0

New PE install; agent fails "Error: Could not request certificate:"

asked 2015-11-02 14:26:08 -0500

SteveK

updated 2015-11-03 14:55:18 -0500

Hello,

The master is CentOS. The agent is Windows 8.1. On the master, # puppet agent --test --noop produces "normal" results (final line is "Info: Applying configuration version '###'").

On the Windows 8.1 agent, however, I'm met with:

    puppet agent --test --noop
    Error: Could not request certificate: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. - connect(2) for "puppet.xxxxxx.xxxxxxx.com" port 8140
    Exiting; failed to retrieve certificate and waitforcert is disabled

The version of the agent on the Windows machine is the same as on the CentOS machine (i.e., 4.2.2).

Can you suggest possible ways to solve this problem or suggest a way to further troubleshoot it?

Thanks in advance.

In response to GregLarkin and masterdam's suggestions: thank you. The problem is still not resolved, though. The agent does not have Telnet installed, but I was able to Remote Desktop to the master from the agent. Firewall rules were pretty open on the agent, but I added explicit rules for port 8140 anyway. On the master, iptables is new to me, but I found some info online and added Chain INPUT and OUTPUT rules:

    ACCEPT tcp -- anywhere anywhere tcp dpt:8140

So, either I'm not setting up the firewall rules correctly or I need to explore other possible solutions. BTW, prior to my install of PE, I did have the agent working with the Open Source version of Puppet. Well, I never really used it beyond testing its connection with a Fedora master. I uninstalled the Open Source agent prior to the PE install.


Comments

If it's OK in your environment, try running "service iptables stop" on your Puppet master to turn off the firewall altogether. Does that fix the problem? If not, go ahead and start it back up with "service iptables start".

GregLarkin (2015-11-03 16:30:38 -0500)

Here's what I (as root) get:

    % service iptables stop
    Redirecting to /bin/systemctl stop iptables.service
    Failed to issue method call: Unit iptables.service not loaded
    % systemctl | grep -i iptable
    % systemctl list-unit-files | grep -i iptable

It looks like systemctl does not know about iptable

SteveK (2015-11-04 08:41:53 -0500)

Ok, didn't realize you were running on CentOS 7. Try "systemctl stop firewalld" and "systemctl start firewalld" instead.

GregLarkin (2015-11-04 10:40:23 -0500)

After "stop firewalld" on the master, the agent's 'puppet agent --test --noop' looks much more positive (i.e., Info: Caching certificate for ca, etc...). I shouldn't be flying with me shields down though.

SteveK (2015-11-04 12:47:50 -0500)

Ok, so you'll need to open port 8140 on the Puppet master to allow incoming connections from Puppet agents.

GregLarkin (2015-11-04 13:00:38 -0500)

2 Answers

1

answered 2015-11-02 20:06:10 -0500

GregLarkin

updated 2015-11-04 13:03:51 -0500

This looks like a firewall issue. Can you confirm that the Windows machine is not blocking outbound connections on port 8140? Also check the CentOS machine and make sure iptables (if enabled) allows connections to port 8140.

Please check this page for all of the firewall requirements to set up your Puppet master: https://docs.puppetlabs.com/pe/latest/installsystemrequirements.html#firewall-configuration

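One way to open port 8140 on a CentOS 7 master while keeping firewalld running, as an added example that is not part of the original thread: it checks whether 8140/tcp is already allowed in the runtime and permanent firewalld configuration and adds only what is missing. It assumes the master's default zone faces the agents and inspects only the port list, not services or rich rules; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): allow Puppet agents through firewalld
# on a CentOS 7 master instead of leaving the firewall stopped.
# Assumption: the master's default firewalld zone is the one agents reach.
PUPPET_PORT="8140/tcp"   # port and protocol named in the thread

# port_listed LIST PORT/PROTO: succeed if PORT/PROTO is covered by LIST, a
# string in `firewall-cmd --list-ports` format ("443/tcp 8000-8200/tcp").
port_listed() {
    local listed="$1" want_port="${2%/*}" want_proto="${2#*/}"
    local entry range lo hi
    for entry in $listed; do
        [ "${entry#*/}" = "$want_proto" ] || continue
        range="${entry%/*}"
        lo="${range%-*}"; hi="${range#*-}"   # single port: lo == hi
        if [ "$want_port" -ge "$lo" ] && [ "$want_port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# plan_open RUNTIME_LIST PERMANENT_LIST: print the firewall-cmd calls still
# needed. Prints nothing when both configurations already allow the port.
plan_open() {
    port_listed "$2" "$PUPPET_PORT" ||
        echo "firewall-cmd --permanent --add-port=$PUPPET_PORT"
    port_listed "$1" "$PUPPET_PORT" ||
        echo "firewall-cmd --add-port=$PUPPET_PORT"
    return 0
}

# Only touch the firewall when asked to: run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    systemctl is-active --quiet firewalld ||
        { echo "firewalld is not running; start it first" >&2; exit 1; }
    plan_open "$(firewall-cmd --list-ports)" \
              "$(firewall-cmd --permanent --list-ports)" |
    while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
    echo "ports now open: $(firewall-cmd --list-ports)"
fi
```

Adding the port to both the runtime and the permanent configuration makes the change take effect immediately and survive a reboot or `firewall-cmd --reload`.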
1

answered 2015-11-02 15:36:29 -0500

masterdam79

It seems that the agent can't reach the master. Checks that I would do in this case are ping from agent to master, telnet from agent to master, see if there are any firewall rules blocking your request on server (incoming) as well as agent (outgoing).



Stats

Asked: 2015-11-02 14:26:08 -0500

Seen: 656 times

Last updated: Nov 04 '15