could not request certificate: request https://puppetmaster.local:8140//puppet-ca/v1/certificate/ca failed: Failed to open TCP connection to puppetmaster.local:8140 (getaddrinfo: Name or service not known)
Exiting; failed to retrieve certificate and waitforcert is disabled



Zhang

Zhang Zhao

Aug 27, 2019, 5:58:58 AM
to puppet...@googlegroups.com
Hi Martin,
Finally made it work. Had to add the IP, hostname and alias to /etc/hosts on both master and client servers. Didn’t add master’s info on client server. When I tried ping, I only tested pinging the IP and it worked, but didn’t ping by hostname. Anyway, thanks for your advice.


Zhang


