I have configured a Puppet Master-Agent setup (OS: Ubuntu). Both can ping/ssh each other and DNS is set up properly. The Master is able to generate a new CA and cert, while the Agent throws an error when 'puppet agent -t' is executed to generate the certificates.

I received an error along with a suggested solution; I did as suggested and then received:

screenshot of Puppet agent SSL error

Exiting; failed to retrieve certificate and waitforcert is disabled

Kindly help in getting this one resolved. Below is the /etc/puppet/puppet.conf (same on Master and Agent):

#Settings in [main] are used if a more specific section does not set a value.
[main]
    certname = puppetmaster01.example.com
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    basemodulepath = /etc/puppetlabs/puppet/environments/production/modules:/opt/puppet/share/puppet/modules
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    server = puppetmaster01.example.com
    user = puppet
    group = puppet
    archive_files = true
    archive_file_server = puppetmaster01.example.com

[master]
# This section is used by the Puppet master and Puppet cert applications.
    dns_alt_names = puppet,puppet.example.com,puppetmaster01,puppetmaster01.example.com,puppetagent01,puppetagent01.example.com
    certname = puppetmaster01.example.com
    reports = http,puppetdb
    reporturl = https://localhost:443/reports/upload
    node_terminus = exec
    external_nodes = /etc/puppetlabs/puppet-dashboard/external_node
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    storeconfigs_backend = puppetdb
    storeconfigs = true
    autosign = true

# This section is used by the Puppet agent application.
[agent]
    report = true
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    graph = true
    pluginsync = true
    environment = production
Try also running find /var/lib/puppet/ssl/certs -name ca.pem -delete in case the CA has changed and is cached locally. - Dominic Cleal
@DominicCleal I have followed (docs.puppet.com/puppet/3.8/ssl_regenerate_certificates.html) to regenerate certs. But now when I executed puppet agent -t, I have received the following error: Error: Could not request certificate: Connection refused - connect(2). Kindly help in getting this resolved. I am a beginner in Puppet and looks like I have messed up the Puppet Master Connection thing badly. This is becoming a showstopper for me to move forward. - Vinay Dabas
Connection refused suggests the master service is stopped - start it (perhaps the puppetmaster service, depending on your version and how you installed.) - Dominic Cleal
@DominicCleal I set up two fresh VMs for this. I did everything again but again I am stuck at Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppetmaster01.example.com] Now, this is new. Though the SSL error looks similar, the part in brackets, "certificate revoked for", is new. How do I go about it? - Vinay Dabas
I would guess you have run a puppet cert clean and revoked the certificate, but it's hard to say from the limited information. - Dominic Cleal

1 Answer

In a Puppet master/agent deployment, and according to the docs, the administrator will need to sign the client's cert on the Puppet master. Have you signed the cert on your Puppet master?

Depending on which version of Puppet you're on, try running sudo puppetserver ca sign fullnameOFhost.something.com or sudo puppet cert sign <name of host>.

You can look at outstanding client certs that need signing by running sudo puppet cert list or sudo puppetserver ca list, again depending on the version.
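As an added example (not part of the question, the answer, or Puppet's own tooling), here is a small POSIX shell lint that reads a puppet.conf laid out like the one in the question and reports two things worth checking on the agent before asking the master to sign anything: whether the agent's effective certname (taken from [agent], else from [main], which is how Puppet resolves settings) is actually that host's own FQDN, and whether the master has autosign = true, which makes it sign every CSR it receives without review. The sample configuration written to a temp file, the expected FQDN puppetagent01.example.com, and the function names are all constructed assumptions for the example.

```shell
#!/bin/sh
# Hypothetical puppet.conf lint (added example; not from the question or from Puppet).

# conf_get SECTION KEY FILE: print the value of KEY in [SECTION], or nothing if unset.
# Comment lines (#) are ignored; whitespace around key, '=' and value is trimmed.
conf_get() {
  awk -v sec="[$1]" -v key="$2" '
    /^[[:space:]]*\[/ { cur = $0; sub(/^[[:space:]]*/, "", cur); sub(/[[:space:]]*$/, "", cur); next }
    cur == sec && $0 !~ /^[[:space:]]*#/ {
      line = $0
      sub(/^[[:space:]]*/, "", line)
      n = index(line, "=")
      if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/[[:space:]]/, "", k)
      sub(/^[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
      if (k == key) { print v; exit }
    }' "$3"
}

# conf_effective SECTION KEY FILE: value seen by that application, honouring the
# [main] fallback that puppet.conf uses when a more specific section is silent.
conf_effective() {
  v=$(conf_get "$1" "$2" "$3")
  [ -n "$v" ] || v=$(conf_get main "$2" "$3")
  printf '%s\n' "$v"
}

# lint_puppet_conf FILE EXPECTED_FQDN: print one finding per line and return the
# number of findings as the exit status (0 means nothing was flagged).
lint_puppet_conf() {
  file=$1; expected_fqdn=$2; findings=0
  cn=$(conf_effective agent certname "$file")
  if [ -n "$cn" ] && [ "$cn" != "$expected_fqdn" ]; then
    echo "agent certname is '$cn' but this host is '$expected_fqdn': the CSR will carry the wrong CN"
    findings=$((findings + 1))
  fi
  if [ "$(conf_effective master autosign "$file")" = "true" ]; then
    echo "autosign = true in [master]: every CSR is signed without review"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample: an abbreviated copy of the layout from the question, where
# [main] carries the master's certname and [agent] does not override it.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#Settings in [main] are used if a more specific section does not set a value.
[main]
    certname = puppetmaster01.example.com
    vardir=/var/lib/puppet
    ssldir=/var/lib/puppet/ssl
    factpath=$vardir/lib/facter
    server = puppetmaster01.example.com

[master]
# This section is used by the Puppet master and Puppet cert applications.
    certname = puppetmaster01.example.com
    autosign = true

# This section is used by the Puppet agent application.
[agent]
    report = true
    pluginsync = true
    environment = production
EOF

# Demo run as if this file were on the agent host (FQDN is an assumption; on a
# real agent you would pass "$(hostname -f)" instead).
EXPECTED_FQDN=${EXPECTED_FQDN:-puppetagent01.example.com}
if lint_puppet_conf "$SAMPLE_CONF" "$EXPECTED_FQDN"; then
  echo "no findings for $EXPECTED_FQDN"
else
  echo "$? finding(s) for $EXPECTED_FQDN"
fi
```

Run it with EXPECTED_FQDN set to the agent's real FQDN to see which of the two settings applies; the exit status lets you chain it into a provisioning check. The lint reads only the file it is given and does not touch the SSL directory or contact the master.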