Puppet Certificates


This blog describes how the puppet certificates work and what to do when they don't.

After you install the first puppet master, the CA on that master generates a root SSL certificate. With certificates issued by this CA, the connection between the puppet master and each puppet agent is encrypted and authenticated on both sides.

To prevent certificate problems you have to comply with the following checklist before installing the puppet master software:

  • Hostname: puppet
  • Network connectivity
  • DNS -> all machines with puppet software require the same dns suffix
  • Open firewall ports: 80, 443, 8140
  • Sufficient rights

When you comply with the checklist you can install the puppet master software.
The installation will automatically generate the required certificates.

OK, the master is done. Let's proceed with the puppet agents.

The checklist for the puppet agents is almost the same.

  • a recognizable hostname
  • Network connectivity
  • DNS -> all machines with puppet software require the same dns suffix
  • Open firewall ports: 80, 443, 8140
  • Sufficient rights
  • Can you ping “puppet”? The agent connects to the puppet master using that name.

OK, you comply with this checklist? Great job! These are the basics of a good puppet installation.

When your agent installation is finished, run the command “sudo puppet agent --test” and you will see the agent connect to the master and leave a certificate signing request.

To show the certificate requests from puppet agents: “sudo puppet cert list --all”

If the certificate request succeeded, you'll see the puppet agent listed as agenthostname.domainname.ext,
and the next thing to do is sign the certificate: “sudo puppet master sign agenthostname.domainname.ext”
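As an added example (not code from the original post), a small Python parser for the output of “sudo puppet cert list --all”: it separates pending requests from signed and revoked certificates, and flags agent names whose DNS suffix differs from the master's, which is the "wrong name" situation the checklist is meant to prevent. The sample output below is constructed; the hostnames and fingerprints are not from any real deployment.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `sudo puppet cert list --all` output. A leading "+"
# marks a signed certificate, "-" a revoked one, and no prefix a pending
# signing request. Fingerprints are shortened placeholders.
SAMPLE_CERT_LIST = """\
  "web01.example.com" (SHA256) 0A:1B:2C:3D:4E:5F:60:71
+ "puppet.example.com" (SHA256) 11:22:33:44:55:66:77:88 (alt names: "DNS:puppet", "DNS:puppet.example.com")
+ "db01.example.com" (SHA256) 99:AA:BB:CC:DD:EE:FF:00
  "db02.example.org" (SHA256) DE:AD:BE:EF:01:02:03:04
"""

# prefix, quoted certname, digest algorithm, fingerprint, optional alt names
LINE_RE = re.compile(
    r'^([+-]?)\s*"([^"]+)"\s+\((\w+)\)\s+([0-9A-Fa-f:]+)'
    r'(?:\s+\(alt names: (.*)\))?\s*$'
)


@dataclass
class CertEntry:
    name: str
    state: str  # "signed", "revoked" or "pending"
    digest: str
    fingerprint: str
    alt_names: List[str]


def parse_cert_list(text: str) -> List[CertEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        prefix, name, digest, fp, alts = m.groups()
        state = {"+": "signed", "-": "revoked", "": "pending"}[prefix]
        alt_names = re.findall(r'"DNS:([^"]+)"', alts or "")
        entries.append(CertEntry(name, state, digest, fp, alt_names))
    return entries


def pending_requests(entries: List[CertEntry]) -> List[str]:
    """Certnames still waiting to be signed on the master."""
    return [e.name for e in entries if e.state == "pending"]


def wrong_suffix(entries: List[CertEntry], master_name: str) -> List[str]:
    """Certnames whose DNS suffix differs from the master's (checklist violation)."""
    suffix = "." + master_name.split(".", 1)[1]
    return [e.name for e in entries if not e.name.endswith(suffix)]
```

Run `wrong_suffix` against the master's own certname before signing anything: a name in that list is a candidate for the single-agent re-generation described later rather than for signing.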

(of course all commands are without the “”)

Now you have a basic setup and the agent can retrieve configuration from the master.
In another blog I will show how you can give an agent the desired configuration.

OK... if you followed these checklists it will always work... but...

What to do when you have puppet certificate problems?

When you have certificate problems, the puppet agent will never pull the configuration from the master.
There are two possible problems:

  1. All Master and Agent certificates have wrong names. You have to re-generate all puppet certificates.
  2. One agent has a wrong certificate, so only the certificate on that single agent needs to be re-generated.

The next two paragraphs describe the solutions for these problems.

Re-generate all puppet certificates?

On the master:

Remove the ssl dir from the first command. example:

Generate the new certificate:

Start the puppet master, but not as a daemon:

As soon as you see the puppet master version, press ctrl+c to quit the process.

Start the puppet master:

On the agent:

Remove the ssl dir from the first command. example:

Go to the master and sign the certificate.

Re-generate a certificate for one puppet agent?

When the puppet agent is started it will generate the certificate and request the master to sign it. When you have a wrong name in the certificate, you have to remove the request on the master.
Simply do:

Go to the agent and run:

Go to the master and sign the certificate:

I hope this will clear some issues on your puppet deployments.

Please give this post a rating, so other puppet professionals will see the value of it. Thank you!
