
Exiting; no certificate found and waitforcert is disabled

asked 2015-12-22 08:32:20 -0500

ak1001

I have puppetmaster server installed on centos7 and a pptclient01 windows machine which runs the puppet agent.

puppet agent -t

and I get the above error. Then I go to the centos7 puppetmaster:

puppet cert list
Notice: Signed certificate request for ca

puppet cert list

I get nothing

I go back to the puppetagent pptclient01 and I get the same error.

I did do netstat -an| grep 8140 on the puppetmaster and it does establish a connection from client to the master.

So I am really not clear now on what is going on.

puppet.conf on agent looks like this:

[main]
certname=puppet
server=puppetmaster.northeurope.cloud...
pluginsync=true
autoflush=true
environment=production

[agent]
server=puppetmaster.northeurope.cloud...
certificate_revocation = false

I am not sure what to do to get the certs to work properly.

Any help will be appreciated.

I tried this as well:

rm -rf /var/lib/puppet/ssl/*

It's after this that I get the "Notice: Signed certificate request for ca". I believe this is for the puppetmaster, not the client certificate request.

Thanks


Comments

When you removed the SSL dir, did you regenerate the certs again?

Anandk (2015-12-23 02:46:59 -0500)

3 Answers


answered 2015-12-22 09:57:10 -0500

RMJ

You need to sign the client's certificate on your puppet master. From the deployment docs:

In an agent/master deployment, an admin must approve a certificate request for each agent node before that node can fetch configurations. Agent nodes will request certificates the first time they attempt to run.

Periodically log into the CA puppet master server and run sudo puppet cert list to view outstanding requests. Run sudo puppet cert sign <NAME> to sign a request, or sudo puppet cert sign --all to sign all pending requests. An agent node whose request has been signed on the master will run normally on its next attempt.


answered 2015-12-23 04:30:26 -0500

ak1001

There is still a problem.

I think the problem before was that it was not creating a certificate at all. I changed the certificate setting on the agent side to puppetclient1 in the puppet.conf and it created a certificate. I deleted the ssl content on both sides, the date/times are correct on both servers, and I regenerated the certificates.

I have signed it now, so in /var/lib/puppet/ssl/ca/signed I have 2 certificates, one for puppetclient1 and one for puppetmaster. See below:

-rw-r--r--. 1 puppet puppet 2289 Dec 23 10:13 puppetmaster.vkszjqglddkeljspfb2xaf43wf.fx.internal.cloudapp.net.pem
-rw-r--r--. 1 puppet puppet 2017 Dec 23 10:19 puppetclient1.pem

Now when I try to run the agent I still get errors when I run puppet agent -t:

Error: Could not request certificate: Server hostname 'puppetmaster.northeurope.cloudapp.azure.com' did not match server certificate; expected one of puppetmaster.vkszjqglddkeljspfb2xaf43wf.fx.inte..., DNS:puppet, DNS:puppet.vkszjqglddkeljspfb2xaf43wf.fx.internal..., DNS:puppetmaster.vkszjqglddkeljspfb2xaf43wf.fx.internal.cloudapp.net
Exiting; failed to retrieve certificate and waitforcert is disabled

Can someone help with this? Could it be permissions? Thanks


answered 2015-12-23 04:44:00 -0500

FranzCC

Hi,
Your puppetmaster's hostname changed but not the host's cert file.
There's an alternative DNS field, but it didn't match the hostname.
Check out the docs for the alternative names:
https://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames

Rgds.

Franz

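The hostname mismatch discussed in the last two answers, as an added example that is not part of the original thread and not Puppet's own code: it parses the error text quoted above and checks whether a given `server=` value is covered by the names in the master's certificate. The function names are hypothetical, the matching is a simplified RFC 6125 style check, and the sample error is constructed from the quoted message with the truncated entries left out.

```python
import re

# Constructed from the error text quoted in the thread; entries the page
# truncates with "..." are left out rather than guessed.
SAMPLE_ERROR = (
    "Error: Could not request certificate: Server hostname "
    "'puppetmaster.northeurope.cloudapp.azure.com' did not match server "
    "certificate; expected one of "
    "puppetmaster.vkszjqglddkeljspfb2xaf43wf.fx.internal.cloudapp.net, "
    "DNS:puppet, "
    "DNS:puppetmaster.vkszjqglddkeljspfb2xaf43wf.fx.internal.cloudapp.net"
)

def parse_mismatch(error_text):
    """Return (requested_hostname, [names the certificate accepts])."""
    m = re.search(r"Server hostname '([^']+)' did not match server "
                  r"certificate; expected one of (.+)", error_text)
    if not m:
        raise ValueError("not a hostname-mismatch error")
    names = []
    for item in m.group(2).split(","):
        name = item.strip()
        if name.startswith("DNS:"):      # subjectAltName entries
            name = name[4:]
        name = name.lower()
        if name and name not in names:   # the CN is usually repeated as a SAN
            names.append(name)
    return m.group(1).lower(), names

def name_matches(hostname, pattern):
    """Exact match, or '*' standing for the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*" and len(pat) > 2:
        return host[1:] == pat[1:]
    return host == pat

def check_server_setting(server, cert_names):
    """True if the agent's `server` value is covered by the certificate."""
    return any(name_matches(server, n) for n in cert_names)

if __name__ == "__main__":
    requested, names = parse_mismatch(SAMPLE_ERROR)
    print("agent asked for:", requested)
    print("covered by master cert:", check_server_setting(requested, names))
```

The agent only trusts the master when the name it connects to appears in this list, so either `server=` has to use one of the listed names or the master certificate has to be reissued with the public name included in its alternative names.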


Stats

Asked: 2015-12-22 08:32:20 -0500

Seen: 13,530 times

Last updated: Dec 23 '15