New PE install; agent fails "Error: Could not request certificate:"
Hello,
The master is CentOS. The agent is Windows 8.1. On the master, # puppet agent --test --noop produces "normal" results (final line is "Info: Applying configuration version '###'").
On the Windows 8.1 agent, however, I'm met with:
puppet agent --test --noop
Error: Could not request certificate: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. - connect(2) for "puppet.xxxxxx.xxxxxxx.com" port 8140
Exiting; failed to retrieve certificate and waitforcert is disabled
The version of the agent on the Windows machine is the same as on the CentOS machine (i.e., 4.2.2).
Can you suggest possible ways to solve this problem or suggest a way to further troubleshoot it?
Thanks in advance.
In response to GregLarkin and masterdam's suggestions: thank you. The problem is still not resolved, though. The agent does not have Telnet installed, but I was able to Remote Desktop to the master from the agent. Firewall rules were pretty open on the agent, but I added explicit rules for port 8140 anyway. On the master, iptables is new to me, but I found some info online and added Chain INPUT and OUTPUT rules:
ACCEPT tcp -- anywhere anywhere tcp dpt:8140
So, either I'm not setting up the firewall rules correctly or I need to explore other possible solutions. BTW, prior to my install of PE, I did have the agent working with the Open Source version of Puppet. Well, I never really used it beyond testing its connection with a Fedora master. I uninstalled the Open Source agent prior to the PE install.
If it's OK in your environment, try running "service iptables stop" on your Puppet master to turn off the firewall altogether. Does that fix the problem? If not, go ahead and start it back up with "service iptables start".
Here's what I (as root) get:
% service iptables stop
Redirecting to /bin/systemctl stop iptables.service
Failed to issue method call: Unit iptables.service not loaded
% systemctl | grep -i iptable
% systemctl list-unit-files | grep -i iptable
It looks like systemctl does not know about iptable.
Ok, didn't realize you were running on CentOS 7. Try "systemctl stop firewalld" and "systemctl start firewalld" instead.
After "stop firewalld" on the master, the agent's 'puppet agent --test --noop' looks much more positive (i.e., Info: Caching certificate for ca, etc...). I shouldn't be flying with me shields down though.
Ok, so you'll need to open port 8140 on the Puppet master to allow incoming connections from Puppet agents.
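One way to do that with firewalld while keeping the firewall running, shown as an added example that is not part of the original thread: it admits TCP 8140 only from the agents' subnet instead of from any source. The subnet 192.0.2.0/24 is a constructed placeholder, the function names are hypothetical, and the rule is assumed to go into firewalld's default zone.

```shell
#!/bin/sh
# Added example (not from the thread): allow Puppet agents to reach the
# master on TCP 8140 through firewalld, limited to one source subnet.
# AGENT_NET is a constructed placeholder; use the subnet your agents live on.
AGENT_NET="${AGENT_NET:-192.0.2.0/24}"
PUPPET_PORT=8140

# Build the firewalld rich rule for the given source subnet.
# (--add-port=8140/tcp would also work, but accepts every source address.)
puppet_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' \
        "$1" "$PUPPET_PORT"
}

# Check for a.b.c.d/len before anything reaches the permanent configuration.
valid_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/" present
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Dry run by default: print the commands. With APPLY=1 (as root, on the
# master) run them: add the permanent rule, reload, then list the rules.
open_puppet_port() {
    valid_cidr "$1" || { echo "bad subnet: $1" >&2; return 2; }
    rule=$(puppet_rich_rule "$1")
    if [ "${APPLY:-0}" = 1 ]; then
        firewall-cmd --permanent --add-rich-rule="$rule" &&
        firewall-cmd --reload &&
        firewall-cmd --list-rich-rules
    else
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$rule"
        echo "firewall-cmd --reload"
        echo "firewall-cmd --list-rich-rules"
    fi
}

open_puppet_port "$AGENT_NET"
```

Once the rule is loaded, start firewalld again and re-run 'puppet agent --test --noop' on the agent to confirm that the certificate request gets through.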