Check that both the puppetmaster and the client machine can resolve the FQDN of the puppetmaster. For this to work, add the puppetmaster IP to /etc/hosts
on both machines, then verify it with:
$ ping puppetmaster
or $ getent hosts puppetmaster
Check that you can reach the puppetmaster from the client machine:
$ telnet puppetmaster 8140
If the server refuses the connection, check that the port is open on the puppetmaster:
# iptables -L -n -v
Or add a rule to allow incoming traffic to that port (this depends on how iptables
is already configured):
# iptables -A INPUT -p tcp --dport 8140 -m state --state NEW -j ACCEPT
Then run from the client:
# puppet agent --test --waitforcert 5
Afterwards, on the puppetmaster,
# puppet cert list
will show you the cert ready to be signed; you can check that it belongs to the client machine by comparing the fingerprint. Sign it:
# puppet cert sign $client
The puppetmaster will compile a catalog for the client and you can follow how it is applied in the client console.
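As an added example that is not part of the original post, a small POSIX shell helper for the fingerprint comparison described above: it takes the output of "puppet cert list" from the master and the fingerprint the client reports with "puppet agent --fingerprint" (assumed to be available on the agent), and only answers "sign" when the two match. The sample outputs embedded below are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): check a pending CSR's fingerprint
# on the master against the one the client reports, before "puppet cert sign".

# Print the fingerprint for CERTNAME from "puppet cert list" output on stdin.
# Lines look like:   "node.example.com" (SHA256) 0A:1B:2C:...
cert_list_fingerprint() {
  certname="$1"
  grep -F "\"$certname\"" \
    | sed -n 's/.*([A-Za-z0-9]*) *\([0-9A-Fa-f:]*\).*/\1/p' \
    | head -n 1
}

# Compare two fingerprints case-insensitively; fails on an empty fingerprint.
fingerprints_match() {
  a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# sign_decision CERTNAME CLIENT_FINGERPRINT CERT_LIST_OUTPUT -> "sign" or "reject"
sign_decision() {
  master_fp=$(printf '%s\n' "$3" | cert_list_fingerprint "$1")
  if fingerprints_match "$master_fp" "$2"; then
    echo sign
  else
    echo reject
  fi
}

# Constructed sample data: two pending requests on the master, and the
# fingerprint that client1 printed with "puppet agent --fingerprint".
SAMPLE_CERT_LIST='  "client1.example.com" (SHA256) 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
  "client2.example.com" (SHA256) FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'
SAMPLE_CLIENT_FP='0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'

# Example run: only client1's request matches the fingerprint the client showed.
echo "client1.example.com: $(sign_decision client1.example.com "$SAMPLE_CLIENT_FP" "$SAMPLE_CERT_LIST")"
echo "client2.example.com: $(sign_decision client2.example.com "$SAMPLE_CLIENT_FP" "$SAMPLE_CERT_LIST")"
```

On a real master, replace SAMPLE_CERT_LIST with the output of "puppet cert list" and SAMPLE_CLIENT_FP with what the agent printed, and sign only on "sign".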
To regenerate the certificates on the puppetmaster, stop the puppetmaster and run
# find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
When you start the puppetmaster again, it will regenerate the certificate for you.
On the client side, it is enough to remove the contents of the ssldir, usually /var/lib/puppet/ssl
(but check it as above); the next time you invoke
# puppet agent --test --waitforcert 5
it will be recreated.
Finally, check the CN of the puppetmaster's certificate with
# puppet cert list --all
and make sure one of the names or subject alternative names matches the entry in your /etc/hosts.