# puppet
  • h

    hbui

    10/04/2022, 9:25 PM
    Puppet client config is in /etc/puppetlabs/puppet/puppet.conf
  • w

    William Myers

    10/04/2022, 9:25 PM
    I've set the certname in puppet.conf in the main and server sections of the master. certname = vmpuppetmaster01.britanniahome.net
  • w

    William Myers

    10/04/2022, 9:26 PM
    [main]
    certname = vmpuppetmaster01.britanniahome.net
    server = vmpuppetmaster01.britanniahome.net
    
    [server]
    vardir = /opt/puppetlabs/server/data/puppetserver
    logdir = /var/log/puppetlabs/puppetserver
    rundir = /var/run/puppetlabs/puppetserver
    pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
    codedir = /etc/puppetlabs/code
    certname = vmpuppetmaster01.britanniahome.net
    
    [master]
    storeconfigs = true
    storeconfigs_backend = puppetdb
  • h

    hbui

    10/04/2022, 9:26 PM
    you can ping vmpuppetmaster01.brianniahome.net successfully?
  • w

    William Myers

    10/04/2022, 9:26 PM
    Would having installed the puppetdb role have done something screwy with the cert under default config?
  • w

    William Myers

    10/04/2022, 9:26 PM
    yes,
  • w

    William Myers

    10/04/2022, 9:27 PM
    it resolves and pings correctly on the master and nodes I've tried to manage
  • h

    hbui

    10/04/2022, 9:27 PM
    are you running the agent as root?
  • w

    William Myers

    10/04/2022, 9:27 PM
    yes
  • w

    William Myers

    10/04/2022, 9:27 PM
    the part that stands out is the "/CN=puppet"
  • b

    bastelfreak

    10/04/2022, 9:28 PM
    the common name or the SAN entry needs to match the fqdn of the puppetserver
  • w

    William Myers

    10/04/2022, 9:28 PM
    How can I force that for the cert?
  • b

    bastelfreak

    10/04/2022, 9:29 PM
    or: the server that you specify needs to be in the certificate of that server
  • h

    hbui

    10/04/2022, 9:29 PM
    it's when you generate the cert for the puppet server
  • w

    William Myers

    10/04/2022, 9:30 PM
    hmm, I had specified the fqdn when I ran
    puppetserver ca setup
    Could the puppetdb package have overridden that somehow?
  • b

    bastelfreak

    10/04/2022, 9:30 PM
    usually not
  • b

    bastelfreak

    10/04/2022, 9:30 PM
    but who knows :D you can check the timestamps of the cert/priv key on the server
  • b

    bastelfreak

    10/04/2022, 9:31 PM
    did it ever work?
  • w

    William Myers

    10/04/2022, 9:32 PM
    I had not attempted to connect other systems before now.
  • b

    bastelfreak

    10/04/2022, 9:32 PM
    okay
  • b

    bastelfreak

    10/04/2022, 9:33 PM
    you can go through https://puppet.com/docs/puppet/7/ssl_regenerate_certificates.html and regenerate all the certs
  • w

    William Myers

    10/04/2022, 9:34 PM
    alrighty, doing that now
  • w

    William Myers

    10/04/2022, 9:45 PM
    same behaviour
  • w

    William Myers

    10/04/2022, 9:45 PM
    Info: Creating a new SSL key for vmipam01.britanniahome.local
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    Info: Caching certificate for ca
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for vmipam01.britanniahome.local
    Info: Certificate Request fingerprint (SHA256): 96:CF:C0:86:05:D2:AA:69:DC:97:94:C5:E0:B7:A9:07:83:0F:8E:7C:1B:83:19:5F:C7:47:59:7C:99:56:8A:87
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    Info: Caching certificate for ca
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    Exiting; no certificate found and waitforcert is disabled
    root@vmipam01:/var/lib/puppet# puppet agent -t
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:315: warning: deprecated Object#=~ is called on Puppet::Transaction::Report; it always returns nil
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    Info: Caching certificate for vmipam01.britanniahome.local
    /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
    Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: vmpuppetmaster01.britanniahome.net]
    Exiting; failed to retrieve certificate and w
  • w

    William Myers

    10/04/2022, 9:46 PM
    Where is the puppetmaster likely picking up that /CN=Puppet from?
  • w

    William Myers

    10/04/2022, 9:47 PM
    , /etc/puppetlabs/puppet/puppet.conf
    # - https://puppet.com/docs/puppet/latest/config_file_main.html
    # - https://puppet.com/docs/puppet/latest/configuration.html
    [main]
    certname = vmpuppetmaster01.britanniahome.net
    server = vmpuppetmaster01.britanniahome.net
    
    [server]
    vardir = /opt/puppetlabs/server/data/puppetserver
    logdir = /var/log/puppetlabs/puppetserver
    rundir = /var/run/puppetlabs/puppetserver
    pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
    codedir = /etc/puppetlabs/code
    certname = vmpuppetmaster01.britanniahome.net
    
    [master]
    storeconfigs = true
    storeconfigs_backend = puppetdb