I've been banging my head against the wall with this one.  Probably a
simple fix but I'm not seeing it at the moment.

I have a proof of concept setup in our lab where I have a central
Foreman/Puppet server.  The Puppet server on the Foreman box has the
responsibility of keeping things straight on subordinate "remote servers"
that in production will be located in the same data center as the client
base they will serve.

To get the POC remote server set up I manually load the Puppet client
software on the host (later it will come pre-loaded on a VM template) and I
run the Puppet client manually.  That first run is all about the certs and
getting the Foreman ENC aware of the host.  After adding a couple of config
groups to the host, next we run puppet agent -t-test --server=<foreman
host fqdn>, all the configuration files get loaded, and then things go
sideways.

The Puppet Master daemon will not run on the host.  What I'm seeing in
/var/log/messages is as follows:

Feb 18 19:48:20 <hostname> puppet-master[32593]: Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Feb 18 19:48:20 <hostname> puppet-master[32593]: Certificate fingerprint: BC:0C:19:83:62:F8:A6:AD:ED:85:B7:19:B6:AD:75:FE:36:62:D7:43:C9:5B:76:64:E8:A1:F5:C1:FE:1F:39:21
Feb 18 19:48:20 <hostname> puppet-master[32593]: To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
Feb 18 19:48:20 <hostname> puppet-master[32593]: On the master:
Feb 18 19:48:20 <hostname> puppet-master[32593]:   puppet cert clean <agent host FQDN>
Feb 18 19:48:20 <hostname> puppet-master[32593]: On the agent:
Feb 18 19:48:20 <hostname> puppet-master[32593]:   1a. On most platforms: find /var/lib/puppet/ssl -name <agent host FQDN> -delete
Feb 18 19:48:20 <hostname> puppet-master[32593]:   1b. On Windows: del "/var/lib/puppet/ssl/<agent host FQDN>.pem" /f
Feb 18 19:48:20 <hostname> puppet-master[32593]:   2. puppet agent -t

Here is my puppet.conf (sanitized) from my client system:

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

    # Allow services in the 'puppet' group to access key (Foreman + proxy)
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }

    # Puppet 3.0.x requires this in both [main] and [master] - harmless on agents
    autosign       = $confdir/autosign.conf { mode = 664 }

    show_diff     = false

    hiera_config = $confdir/hiera.yaml

### Next part of the file is managed by a different template ###
## Module:           'puppet'

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$statedir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    # Disable the default schedules as they cause continual skipped
    # resources to be displayed in Foreman - only for Puppet >= 3.4
    default_schedules = false

    report            = true
    pluginsync        = true
    masterport        = 8140
    environment       = production
    certname          = <agent host fqdn>
    server            = <puppet host fqdn>
    listen            = false
    splay             = false
    splaylimit        = 1800
    runinterval       = 1800
    noop              = false
    configtimeout     = 600

[master]
    storeconfigs = true
    storeconfigs_backend = puppetdb
    autosign       = $confdir/autosign.conf { mode = 664 }
    reports        = foreman
    external_nodes = /etc/puppet/node.rb
    node_terminus  = exec
    ca             = true
    ssldir         = /var/lib/puppet/ssl
    certname       = <agent host FQDN>
    strict_variables = false

    environmentpath  = /etc/puppet/environments
    basemodulepath   = /etc/puppet/environments/common:/etc/puppet/modules:/usr/share/puppet/modules


Just to be clear:  <puppet host FQDN> is the central Foreman/Puppet
Master's FQDN, not the FQDN of the agent host where a "remote" Puppet master
is trying to start.

Thoughts?  Am I going about this wrong?

-- 

Peter L. Berghold                       salty.cowd...@gmail.com

http://blog.berghold.net / http://science-fiction.berghold.net
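The log line above is Puppet's own check that the certificate it holds for the agent was issued for the agent's private key. As an added example, not part of the original post, here is a POSIX shell check that reproduces that comparison against the files on disk and prints the fingerprint in the same colon-separated form, so a mismatch can be confirmed before any cert is cleaned. It assumes the Puppet 3 default layout ($ssldir/certs/<certname>.pem and $ssldir/private_keys/<certname>.pem) and that openssl is installed; the function names are my own.

```shell
#!/bin/sh
# Added example: verify that a Puppet agent's certificate belongs to its
# private key.  Assumes the default Puppet 3 ssldir layout.

# Print the SHA256 fingerprint of a PEM certificate in the colon-separated
# form used by the puppet-master log line ("BC:0C:19:...").
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the certificate's public key is the public half of the given
# private key, 1 otherwise.  Comparing DER-encoded public keys (rather than
# RSA moduli) works for RSA and EC keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null \
               | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check one agent identity: ssldir and certname exactly as in puppet.conf.
# Exit status: 0 = match, 1 = mismatch (the error from the log), 2 = a file
# is missing (a different problem, usually the first run never completed).
check_puppet_identity() {
    ssldir=$1; certname=$2
    cert="$ssldir/certs/$certname.pem"
    key="$ssldir/private_keys/$certname.pem"
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "missing cert or key for $certname under $ssldir" >&2
        return 2
    fi
    echo "certificate fingerprint: $(cert_fingerprint "$cert")"
    if cert_matches_key "$cert" "$key"; then
        echo "OK: $cert matches $key"
    else
        echo "MISMATCH: $cert was not issued for the key in $key" >&2
        return 1
    fi
}

# Usage on an agent (paths taken from the puppet.conf above):
#   check_puppet_identity /var/lib/puppet/ssl "$(hostname -f)"
```

Run it with the certname from the [master] section as well as the one from [agent]; if the two sections name different identities, each one is checked against its own key.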
