Hey there,

I was introduced to puppet by Luke at Velocity and I'm just starting to work on this. I'm having a bit of trouble getting the servers to accept certificates. To test the configuration, I set up two VMware images with CentOS 5.1 default installs. I picked up the RHEL5 RPMs for puppet, facter and puppet-server. I installed all the packages on the "server" which has a hostname of "puppetmaster".

I start up puppetmasterd and it creates its own certs without hassle. I then installed facter and puppet on the other server which has a hostname of "agent". When I start up puppet with...

    puppetd --server puppetmaster --waitforcert 60 --test

It creates the local certs and then just sits there. I do a puppetca --list on the master and it says "No certificates to sign". The agent machine ends up getting a timeout. I've tried going through all the cert docs, cleaning all the certs and even started from fresh images. I can't seem to get the agent to send a request to the master.

Neither machine has a FQDN on the DNS side, but both have each other in /etc/hosts. I'm at a loss as to what to try. Thanks.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Frank Sweetser
2008-Jul-08 00:16 UTC
[Puppet Users] Re: New to Puppet - Certificate Problems
Matt wrote:
> Hey there,
>
> I was introduced to puppet by Luke at Velocity and I'm just starting
> to work on this. I'm having a bit of trouble getting the servers to
> accept certificates. To test the configuration, I setup two VMware
> images with CentOS 5.1 default installs. I picked up the RHEL5 RPMs
> for puppet, facter and puppet-server. I installed all the packages on
> the "server" which has a hostname of "puppetmaster".
>
> I start up puppetmasterd and it creates its own certs without hassle.
> I then installed facter and puppet on the other server which has a
> hostname of "agent". When I start up puppet with...
>
> puppetd --server puppetmaster --waitforcert 60 --test
>
> It creates the local certs and then just sits there. I do a
> puppetca --list on the master and it says "No certificates to sign".
> The agent machine ends up getting a timeout. I've tried going through
> all the cert docs, cleaning all the certs and even started from fresh
> images. I can't seem to get the agent to send a request to the master.
>
> Neither machine has a FQDN on the DNS side, but both have each other
> in /etc/hosts. I'm at a loss as to what to try. Thanks.

IIRC, the default installation for RHEL/CentOS is to set up the firewall in default deny mode. Check your iptables configuration, and make sure that the server is capable of receiving incoming connection on the puppetmaster port, by default 8140.

--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer  | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
Yeah. Disabled iptables, confirmed machines can talk to each other and that puppetmaster had a listen port open on 8140. Still nothing.

On Jul 7, 5:16 pm, Frank Sweetser <f...@WPI.EDU> wrote:
> IIRC, the default installation for RHEL/CentOS is to set up the firewall in
> default deny mode. Check your iptables configuration, and make sure that the
> server is capable of receiving incoming connection on the puppetmaster port,
> by default 8140.
Blake Barnett
2008-Jul-08 03:34 UTC
[Puppet Users] Re: New to Puppet - Certificate Problems
It sounds a bit like you're seeing this issue:

http://reductivelabs.com/trac/puppet/ticket/1200

You might want to try the just-announced 0.24.5rc1 to see if it resolves it for you. Either way, I'd recommend you try the --debug switch when running both the client and server to see what's going on.

-Blake

On Jul 7, 2008, at 8:21 PM, Matt wrote:
> Yeah. Disabled iptables, confirmed machines can talk to each other and
> that puppetmaster had a listen port open on 8140. Still nothing.
Can you post your log message in the terminal?
This was all just me being stupid. Had a typo in my hosts file. Amazing what a good night's sleep will reveal. Thanks for your help.
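A pre-flight check for the failure this thread ended on, added here as an example and not part of the original messages: it parses hosts-file text, looks up the name passed to `--server`, and lists near-miss entries when the name is absent. The sample hosts content, its addresses and all function names are constructed for illustration.

```python
import difflib
import socket

# Constructed sample: an agent's /etc/hosts with a misspelled master name.
SAMPLE_HOSTS = """\
127.0.0.1    localhost localhost.localdomain
192.168.10.5 pupetmaster   # typo: should be puppetmaster
192.168.10.6 agent
"""

def parse_hosts(text):
    """Map every hostname and alias in hosts-file text to its address."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                             # blank, comment-only, or no name
        addr, aliases = fields[0], fields[1:]
        for name in aliases:
            names.setdefault(name.lower(), addr) # keep the first line defining a name
    return names

def check_server_name(hosts_text, server):
    """Return (address, near_misses) for the name given to --server."""
    names = parse_hosts(hosts_text)
    addr = names.get(server.lower())
    near = []
    if addr is None:
        # Entries that differ from the wanted name by a character or two.
        near = difflib.get_close_matches(server.lower(), list(names), n=3, cutoff=0.8)
    return addr, near

def port_open(addr, port=8140, timeout=3.0):
    """True if a TCP connection to the puppetmaster port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    addr, near = check_server_name(SAMPLE_HOSTS, "puppetmaster")
    if addr is None:
        print("puppetmaster is not in the hosts file; similar entries:", near)
    else:
        print(addr, "port 8140 reachable:", port_open(addr))
```

To check a real agent, pass the contents of its `/etc/hosts` in place of `SAMPLE_HOSTS`.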