2

Why my puppetmaster not puppetizing new agents?

asked 2013-08-22 09:30:23 -0500

jhossain

I am using "sudo puppet cert --sign <server>", getting "err: Could not call sign: Could not find certificate request for <server>".

This puppetmaster is running puppet v2.7.18 and has been puppetizing agents since July 2012, but recently its root partition became full. The server started acting up at that point. Now, no new agents are being puppetized.

The agent gets the following error:

puppet agent --test
err: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report ... (more)

Comments

Check to see what pending certs you have with `sudo puppet cert list --all`. Perhaps the cert was requested as a fqdn or non-fqdn.

banjer ( 2013-08-22 09:46:17 -0500 )

Hi banjer; Yes, the cert was requested as a fqdn (like: puppet cert --sign <server.fqdn>). The command 'sudo puppet cert list --all' lists all existing certs, the new is ...(more)

jhossain ( 2013-08-22 10:21:30 -0500 )

Oh yes, my bad - you can see pending certs without the --all switch as you probably know already. There is no limitation to the number of agents that I'm aware of.

banjer ( 2013-08-23 08:04:41 -0500 )

5 Answers

3

answered 2013-08-23 08:07:53 -0500

banjer

If you're not seeing any pending certs on your puppet master with sudo puppet cert list, I would try to clean out any requests on the agent and master.

From the agent

sudo rm -rf /var/lib/puppet/ssl

From the puppet master

sudo rm -rf /var/lib/puppet/ssl/certificate_requests/*

Then try requesting another cert, by running sudo puppet agent -t from the agent again.


Comments

banjer, It was a good suggestion. I cleaned up old certificate from agent, reran puppet agent -t, still failing, any other suggestions?

jhossain ( 2013-08-23 11:54:08 -0500 )

You said that you cleaned up the old certificate from the agent, but did you remove the certificate requests from the master, as shown above?

GregLarkin ( 2013-08-26 16:52:03 -0500 )

Hi GregLarkin; There was no certificate information for that particular agent on the puppetmaster, so no cleaning was needed.

jhossain ( 2013-08-26 18:43:16 -0500 )

Can you reach the puppet master host from your puppet client host? Try ping, and see if you can `telnet puppetmasterhost 8140` from the client. That's the default port ...(more)

banjer ( 2013-08-27 08:37:55 -0500 )

Hi banjer; Yes, both ping and telnet show a connection to the puppet master host from my agent host: telnet master.fqdn 8140 Trying master.ip.address... Connected to host.fqdn ...(more)

jhossain ( 2013-08-27 14:12:10 -0500 )
0

answered 2013-08-26 19:01:57 -0500

updated 2013-08-30 09:33:21 -0500

As you know, before a Puppet Agent can speak to the Puppet Master, it must first generate a certificate and send the public certificate to the Master so that you can later sign the certificate on the Master. In your case, it appears that the Agent is unable to send its certificate to the Master. The Agent will transfer the certificate to the Master using SSL. I bet that the SSL exchange is failing in the initial stages due to a hostname, SSL or certificate problem.

On both the Puppetmaster and the client, double-check the hostnames for the host ... (more)

Comments

Hi Stefan; Interesting! We ran into this problem after the root partition on the puppet master got 100% full. We think the overall system is not functioning properly. We are ...(more)

jhossain ( 2013-08-27 14:15:44 -0500 )
1

If the partition is full, then perhaps the Puppetmaster Certificate Authority cannot create the files needed for the certificate exchange. That would prevent PKI from working.

stefanlasiewski ( 2013-09-19 18:15:12 -0500 )

Why the hell can't I expand your comments... What was the solution when the partition was 100% full? Any CA specific commands?

Kozzio ( 2016-02-15 08:10:50 -0500 )
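
The full-partition and hostname causes raised in this answer and its comments, as an added example that is not part of the original thread: a small script that reports how full the filesystem under the master's SSL directory is, whether files can still be written there, how many request files are waiting, and whether the agent can resolve the master's name. The function names, the 90% threshold and the `master`/`agent` modes are assumptions made for illustration; the default paths are the ones quoted on this page.

```shell
#!/bin/sh
# Added example, not from the thread. Paths default to the ones quoted on this
# page. Run as the user the master runs as: root can often still write to a
# filesystem that is already full for other users.

# Percent used on the filesystem holding directory $1 (POSIX df -P layout).
fs_use_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $(NF-1)); print $(NF-1) }'
}

# Succeeds only if data can really be written under $1. On a full
# filesystem an empty file may still be created, so write bytes.
can_write() {
    probe=$(mktemp "$1/.write-probe.XXXXXX" 2>/dev/null) || return 1
    if echo probe > "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return "$rc"
}

# Number of request files (*.pem) waiting in directory $1.
pending_csrs() {
    find "$1" -type f -name '*.pem' 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds if $1 resolves via the system resolver, the lookup behind
# "getaddrinfo: Name or service not known".
name_resolves() {
    getent hosts "$1" > /dev/null 2>&1
}

# Master-side report. $1 = ssl dir, $2 = request dir, $3 = max percent used.
check_master() {
    bad=0
    pct=$(fs_use_pct "$1")
    echo "filesystem for $1 is ${pct}% used; pending requests: $(pending_csrs "$2")"
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: at or above ${3}% used"; bad=1
    fi
    if ! can_write "$1"; then
        echo "FAIL: cannot write under $1, so new certificate files cannot be stored"; bad=1
    fi
    return "$bad"
}

# Run only when a mode is given: "master [ssldir]" or "agent <server-name>".
case "${1:-}" in
    master) d=${2:-/var/lib/puppet/ssl}; check_master "$d" "$d/certificate_requests" 90 ;;
    agent)  name_resolves "$2" && echo "$2 resolves" || echo "FAIL: $2 does not resolve" ;;
esac
```

Saved under a hypothetical name such as `puppet-ca-check.sh`, it runs as `sh puppet-ca-check.sh master` on the master and `sh puppet-ca-check.sh agent <server-name>` on the agent.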
0

answered 2013-08-23 11:50:01 -0500

jhossain

Hi banjer;

The puppetmaster does not have any pending certificates. The /var/lib/puppet/ssl/certificate_requests/ is empty:

sudo ls -la /var/lib/puppet/ssl/certificate_requests/
total 8
drwxr-xr-x 2 puppet puppet 4096 Jul 29 16:13 .
drwxrwx--x 8 puppet puppet 4096 Jul 2 2012 ..

On agent, /var/lib/puppet/ssl had old certificate related files and folders. Deleted them using "sudo rm -rf /var/lib/puppet/ssl"

Then ran the command: puppet agent -t

Output:

info: Creating a new SSL key for <host.fqdn>
err: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed ... (more)
0

answered 2013-12-10 18:45:28 -0500

the_wolverine

I mv /etc/puppetlabs/puppet/ssl to /etc/puppetlabs/puppet/ssl_bak because I'm a scaredy cat. But after that I was able to request the cert:

puppet agent --server <puppet-master> --waitforcert 60 --test

Then from the console, accept the pending node request and done: Notice: Finished catalog run in 0.13 seconds

-2

answered 2013-12-27 11:26:20 -0500

Worked for me. Thanks!


Stats

Asked: 2013-08-22 09:30:23 -0500

Seen: 17,837 times

Last updated: Dec 27 '13