I can''t get a new client working with my puppet master. When I try to run ''puppet agent --test'' on the client, I get err: Could not request certificate: Connection refused - connect(2) Exiting; failed to retrieve certificate and waitforcert is disabled I can''t telnet from the client to the server on port 8140. There are no firewalls between the 2 servers. I''ve turned off iptables and ip6tables on both servers. The times are sync''d. Both servers can ping each other by IP address and hostname. Doing a netstat -an on the puppet master server shows that it is not listening on port 8140. Yet, I have verified that pe-puppet is running. Any suggestions? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/WEyyqRVvbgsJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Von: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] Im Auftrag von Mike Gesendet: Dienstag, 13. März 2012 15:04 An: puppet-users@googlegroups.com Betreff: [Puppet Users] Can''t send certificate request I can''t get a new client working with my puppet master. When I try to run ''puppet agent --test'' on the client, I get err: Could not request certificate: Connection refused - connect(2) Exiting; failed to retrieve certificate and waitforcert is disabled I can''t telnet from the client to the server on port 8140. There are no firewalls between the 2 servers. I''ve turned off iptables and ip6tables on both servers. The times are sync''d. Both servers can ping each other by IP address and hostname. Doing a netstat -an on the puppet master server shows that it is not listening on port 8140. Yet, I have verified that pe-puppet is running. Any suggestions? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/WEyyqRVvbgsJ. To post to this group, send email to puppet-users@googlegroups.com<mailto:puppet-users@googlegroups.com>. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com<mailto:puppet-users+unsubscribe@googlegroups.com>. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Try puppet agent --verbose --debug --server your.server --environment your_env --waitforcert 60 --no-daemonize Bernd Von: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] Im Auftrag von Bernd Adamowicz Gesendet: Dienstag, 13. März 2012 15:54 An: ''puppet-users@googlegroups.com'' Betreff: AW: [Puppet Users] Can''t send certificate request Von: puppet-users@googlegroups.com<mailto:puppet-users@googlegroups.com> [mailto:puppet-users@googlegroups.com] Im Auftrag von Mike Gesendet: Dienstag, 13. März 2012 15:04 An: puppet-users@googlegroups.com<mailto:puppet-users@googlegroups.com> Betreff: [Puppet Users] Can''t send certificate request I can''t get a new client working with my puppet master. When I try to run ''puppet agent --test'' on the client, I get err: Could not request certificate: Connection refused - connect(2) Exiting; failed to retrieve certificate and waitforcert is disabled I can''t telnet from the client to the server on port 8140. There are no firewalls between the 2 servers. I''ve turned off iptables and ip6tables on both servers. The times are sync''d. Both servers can ping each other by IP address and hostname. Doing a netstat -an on the puppet master server shows that it is not listening on port 8140. Yet, I have verified that pe-puppet is running. Any suggestions? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/WEyyqRVvbgsJ. To post to this group, send email to puppet-users@googlegroups.com<mailto:puppet-users@googlegroups.com>. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com<mailto:puppet-users+unsubscribe@googlegroups.com>. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com<mailto:puppet-users@googlegroups.com>. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com<mailto:puppet-users+unsubscribe@googlegroups.com>. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I tried that command as you suggested. As far as I can tell, it didn''t give me much useful information. Here is what it had: debug: Failed to load library ''selinux'' for feature ''selinux'' debug: Puppet::Type::User::ProviderLdap: true value when expecting false debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist debug: Puppet::Type::User::ProviderPw: file pw does not exist debug: /File[/etc/puppetlabs/puppet/ssl]: Autorequiring File[/etc/puppetlabs/puppet] debug: /File[/var/opt/lib/pe-puppet/lib]: Autorequiring File[/var/opt/lib/pe-puppet] It then continued to autorequire a bunch of ssl files - basically the entire directory structure of /etc/puppetlabs/puppet/ssl as well as all the pem files. In /var/log/messages, I see this on both the puppet master server and the client: Mar 13 10:42:38 puppet-master puppet-agent[4729]: Could not request certificate: Connection refused - connect(2) "puppet-master" is the hostname of my puppet server. However, "puppet-agent" is NOT the name of the client trying to request a certificate. That is the name of an old test box that worked successfully. Is that just a generic name that puppet uses, or is it trying to use an old config/cert? On Tuesday, March 13, 2012 9:54:59 AM UTC-5, badamowicz wrote:> > Try > > > > puppet agent --verbose --debug --server your.server --environment your_env-- > waitforcert 60 --no-daemonize > > > > Bernd > > > > ** > *Betreff:* AW: [Puppet Users] Can''t send certificate request > > > > > > > > > > *Von:* puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com<puppet-users@googlegroups.com>] > *Im Auftrag von *Mike > *Gesendet:* Dienstag, 13. März 2012 15:04 > *An:* puppet-users@googlegroups.com > *Betreff:* [Puppet Users] Can''t send certificate request > > > > I can''t get a new client working with my puppet master. When I try to run > ''puppet agent --test'' on the client, I get > > err: Could not request certificate: Connection refused - connect(2) > Exiting; failed to retrieve certificate and waitforcert is disabled > > I can''t telnet from the client to the server on port 8140. There are no > firewalls between the 2 servers. I''ve turned off iptables and ip6tables on > both servers. The times are sync''d. Both servers can ping each other by IP > address and hostname. > > Doing a netstat -an on the puppet master server shows that it is not > listening on port 8140. Yet, I have verified that pe-puppet is running. > > Any suggestions? > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/puppet-users/-/WEyyqRVvbgsJ. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/UpzL-l-0nasJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I think I''ve found the solution. I''m not sure what the original root issue was, but at some point during the troubleshooting process, I cleared out the certs on the puppet master server. This was preventing pe-httpd from starting. Once I restored the certs, pe-httpd could start, and everything worked. On Tuesday, March 13, 2012 9:04:15 AM UTC-5, Mike wrote:> > I can''t get a new client working with my puppet master. When I try to run > ''puppet agent --test'' on the client, I get > > err: Could not request certificate: Connection refused - connect(2) > Exiting; failed to retrieve certificate and waitforcert is disabled > > I can''t telnet from the client to the server on port 8140. There are no > firewalls between the 2 servers. I''ve turned off iptables and ip6tables on > both servers. The times are sync''d. Both servers can ping each other by IP > address and hostname. > > Doing a netstat -an on the puppet master server shows that it is not > listening on port 8140. Yet, I have verified that pe-puppet is running. > > Any suggestions? >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/d8FK_Ycgp2QJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Tue, Mar 13, 2012 at 7:04 AM, Mike <mrwboilers@gmail.com> wrote:> I can''t get a new client working with my puppet master. When I try to run > ''puppet agent --test'' on the client, I get > > err: Could not request certificate: Connection refused - connect(2) > Exiting; failed to retrieve certificate and waitforcert is disabled > > I can''t telnet from the client to the server on port 8140. There are no > firewalls between the 2 servers. I''ve turned off iptables and ip6tables on > both servers. The times are sync''d. Both servers can ping each other by IP > address and hostname. > > Doing a netstat -an on the puppet master server shows that it is not > listening on port 8140. Yet, I have verified that pe-puppet is running. > > Any suggestions?Is pe-httpd running? Apache should be listening on 8140. Nan -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.