Ask Your Question

"Failed to generate additional resources" error

asked 2013-06-18 15:29:41 -0600

derevan@cisco gravatar image

updated 2013-06-19 15:18:36 -0600

I have just installed Puppet Enterprise for the first time and trying to get an agent to connect to the master. Had a lot of issues getting the master to see the certificate request, but now I am past that and the cert has been signed. When I reran the agent (puppet agent --test), I get the following error. I have no clue as to what to look at next.(ciscopm1.tidalsoft.local is my puppet master, my agent is ciscopn1.tidalsoft.local).

info: Retrieving plugin err: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval ... (more)

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2013-06-20 00:40:38 -0600

updated 2013-06-20 00:41:09 -0600

it looks like the Puppet Enterprise agent considers the PE master's certificate to be revoked. This matches the advice that Ancillas gave, since ciscopm1 is the master. Executing puppet cert --clean ciscopm1.tidalsoft.local has the effect of cleaning (and revoking) the master certificate. Revoking the master certificate prevents all agents from connecting to the master and will return the error message you're seeing.

I've reproduced the error message on a machine I have here by revoking the master certificate. Here's what I recommend, all on the Puppet Enterprise master:

# Revoke the master certificate (again).
/opt ...
edit flag offensive delete link more


That did the trick. I missed the last part of Ancillas' comment regarding revoking the master's certificate; i still thought it was the agent certificate that was referred to ...(more)

derevan@cisco gravatar imagederevan@cisco ( 2013-06-20 08:00:02 -0600 )edit

answered 2013-06-18 21:52:53 -0600

Ancillas gravatar image

This error indicates that the cert on your master doesn't match the cert on your agent.

Did your DNS settings or hostname change after you ran Puppet?

On the master run puppet cert --list --all and paste your list of certs into your original question as an edit.

Compare the cert that was signed to the current agent's puppet.conf file config and make sure the agent is using a certname that matches what the master expects. If your puppet.conf changes, or you change the DNS/hostname settings on your server during your puppet run, that could ... (more)

edit flag offensive delete link more


I have followed all of the suggestions without success. The DNS names have not changed and the clocks are in sync.

derevan@cisco gravatar imagederevan@cisco ( 2013-06-18 23:09:02 -0600 )edit

If you ran "puppet cert --clean ciscopm1.tidalsoft.local", that refers to the master's certificate. Try "puppet cert --clean ciscopn1.tidalsoft.local" on the master, remove the ssl directory ...(more)

GregLarkin gravatar imageGregLarkin ( 2013-06-19 07:54:22 -0600 )edit

unfortunately, i inherited those host names :) actually, it was ciscopn1 that I cleaned up and re-signed and the fingerprints match on both master and agent.

derevan@cisco gravatar imagederevan@cisco ( 2013-06-19 08:33:43 -0600 )edit

Please post the puppet.conf file from your agent machine. Can you successfully do forward and reverse DNS lookups from each machine for the other?

GregLarkin gravatar imageGregLarkin ( 2013-06-19 08:42:48 -0600 )edit

Yes, I can ping back and forth by name without issue. Below is the puppet.conf file on my agent: [main] vardir = /var/opt/lib/pe-puppet logdir = /var/log/pe-puppet ...(more)

derevan@cisco gravatar imagederevan@cisco ( 2013-06-19 11:18:42 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2013-06-18 15:29:41 -0600

Seen: 21,334 times

Last updated: Jun 20 '13