'puppet agent -t'

Matthias Steffens

Mar 26, 2019, 12:43:27 PM
to Puppet Users
Hi!

I'm trying to get a new certificate for my puppet agent and therefore I tried to do a 'puppet agent -t' and I got the following:

root@puppet-node:/etc/puppetlabs/puppet/ssl/certs# puppet agent -t
Exiting; no certificate found and waitforcert is disabled


I didn't understand this, because I thought I'm doing a signing request with my 'puppet agent -t'!?

My Configuration looks like this:

Puppet-Master:

- Installed PuppetDB:
---> Configuration-File for puppetdb: /etc/puppetlabs/puppet/puppetdb.conf:


- Installed Puppetserver / Puppet:
---> Configuration-File for puppetdb: /etc/puppetlabs/puppet/puppet.conf:

[main]
server = puppet-master.local
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
storeconfigs = true
storeconfigs_backend = puppetdb
reports = store,puppetdb

[user]
http_proxy="http://proxy.<companyname>.de:8080"
HTTP_PROXY="http://proxy.<companyname>.de:8080"
https_proxy="http://proxy.<companyname>.de:8080"


- Configuration-File 'routes.yaml':
---
master:
  facts:
    terminus: puppetdb
    cache: yaml

When I do a 'netstat -tulpn' I get the following:

root@puppet-master:/etc/puppetlabs/puppet# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      740/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      4282/postgres
tcp6       0      0 :::8140                 :::*                    LISTEN      3653/java
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      3866/java
tcp6       0      0 :::8081                 :::*                    LISTEN      3866/java
tcp6       0      0 :::22                   :::*                    LISTEN      740/sshd
tcp6       0      0 ::1:5432                :::*                    LISTEN      4282/postgres
root@puppet-master:/etc/puppetlabs/puppet#


Can someone explain to me why I don't get a certificate on my node?

Thanks for your help and reply,

Matthias

Gabriel Filion

Mar 26, 2019, 2:06:34 PM
to puppet...@googlegroups.com
Hi there,

On 2019-03-26 12:40 p.m., Matthias Steffens wrote:
> I'm trying to get a new certificate for my puppet agent and therefore I
> tried to do a 'puppet agent -t' and I got the following:
>
> root@puppet-node:/etc/puppetlabs/puppet/ssl/certs# puppet agent -t
> Exiting; no certificate found and waitforcert is disabled

When your agent didn't create a cert yet, you need to specify an
additional option that'll create the cert and wait for the master to
sign the certificate signing request:

puppet agent -t --waitforcert 10

the integer value to the argument is the number of seconds to wait for
each iteration (I think the number of iterations made before exiting is
limited).

for me 10s is usually a good value, but you can play with this to find
something that gives you the appropriate time to sign certs on the
master (e.g. you probably do want to verify that the client's
certificate fingerprint is what the puppetmaster knows).


Martin Alfke

Mar 26, 2019, 3:16:35 PM
to puppet...@googlegroups.com, Puppet Users
Hi Matthias,

On Mar 26 2019, at 5:40 pm, Matthias Steffens <matthia...@gmail.com> wrote:
> Hi!
>
> I'm trying to get a new certificate for my puppet agent and therefore I tried to do a 'puppet agent -t' and I got the following:
>
> root@puppet-node:/etc/puppetlabs/puppet/ssl/certs# puppet agent -t
> Exiting; no certificate found and waitforcert is disabled

This message indicates that the agent has created a certificate, has sent the CSR to the master and is now waiting for the master to sign the certificate.

Log in to your puppetmaster.

Check puppet and puppetserver version.
puppetserver --version
puppet --version

If you are running puppetserver 6:

puppetserver ca list

This should show you a waiting signing request.

Sign with

puppetserver ca sign --certname <certname>

Usually the certname is the FQDN of the agent.

If you run puppet 5: please upgrade.

I added a comment below covering your puppet.conf regarding reports configuration:
please don't use two locations to store reports.
puppetdb is the modern place where to store them.
Use a webfrontend to visualize the reports (Puppet Enterprise, The Foreman, Puppet Board).
store places reports into file system. Usually this is only growing and never cleaned up!
[...]
Matthias

hth,
Martin
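
Added example (not part of the original thread, and not code from either poster): the two replies above describe listing and signing the pending request on the master and checking that the agent's fingerprint is the one the master knows. The script below combines them so that signing happens only on an exact match. The `puppetserver ca list` line layout, the sample listing and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: sign a pending Puppet CSR only when the fingerprint listed by
# the CA equals the one the agent reported out of band.

# Constructed sample of `puppetserver ca list` output (layout is an assumption;
# fingerprints shortened). Note the look-alike certname on the first entry.
SAMPLE_LISTING='Requested Certificates:
    puppet-node.local.example   (SHA256)  11:22:33:44
    puppet-node.local           (SHA256)  AB:CD:EF:01'

# Strip a "(SHA256)" label, colons and whitespace; upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/([^)]*)//g' | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# Read a CA listing on stdin; print the fingerprint of the request whose
# certname is exactly $1 (prints nothing if there is no such request).
pending_fp() {
    awk -v name="$1" '$1 == name && $2 ~ /^\(SHA/ { print $3; exit }'
}

# csr_matches <certname> <agent fingerprint> <CA listing>
# 0 = match, 1 = fingerprint differs, 2 = no pending request for that name.
csr_matches() {
    ca_fp=$(printf '%s\n' "$3" | pending_fp "$1")
    [ -n "$ca_fp" ] || return 2
    [ "$(normalize_fp "$ca_fp")" = "$(normalize_fp "$2")" ] || return 1
}

# verify_and_sign <certname> <fingerprint from `puppet agent --fingerprint`>
# Run on the master; refuses to sign unless the fingerprints agree.
verify_and_sign() {
    listing=$(puppetserver ca list) || return 3
    if csr_matches "$1" "$2" "$listing"; then
        puppetserver ca sign --certname "$1"
    else
        echo "refusing to sign $1: no pending request or fingerprint mismatch" >&2
        return 1
    fi
}
```

The fingerprint passed to `verify_and_sign` should be read on the node itself with `puppet agent --fingerprint` and carried to the master over a channel other than the CSR submission.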

Matthias Steffens

Mar 28, 2019, 6:04:32 AM
to Puppet Users
> When your agent didn't create a cert yet, you need to specify an
> additional option that'll create the cert and wait for the master to
> sign the certificate signing request:
>
>     puppet agent -t --waitforcert 10
>
> the integer value to the argument is the number of seconds to wait for
> each iteration (I think the number of iterations made before exiting is
> limited).
>
> for me 10s is usually a good value, but you can play with this to find
> something that gives you the appropriate time to sign certs on the
> master (e.g. you probably do want to verify that the client's
> certificate fingerprint is what the puppetmaster knows).


I've tried this but it doesn't work for me :(... Therefore I switched back to an old snapshot of my VM and now my 'puppet agent -t' works fine.

But now my 'puppet agent -t' responds with the following:

root@puppet-node:~# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for puppet-node.local: Failed to find facts from PuppetDB at puppet-master.local:8140: Failed to execute '/pdb/query/v4/nodes/puppet-node.local/facts' on at least 1 of the following 'server_urls': https://192.168.117.20:8081
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=fbe20bc4a742836d2b0c0951e875e3b9ec7011bd&version=5&certname=puppet-node.local&command=replace_facts&producer-timestamp=2019-03-28T09:42:35.432Z' on at least 1 of the following 'server_urls': https://192.168.117.20:8081
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
root@puppet-node:~#

What does the output "Could not retrieve facts for puppet-node.local: Failed to find facts from PuppetDB at puppet-master.local:8140" mean?

Matthias Steffens

Mar 28, 2019, 6:17:51 AM
to Puppet Users

> This message indicates that the agent has created a certificate, has sent the CSR to the master and is now waiting for the master to sign the certificate.
>
> Log in to your puppetmaster.
>
> Check puppet and puppetserver version.
> puppetserver --version
> puppet --version
>
> If you are running puppetserver 6:
>
> puppetserver ca list
>
> This should show you a waiting signing request.
>
> Sign with
>
> puppetserver ca sign --certname <certname>
>
> Usually the certname is the FQDN of the agent.
>
> If you run puppet 5: please upgrade.


I've the following versions installed:

root@puppet-master:~# puppetserver --version
puppetserver version: 6.3.0
root@puppet-master:~# puppet --version
6.4.0
root@puppet-master:~#

I changed it to the following in my puppet.conf:

[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
storeconfigs = true
storeconfigs_backend = puppetdb
reports = puppetdb


 
> Use a webfrontend to visualize the reports (Puppet Enterprise, The Foreman, Puppet Board).
> store places reports into file system. Usually this is only growing and never cleaned up!
> [...]

When I've now installed my puppetserver and a running puppetd (it looks to me like it's gonna work, or am I wrong?), can I now install Foreman, for example?
 