Autosign not working correctly

asked 2014-05-08 19:40:55 -0500

Esity

updated 2014-05-08 19:55:48 -0500

Hello, I am just getting my Puppet servers working correctly. I have my master server set up, and I can manually sign certs and everything works, but for some reason when I try to use autosign.conf it does not sign them. I have proper DNS entries set up, and the /etc/hostname on the remote servers matches the DNS record.

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
autosign = /etc/puppet/autosign.conf

And then my /etc/puppet/autosign.conf is as follows: test.domain.org web.domain.org mysql.domain.org

For some reason these servers are still pending.

This is what I get on the remote server.

root@test:~# puppet agent --waitforcert 5 --test
notice: Did not receive certificate

Any ideas? Thanks in advance


Comments

Did you check if the test is sent to the puppetmaster with the domain? Try executing on the master: puppet cert -l and show us if the certificate is coming with the domain. If not, change the resolv.conf and add domain domain.org on the agent.

Renan Vicente ( 2014-05-08 20:01:31 -0500 )

root@puppet:/etc/puppet/manifests# puppet cert -l
  "test.domain.org" (9E:55:A5:88:08:9B:7C:DC:65:AF:BF:61:9A:6C:D4:8F)
  "web.domain.org" (B7:BE:EA:51:FA:1D:57:3B:1D:C9:1E:5C:1F:B4:FA:A8)

Esity ( 2014-05-08 20:11:56 -0500 )

Try using naïve autosigning. To enable naïve autosigning, set autosign = true in the [master] section of the CA puppet master’s puppet.conf, just to check if it's a problem with the file or not.

Renan Vicente ( 2014-05-08 20:19:43 -0500 )

Changed the config to show auto sign = true and then restarted the service puppet master. When I type Puppet cert list it still shows the unsigned servers. Any ideas? Do I need to call a different command?

Esity ( 2014-05-08 21:06:18 -0500 )

Try cleaning the certificate and try again. On the master: puppet cert clean test.domain.org; on the agent: find $(puppet master --configprint ssldir) -name test.domain.org.pem -delete, and then try again: puppet agent -t

Renan Vicente ( 2014-05-08 21:40:34 -0500 )
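
The checks discussed in this thread (does the requested certname carry the domain, and does autosign.conf list it) can be run offline against a copy of the file. The script below is an added example, not part of the original thread and not Puppet's own code. The function names and sample files are constructed, and it assumes the basic allowlist format: one certname or `*.domain` glob per line, with blank lines and `#` comments ignored.

```shell
# Added example. Assumption: a line holding several names separated by
# whitespace is not split into separate entries, so it matches nothing.

# autosign_match FILE CERTNAME -> exit 0 if an allowlist entry covers CERTNAME
autosign_match() {
    file=$1; name=$2
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim leading and trailing whitespace from the entry.
        entry=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $entry in
            ''|'#'*)       continue ;;          # blank line or comment
            *[[:space:]]*) continue ;;          # several names on one line
            '*.'*)         suffix=${entry#\*}   # "*.domain.org" -> ".domain.org"
                           # The glob covers one or more leading labels only.
                           case $name in ?*"$suffix") return 0 ;; esac ;;
            *)             [ "$entry" = "$name" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# autosign_lint FILE -> prints the number of non-comment lines holding more
# than one whitespace-separated token
autosign_lint() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -c '[^[:space:]][[:space:]][[:space:]]*[^[:space:]]'
}

# Constructed sample files, using the hostnames from the question above.
demo_dir=$(mktemp -d)
printf '%s\n' 'test.domain.org' 'web.domain.org' 'mysql.domain.org' > "$demo_dir/per_line.conf"
printf '%s\n' 'test.domain.org web.domain.org mysql.domain.org' > "$demo_dir/one_line.conf"
printf '%s\n' '# lab hosts' '*.domain.org' > "$demo_dir/glob.conf"

# Compare a fully qualified certname with a short one against each file.
for conf in per_line one_line glob; do
    for name in test.domain.org test; do
        if autosign_match "$demo_dir/$conf.conf" "$name"; then
            result='match'
        else
            result='no match'
        fi
        echo "$conf.conf  $name  $result"
    done
done
```

A certname requested without the domain (`test`) matches none of the sample files, which is the case the first comment asks about.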