I have configured a Puppet Master-Agent setup (OS: Ubuntu). Both can ping/ssh each other. DNS is set properly. Master is able to generate new CA and cert while Agent is throwing error when 'puppet agent -t' is executed to generate the certificates.
I received error along with the solution and I performed as suggested and further received:
Exiting; failed to retrieve certificate and waitforcert is disabled
Kindly help in getting this one resolved. Below is the /etc/puppet/puppet.conf (Same on Master-Agent)
#Settings in [main] are used if a more specific section does not set a value.
[main]
certname = puppetmaster01.example.com
logdir=/var/log/puppet
vardir=/var/lib/puppet
basemodulepath = /etc/puppetlabs/puppet/environments/production/modules:/opt/puppet/share/puppet/modules
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
server = puppetmaster01.example.com
user = puppet
group = puppet
archive_files = true
archive_file_server = puppetmaster01.example.com
[master]
# This section is used by the Puppet master and Puppet cert applications.
dns_alt_names = puppet,puppet.example.com,puppetmaster01,puppetmaster01.example.com,puppetagent01,puppetagent01.example.com
certname = puppetmaster01.example.com
reports = http,puppetdb
reporturl = https://localhost:443/reports/upload
node_terminus = exec
external_nodes = /etc/puppetlabs/puppet-dashboard/external_node
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
storeconfigs_backend = puppetdb
storeconfigs = true
autosign = true
# This section is used by the Puppet agent application.
[agent]
report = true
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
graph = true
pluginsync = true
environment = production
In a puppet master/agent deployment and from the docs, the administrator will need to sign the client's Cert on the puppet master. Have you signed the cert on your puppet master?
Depending on which version of puppet you're on: Try running sudo puppetserver ca sign fullnameOFhost.something.com
or sudo puppet cert sign <name of host>
You can look at outstanding client certs that need signing by running sudo puppet cert list
or sudo puppetserver ca list
, again depending on the version.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.