Puppet Certificates
This blog describes how the puppet certificates work and what to do when they don’t.
After you install the first puppet master, the CA on this master will generate a root SSL certificate. With this certificate the connection between the puppet master and the puppet agents will be encrypted and authenticated.
To prevent certificate problems you have to comply with the following checklist before installing the puppet master software:
- Hostname: puppet
- Network connectivity
- DNS -> all machines with puppet software require the same DNS suffix
- Open firewall ports: 80, 443, 8140
- Sufficient rights
When you comply with the checklist you can install the puppet master software.
The installation will automatically generate the required certificates.
OK, the master is done. Let’s proceed with the puppet agents.
The checklist for the puppet agents is almost the same.
- a recognizable hostname
- Network connectivity
- DNS -> all machines with puppet software require the same DNS suffix
- Open firewall ports: 80, 443, 8140
- Sufficient rights
- Can you ping “puppet”? The agent will connect to the master using that name.
OK, you comply with this checklist? Great job! These are the basics of a good puppet installation.
When your agent installation is finished, you run the command “sudo puppet agent --test” and you will see that the agent connects to the master and leaves a certificate request.
To show the certificate requests from puppet agents: “sudo puppet cert list --all”
If the certificate request was successful you’ll see the puppet agent listed as agenthostname.domainname.ext,
and the next thing to do is to sign the certificate: “sudo puppet cert sign agenthostname.domainname.ext”
(of course all commands are without the “”)
Now you have a basic setup and the agent can retrieve configuration from the master.
In another blog I will show how you can give an agent the desired configuration.
OK… if you followed these checklists, it will always work… but…
What to do when you have puppet certificate problems?
When you have certificate problems, the puppet agent will never pull the configuration from the master.
There are two possible problems:
- All master and agent certificates have wrong names. You have to re-generate all puppet certificates.
- One agent has a wrong certificate, so only the certificate on that single agent needs to be re-generated.
The next two paragraphs describe the solutions for these problems.
Re-generate all puppet certificates?
On the master:
sudo puppet master --configprint ssldir
sudo service puppetmaster stop
Remove the ssl dir printed by the first command, for example:
sudo rm -rf /var/lib/puppet/ssl
Generate the new CA certificate (this command creates the CA because the ssldir is now empty):
sudo puppet cert list -a
Start the puppet master, but not as a daemon:
sudo puppet master --no-daemonize --verbose
As soon as you see the puppet master version, press Ctrl+C to quit the process.
Start the puppet master:
sudo service puppetmaster start
On the agent:
sudo puppet agent --configprint ssldir
sudo service puppet stop
Remove the ssl dir printed by the first command, for example:
sudo rm -rf /var/lib/puppet/ssl
sudo service puppet start
sudo puppet agent --test
Go to the master and sign the certificate:
sudo puppet cert sign agenthostname.domainname.ext
Re-generate a certificate for one puppet agent?
When the puppet agent is started it will generate its certificate and ask the master to sign it. When the certificate has a wrong name, you have to remove the request on the master.
Simply do:
sudo puppet cert clean agenthostname.domainname.ext
Go to the agent and run:
sudo puppet agent --test
Go to the master and sign the certificate:
sudo puppet cert sign agenthostname.domainname.ext
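As an added example (not from the original post), here is a small shell check that tells the two cases above apart before anything is deleted: a CN inside the agent certificate that does not match the certname, and an agent certificate that no longer chains to the CA in the ssldir because the master CA was regenerated. It assumes the Puppet 3-era ssldir layout (certs/<certname>.pem and certs/ca.pem) and the openssl CLI; the fixture function builds a constructed throwaway CA so it runs offline.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: tell the two cases apart before
# deleting anything. Assumed ssldir layout (Puppet 3 era): certs/<certname>.pem
# and certs/ca.pem; needs the openssl CLI.
# check_agent_cert SSLDIR CERTNAME
# returns 0 = ok, 1 = CN mismatch, 2 = not issued by certs/ca.pem, 3 = file missing
check_agent_cert() {
  ssldir=$1; certname=$2
  cert="$ssldir/certs/$certname.pem"; ca="$ssldir/certs/ca.pem"
  [ -f "$cert" ] && [ -f "$ca" ] || { echo "missing $cert or $ca"; return 3; }
  # RFC2253 prints the CN first; keep only its value
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed 's/.*CN=//; s/,.*//')
  if [ "$cn" != "$certname" ]; then
    echo "CN '$cn' != certname '$certname': 'puppet cert clean' it on the master"
    return 1
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$certname: not signed by the CA in $ca; the agent must be re-keyed"
    return 2
  fi
  echo "$certname: name and issuer OK"
}
# make_demo_ssldir DIR CA_CN CERTNAME CERT_CN
# Constructed fixture: throwaway CA and agent cert (not real Puppet files)
make_demo_ssldir() {
  d=$1; mkdir -p "$d/certs" "$d/private_keys"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$d/ca.key" -out "$d/certs/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$d/private_keys/$3.pem" -out "$d/$3.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/$3.csr" -CA "$d/certs/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/certs/$3.pem" 2>/dev/null
}
# Demo: a good agent, a mis-named one, and a cert left over from a replaced CA
demo() {
  t=$(mktemp -d)
  make_demo_ssldir "$t/good" puppet agent1.example.com agent1.example.com
  make_demo_ssldir "$t/bad"  puppet agent2.example.com agent2.example.net
  make_demo_ssldir "$t/old"  puppet agent3.example.com agent3.example.com
  make_demo_ssldir "$t/new"  puppet agent3.example.com agent3.example.com
  cp "$t/old/certs/agent3.example.com.pem" "$t/new/certs/"   # stale cert, new CA
  for n in good:agent1.example.com bad:agent2.example.com new:agent3.example.com; do
    check_agent_cert "$t/${n%%:*}" "${n#*:}" || :
  done
  rm -rf "$t"
}
demo
```

Run it on a real agent as check_agent_cert "$(sudo puppet agent --configprint ssldir)" "$(sudo puppet agent --configprint certname)" to see which of the two procedures above applies.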
I hope this clears up some issues in your puppet deployments.
Please give this post a rating so other puppet professionals will see the value of it. Thank you!