Wednesday, 7 November 2018

Configuring puppet master and agent to sign certificates

When working with Puppet for the first time it is common to get stuck on the basic master/agent configuration and to lose a lot of time debugging. This post collects the issues usually hit while configuring a Puppet master and agent and signing the agent's certificate, together with the steps that avoid them.

The two errors usually seen when running puppet agent --test are:

Could not request certificate: The certificate retrieved from the master does not match the agent's private key

Could not request certificate: getaddrinfo: Name or service not known

The first one means the master already holds a certificate for this certname that was issued for a different key, typically because the agent was reinstalled or its SSL directory was regenerated; the old certificate has to be removed on the master (puppet cert clean with that certname) and the agent's ssl directory deleted before the agent can request a fresh one. The second one means the agent cannot resolve the name it was given as server=.

The following steps give a clean configuration.



     1) On both the master and the agent machine, make sure the hosts resolve each other by adding entries to the /etc/hosts file, for example:

10.2.3.4 puppet
10.2.3.5 node

Any host name can be chosen for the master and for the agent; the same names must then be used in puppet.conf in step 2.

     2) Set the following in puppet.conf on the master and on the agent.

On the master (Linux)
/etc/puppetlabs/puppet/puppet.conf

dns_alt_names = puppet
certname=puppetcert
environment=prod

dns_alt_names must match the host name from step 1 that agents will put in server= ("puppet" here): the agent checks that the master's certificate carries the name it connected to. The setting is applied when the master's certificate is generated, so set it before puppetserver is started for the first time; otherwise the master's certificate has to be regenerated.
certname can be any name for the master's certificate.
environment is optional; the environment an agent gets is the one the agent requests (default 'production'), so this setting does not change the agent run in step 8.

On the agent
/etc/puppetlabs/puppet/puppet.conf

server=puppet
certname=node

server must match the master's host name from step 1 ("puppet" in this example).
certname is the name the agent's certificate request will carry and the name under which the request appears on the master in step 7 ("node" here).


     3) If puppetserver or the puppet agent service was already running, restart it so that the new puppet.conf is read. Rebooting the machines is not needed; changes to /etc/hosts take effect immediately.
     4) Start puppetserver on the master machine with this command.


systemctl start puppetserver

check status of puppetserver

systemctl status puppetserver




puppetserver.service - puppetserver Service
   Loaded: loaded (/lib/systemd/system/puppetserver.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-11-07 18:29:03 IST; 16s ago
  Process: 2710 ExecStart=/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver start (code=exited, status=0/SUCCESS)
 Main PID: 2727 (java)
    Tasks: 26 (limit: 4915)
   Memory: 1.2G
      CPU: 1min 42.519s
   CGroup: /system.slice/puppetserver.service
           └─2727 /usr/bin/java -Xms3g -Xmx3g -XX:MaxPermSize=256m -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/p

Nov 07 18:27:16 master systemd[1]: Starting puppetserver Service...
Nov 07 18:27:16 master puppetserver[2710]: OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
Nov 07 18:29:03 master systemd[1]: Started puppetserver Service.


The above confirms that the service is up and running.

      5)  Start agent puppet with this command

puppet resource service puppet ensure=running enable=true

Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}

The above confirms that the agent service is running.

     6) On the agent, run the agent once so that it generates its key pair and sends a certificate signing request to the master:

        puppet agent --test

This first run is expected to exit with an error saying that no certificate was found (the request waits for a signature until step 7); that error can be ignored. Any other error, in particular the two quoted at the top of this post, means step 1 or step 2 is not right.

     7) On the master machine, list the pending certificate requests:

sudo /opt/puppetlabs/bin/puppet cert list
  "agentcert1"        (SHA256) 76:DD:B1:02:16:D7:BA:0F:AB:46:28:D9:7D:D4:75:DF:F7:52:D3:19:65:11:C9:B1:F7:5D:75:1B:DB:2E:3A:39
  "node"              (SHA256) 6C:D1:8C:40:A1:52:C6:F7:CE:44:FB:35:8C:EB:12:3D:2E:C8:F9:09:6B:CE:69:C7:D8:15:DA:A5:6E:17:8E:3B
  "slave.domain.name" (SHA256) A8:F8:AC:DB:8F:65:F0:B9:A5:37:23:F0:FC:1F:27:23:AB:C4:F2:5A:FB:4E:50:6B:55:3D:37:54:C1:0E:85:F8

Everything listed is a request that is waiting to be signed. Only "node" comes from the agent configured in step 2; the other two were submitted by other hosts. Do not sign a request just because it is listed: any host that can reach the master on port 8140 can submit a request for any certname, and signing binds that name, and whatever the master's manifests grant it, to the submitter's key. Before signing, compare the fingerprint shown here with the one the agent itself prints with puppet agent --fingerprint; the two must be identical. (On Puppet 6 and later the puppet cert subcommands are replaced by puppetserver ca list and puppetserver ca sign --certname node.)


Sign the agent's request with this command:

sudo /opt/puppetlabs/bin/puppet cert sign node

The command reports that the request for node was signed and removed from the pending list; the other two requests stay pending until someone decides about them.


     8) The certificate is now signed. Run the agent test command again on the agent; this time it downloads the certificate and applies the catalog:

sudo /opt/puppetlabs/bin/puppet agent --test

Info: Caching certificate for node
Info: Caching certificate for node
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for node
Info: Applying configuration version '1541597092'
Notice: /Stage[main]/Main/File[/tmp/it_works.txt]/ensure: defined content as '{md5}c8efc631283aebe758b494818c5842a1'
Notice: Applied catalog in 0.10 seconds
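The two checks that steps 1 and 7 above rely on, name resolution of server= and the fingerprint comparison before signing, as an added shell script written for this post (it is not part of Puppet and not code from the original page). It works on copies of puppet.conf, /etc/hosts and the text printed by puppet cert list and puppet agent --fingerprint, so it can be run offline; the sample files it creates are constructed, the listing reuses the fingerprints shown in step 7, and ROGUE_FP is a made-up value.

```shell
#!/bin/sh
# Pre-flight checks for the master/agent certificate workflow above.
# Example code written for this post, not part of Puppet. Every function
# takes file paths or strings, so it runs on copies offline; on a live
# host point it at the real files and the real command output.

# Print the value of key $2 from puppet.conf-style file $1
# (accepts both "key=value" and "key = value").
conf_value() {
    awk -F= -v key="$2" '
        $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# Check that the server= name in agent puppet.conf $1 resolves through
# hosts file $2. Prints the address and returns 0 on success, 1 otherwise
# (the situation behind "getaddrinfo: Name or service not known").
server_resolves() {
    server=$(conf_value "$1" server)
    [ -n "$server" ] || { echo "no server= set in $1" >&2; return 1; }
    awk -v host="$server" '
        $0 !~ /^[ \t]*#/ {
            for (i = 2; i <= NF; i++) if ($i == host) { print $1; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$2"
}

# Print the SHA256 fingerprint that the `puppet cert list` output in file $2
# shows for certname $1. Works for pending and "+"-marked signed entries and
# ignores a trailing "(alt names: ...)".
listed_fingerprint() {
    awk -v name="\"$1\"" '
        { for (i = 1; i + 2 <= NF; i++)
              if ($i == name && $(i + 1) == "(SHA256)") { print $(i + 2); exit } }' "$2"
}

# Compare the fingerprint the master lists for certname $1 (listing in file
# $2) with the text the agent printed from `puppet agent --fingerprint` ($3).
# Returns 0 only on an exact match; sign the request only in that case.
fingerprint_matches() {
    listed=$(listed_fingerprint "$1" "$2")
    agent=$(printf '%s\n' "$3" | awk '
        { for (i = 1; i < NF; i++) if ($i == "(SHA256)") { print $(i + 1); exit } }')
    [ -n "$listed" ] && [ -n "$agent" ] && [ "$listed" = "$agent" ]
}

# --- constructed sample inputs (not captured from a real system) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/agent-puppet.conf" <<'EOF'
[main]
server = puppet
certname = node
EOF
# hosts file with the master entry missing: reproduces the getaddrinfo error
cat > "$WORK/hosts-broken" <<'EOF'
127.0.0.1 localhost
10.2.3.5 node
EOF
# hosts file as in step 1
cat > "$WORK/hosts-ok" <<'EOF'
10.2.3.4 puppet
10.2.3.5 node
EOF
# `puppet cert list` output as shown in step 7
cat > "$WORK/cert-list" <<'EOF'
  "agentcert1"        (SHA256) 76:DD:B1:02:16:D7:BA:0F:AB:46:28:D9:7D:D4:75:DF:F7:52:D3:19:65:11:C9:B1:F7:5D:75:1B:DB:2E:3A:39
  "node"              (SHA256) 6C:D1:8C:40:A1:52:C6:F7:CE:44:FB:35:8C:EB:12:3D:2E:C8:F9:09:6B:CE:69:C7:D8:15:DA:A5:6E:17:8E:3B
  "slave.domain.name" (SHA256) A8:F8:AC:DB:8F:65:F0:B9:A5:37:23:F0:FC:1F:27:23:AB:C4:F2:5A:FB:4E:50:6B:55:3D:37:54:C1:0E:85:F8
EOF
# what the real agent prints with `puppet agent --fingerprint` ...
NODE_FP=6C:D1:8C:40:A1:52:C6:F7:CE:44:FB:35:8C:EB:12:3D:2E:C8:F9:09:6B:CE:69:C7:D8:15:DA:A5:6E:17:8E:3B
# ... and a made-up value standing in for a request some other host
# submitted under the same certname
ROGUE_FP=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF

preflight() {
    if addr=$(server_resolves "$WORK/agent-puppet.conf" "$WORK/hosts-broken"); then
        echo "hosts-broken: server resolves to $addr (unexpected)"
    else
        echo "hosts-broken: server= does not resolve, fix /etc/hosts (step 1)"
    fi
    echo "hosts-ok: server resolves to $(server_resolves "$WORK/agent-puppet.conf" "$WORK/hosts-ok")"
    if fingerprint_matches node "$WORK/cert-list" "(SHA256) $NODE_FP"; then
        echo "node: listed fingerprint matches the agent, safe to sign"
    fi
    if ! fingerprint_matches node "$WORK/cert-list" "(SHA256) $ROGUE_FP"; then
        echo "node: fingerprint mismatch, do not sign until the request is explained"
    fi
}

preflight
```

On a real master, feed listed_fingerprint the saved output of puppet cert list and fingerprint_matches the line the agent printed, and run puppet cert sign only when it returns 0; the parsing is deliberately tolerant of the "+" marker and the alt-names suffix that appear in puppet cert list --all output.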


If you have any questions about this, write a comment below.


Thank you.

