Thursday, August 1, 2013

Troubleshooting steps for Puppet certificates

Check that both the puppetmaster and the client machine can resolve the FQDN of the puppetmaster, and that both resolve it to the same address. If you are not using DNS, add the puppetmaster IP to /etc/hosts on both machines, then check it with:

$ ping puppetmaster

or

$ getent hosts puppetmaster

Check that you can reach the puppetmaster from the client machine

$ telnet puppetmaster 8140

If the connection is refused, first make sure the puppetmaster process is actually listening on 8140 (for example with netstat -tlnp or ss -tlnp), then check that the port is open in the puppetmaster firewall:

# iptables -L -n -v

Or add a rule to allow incoming traffic to that port (this depends on how iptables is already configured: -A appends at the end of the INPUT chain, so if an earlier rule already rejects everything else, insert it before that rule with -I instead, and remember the rule is not persistent across reboots unless you save it):

# iptables -A INPUT -p tcp --dport 8140 -m state --state NEW -j ACCEPT

And run from the client

# puppet agent --test --waitforcert 5

Afterwards, from the puppetmaster

# puppet cert list

will list the certificate requests waiting to be signed. Check that the request really belongs to the client machine by comparing the fingerprint shown there with the one the client prints (puppet agent --fingerprint). Sign it:

# puppet cert sign $client

The puppetmaster will then compile a catalog for the client and you can follow how it is applied in the client console (the agent started with --waitforcert 5 polls every 5 seconds until the certificate is signed).

To regenerate the puppetmaster's own certificate, stop the puppetmaster and

# find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete

This removes the master's certificate, its keys and the copy the CA keeps in ca/signed/, but leaves the CA itself (ca/ca_crt.pem, ca/ca_key.pem) alone. Do not delete the CA files unless you intend to re-issue every agent's certificate as well. When you start the puppetmaster again, it will regenerate its certificate for you, signed by the existing CA.

On the client side, it is enough to remove the contents of the ssldir, usually /var/lib/puppet/ssl (check it with puppet agent --configprint ssldir, as above). The master still holds the old signed certificate for that name, so first let it forget it:

# puppet cert clean $client

Otherwise the new request will be rejected as a duplicate. The next time you invoke

# puppet agent --test --waitforcert 5

the client certificate will be recreated and a new request sent, which you sign as before.

Finally, check the CN of the puppetmaster's certificate with

# puppet cert list --all

and make sure that the name you use to reach the master (the one in /etc/hosts or DNS) matches either the CN or one of the ALT names listed; otherwise the client will reject the connection with a hostname mismatch even though everything else is in place.
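The checks above (name resolution, reaching port 8140, and matching the name you use against the CN/alt names on the master's certificate) gathered into shell functions, as an added example that is not part of the original post. The hostname, the port and the sample puppet cert list --all output are constructed here for illustration; on a real system feed the function the actual command output.

```bash
#!/bin/sh
# Added example, not from the original post. Wraps the troubleshooting steps in
# functions that can be run from the client. MASTER and PORT are assumptions;
# set them to your own master's FQDN and port.

MASTER="${MASTER:-puppetmaster}"
PORT="${PORT:-8140}"

# Step 1: does the master's name resolve (via /etc/hosts or DNS)?
resolves_fqdn() {
    getent hosts "$1" >/dev/null 2>&1
}

# Step 2: can we open a TCP connection to the master?
# Uses bash's /dev/tcp (needs bash on the PATH); a refused or filtered
# connection, or a missing bash, returns non-zero. timeout(1) bounds a
# filtered port to 5 seconds when it is available.
port_open() {
    command -v bash >/dev/null 2>&1 || return 2
    if command -v timeout >/dev/null 2>&1; then
        timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# Step 3: names on the master's certificate. Reads the output of
# "puppet cert list --all" on stdin, keeps the line for certname $1 and prints
# the CN plus every alt name (quoted tokens, DNS: prefix stripped), one per line.
master_cert_names() {
    grep -F "\"$1\"" | grep -o '"[^"]*"' | tr -d '"' | sed 's/^DNS://' | sort -u
}

# Step 4: is the name we connect with ($2) the CN or an alt name of cert $1?
name_on_master_cert() {
    master_cert_names "$1" | grep -qx "$2"
}

# Constructed sample of "puppet cert list --all" output (fingerprints are
# made up) so the parsing functions can be exercised without a master.
SAMPLE_CERT_LIST='+ "puppetmaster.example.com" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00 (alt names: "DNS:puppet", "DNS:puppetmaster", "DNS:puppetmaster.example.com")
+ "client1.example.com" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'

# Run the live checks in order; stop at the first failing step.
run_checks() {
    if resolves_fqdn "$1"; then
        echo "ok: $1 resolves to $(getent hosts "$1" | awk '{print $1}')"
    else
        echo "FAIL: $1 does not resolve; add it to /etc/hosts or DNS on both machines"
        return 1
    fi
    if port_open "$1" "$2"; then
        echo "ok: tcp connection to $1:$2"
    else
        echo "FAIL: cannot reach $1:$2; check the master is listening and iptables on the master"
        return 1
    fi
    echo "next: on the master run 'puppet cert list --all' and pipe it into:"
    echo "      name_on_master_cert <master certname> $1"
}

# Invoke as: sh check_puppet.sh run
if [ "${1:-}" = "run" ]; then
    run_checks "$MASTER" "$PORT"
fi
```

The certificate-name check is deliberately separated from the live checks so it can be run against saved output from the master; a hostname mismatch is the usual cause of a client that resolves and connects but still fails the SSL handshake.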
