Troubleshooting Puppet Communication

Hands-On Lab

 

Elle Krout

Content Team Lead in Content

Length

00:30:00

Difficulty

Intermediate

In an ideal world, we would be able to provision our hosts and have things work consistently without problems every day ― but that is not the case because a system that is completely immune to all issues does not exist. In this hands-on lab, we explore the reasons why a node with the Puppet agent is unable to connect to our Puppet master. We will start this lesson by ensuring that there are no connection issues overall and then explore using the certificate authority to confirm if any conflicting certificates are preventing the node from connecting. Once the problem is tracked down, we will take the appropriate steps to fix the communication issue and connect our node to the Puppet master.

Solution

Begin by logging in to the lab server using the credentials provided on the hands-on lab page:

 ssh cloud_user@PUBLIC_IP_ADDRESS

Replicate the Issue

  1. Install Puppet on the node1 Ubuntu node using the one-command installer:

    $ curl -k https://puppet.ec2.internal:8140/packages/current/install.bash | sudo bash

  2. When prompted, input the login password.

  3. On the Puppet master, attempt to approve the cert:

    $ sudo puppetserver ca sign --all

  4. When prompted, input the login password.

    Notice that it returns the message "no certificate request were awaiting to be signed", which is an error.

Discover the Root of the Issue

  1. Since the installation command succeeded, we know that the node can connect to the Puppet master, so the issue isn't related to a firewall or to any inter-node communication. So, let's see if the status message for the puppet service tells us anything (make sure to work from the node1 node):

    $ sudo systemctl status puppet | less

  2. Now, from the Puppet master, list the available cert information:

    $ sudo puppetserver ca list --all

    Note: A revoked certificate does not mean that all certificate information has been erased from our master.

    The output shows a revoked certificate for a node with the same name as the one we've been working with. We've tracked down the problem!
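As an added example (not part of the original lab), the check above can be scripted: the functions below read the CA listing and report which section a certname appears in, so a stale revoked entry is flagged before a new request is expected. The section-header layout of the listing, the function names and the sample listing are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own code.
# Assumed layout of `puppetserver ca list --all` output: section headers
# ("Requested Certificates:", "Signed Certificates:", "Revoked Certificates:")
# each followed by indented lines that begin with the certname.

# Print the section(s) in which a certname appears.
# $1 = certname; the CA listing is read from stdin.
cert_states() {
  awk -v name="$1" '
    /^[A-Za-z]+ Certificates:/ { section = tolower($1); next }
    $1 == name && section != "" { print section }
  '
}

# Turn the section(s) into a troubleshooting verdict for one certname.
# A revoked entry is checked first because it is the case this lab tracks down.
diagnose() {
  states=$(cert_states "$1" | sort -u | tr '\n' ' ')
  case "$states" in
    *revoked*)   echo "stale-revoked: run puppetserver ca clean --certname $1" ;;
    *signed*)    echo "already-signed: a certificate for this name exists on the master" ;;
    *requested*) echo "pending: request is waiting to be signed" ;;
    *)           echo "absent: no CA record for this certname" ;;
  esac
}

# Constructed sample listing (not captured from a real master).
SAMPLE_LISTING='Signed Certificates:
    puppet.ec2.internal   (SHA256)  AA:BB:CC:DD   alt names: ["DNS:puppet"]
Revoked Certificates:
    node1.ec2.internal    (SHA256)  11:22:33:44'

# Live use on the Puppet master:
#   sudo puppetserver ca list --all | diagnose node1.ec2.internal
```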

Solve the Issue

  1. Clean the original cert from the Puppet master:

    $ sudo puppetserver ca clean --certname node1.ec2.internal

  2. To double-check that the certificate issue still exists, restart the Puppet service on the node1 node:

    $ sudo systemctl restart puppet

    Note: A restart does not automatically regenerate certificates.

  3. Next, view the status with:

    $ sudo systemctl status puppet

    The same error should be encountered, indicating that the certificate is not functioning.

  4. Switch to root with:

    $ sudo -i

  5. Remove the existing certificate information from the node1 node:

    ~# rm -r "$(puppet agent --configprint ssldir)"

  6. We can run the following to view the location:

    ~# puppet agent --configprint ssldir

  7. To see if the directory is gone, use the ls command:

    ~# ls /etc/puppetlabs/puppet/ssl

  8. While still under root and on node1, generate new certs for the node:

    ~# puppet agent -t

    Note: The output should indicate that a new SSL key was created.

  9. Sign the cert on the Puppet master:

    $ sudo puppetserver ca sign --certname node1.ec2.internal

    We should see a message indicating that the signed certificate request was successful.

  10. Further verification is optional, but we can confirm that it worked by performing a Puppet run against the node1 node:

    ~# puppet agent -t

Conclusion

Congratulations - you've completed this hands-on lab!