Saturday, February 18, 2012

Puppet And Common Errors

Installing Puppet can be a nightmare at times, especially if you are doing it for the first time. The error messages are not always obvious and take some experience to understand. So this is my attempt to explain the errors and suggest solutions.

Needless to say, step one is always to ensure that names resolve and that the puppet client and master can communicate. Also make sure that port 8140 is whitelisted.

Error 1: err: Could not request certificate: getaddrinfo: Name or service not known
Probable Solution: The puppet client is not able to reach the puppet master. This usually happens when you are setting up a new environment and the puppet master's name is not resolvable. If you can, put a relevant entry in your DNS and add a server variable in the [agent] section of puppet.conf. Alternatively, you can use /etc/hosts to point the client to the master, but you'll have to add appropriate entries to /etc/hosts on both the puppet master and the client.

Error 2: Starting puppetmaster: Could not prepare for execution: Could not find a default provider for user
Probable Solution: This happens because of SELinux restrictions. You can fix this by running "setenforce 0", which turns off SELinux enforcement. This is required for CA creation only, so you can turn SELinux back on after the puppet master has created the CA successfully.

Error 3: err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Probable Solution: It looks like your certificates have gone bad. Remove the /var/lib/puppet/ssl directory and request new certs signed by the puppet master.

Error 4: err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
Probable Solution: This may happen if you are referring to the puppet master by the wrong name; in other words, the CA was not built to use this name. You can find the correct CA name in the file /var/lib/puppet/ssl/ca/inventory.txt. Assign this name to the server variable in the [agent] section.
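
The name check described for Error 4, as an added Python example (not code from Puppet or from this post): it reads the server setting from puppet.conf, looks the name up in inventory.txt and also reports whether the certificate's validity window covers the current time. The function names and sample data are constructed, and the inventory layout (serial, not-before, not-after, subject) is assumed.

```python
import re
from datetime import datetime

# inventory.txt line layout (assumed): SERIAL NOT_BEFORE NOT_AFTER SUBJECT
LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+/CN=(.+)$")
STAMP = "%Y-%m-%dT%H:%M:%S"

def parse_inventory(text):
    """Map each signed certificate name to its (not_before, not_after)."""
    certs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # comment and blank lines do not match
            start, end = (datetime.strptime(s[:19], STAMP) for s in m.group(1, 2))
            certs[m.group(3).strip().lower()] = (start, end)
    return certs

def agent_server(conf_text):
    """Return 'server' from [agent], else [main], else Puppet's default 'puppet'."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "server":
                found[section] = value
    return found.get("agent") or found.get("main") or "puppet"

def check_server_name(conf_text, inventory_text, now):
    """Return (server, verdict): 'ok', 'unknown-name', 'not-yet-valid' or 'expired'."""
    server = agent_server(conf_text)
    window = parse_inventory(inventory_text).get(server.lower())
    if window is None:
        return server, "unknown-name"
    if now < window[0]:
        return server, "not-yet-valid"
    if now > window[1]:
        return server, "expired"
    return server, "ok"

# Constructed sample data, not taken from the post.
SAMPLE_CONF = "[main]\n    logdir = /var/log/puppet\n[agent]\n    server = puppet.example.com\n"
SAMPLE_INVENTORY = (
    "# Inventory of signed certificates\n"
    "0x0001 2012-02-18T09:00:00GMT 2017-02-16T09:00:00GMT /CN=Puppet CA: puppetmaster.example.com\n"
    "0x0002 2012-02-18T09:05:00GMT 2017-02-16T09:05:00GMT /CN=puppetmaster.example.com\n"
)
```

inventory.txt records only certificate subjects, so a name the master accepts through a subject alternative name will show up as "unknown-name" here; treat a miss as a hint to inspect the master's certificate, not as proof.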

Error 5: err: Could not retrieve catalog from remote server: Connection refused - connect(2)
Probable Solution: This happens because your puppet client is not able to connect to the puppet master. One reason might be a firewall that is rejecting the packets; another might be that the puppet master has died. So you either need to relax your firewall or make sure that your puppet master is always up and running. You may want to use daemontools, god or a similar application.
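
The step-one connectivity check, and the difference between Error 1 and Error 5, as an added Python example (not code from Puppet or from this post): it resolves the master's name and then attempts a TCP connection to port 8140, reporting which stage failed. The function name check_master and its status labels are made up for illustration.

```python
import socket

PUPPET_PORT = 8140  # master port named in the post

def check_master(host, port=PUPPET_PORT, timeout=3.0):
    """Return (status, detail); status is 'ok', 'dns', 'refused', 'timeout' or 'error'."""
    try:
        # Name resolution: a failure here is what the agent reports in Error 1.
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"{host} does not resolve: {exc}"
    result = ("error", f"{host} resolved to no usable address")
    for family, socktype, proto, _name, sockaddr in addrs:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "ok", f"{sockaddr[0]}:{port} accepts connections"
        except ConnectionRefusedError:
            # Actively refused: master not running, or a firewall rejecting (Error 5).
            result = ("refused", f"{sockaddr[0]}:{port} refused the connection")
        except socket.timeout:
            # No answer at all usually means a firewall is silently dropping packets.
            result = ("timeout", f"{sockaddr[0]}:{port} did not answer in {timeout}s")
        except OSError as exc:
            result = ("error", f"{sockaddr[0]}:{port}: {exc}")
        finally:
            sock.close()
    return result

if __name__ == "__main__":
    import sys
    # Default to "puppet", the name an agent uses when no server is configured.
    print(check_master(sys.argv[1] if len(sys.argv) > 1 else "puppet"))
```

Run it from the client with the same name that is set as server in puppet.conf, so the check exercises the name the agent will actually use.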

Error 6: Exiting; no certificate found and waitforcert is disabled
Probable Solution: This usually happens when a new node is introduced into the infrastructure. The node does not have a certificate yet, and since the "--waitforcert" flag was not enabled, the agent exited immediately. If your puppet master has autosign enabled, then just add the flag "--waitforcert X", with X replaced by a time in seconds, such as 60. If autosign is not enabled, then you have to sign the cert for the client manually on your puppet master.

I'll add more as I encounter them. Please let me know in comments if I am wrong anywhere. Have fun with Puppet :)

15 comments:

  1. I am having another nightmare, integrating puppet with apache or nginx. Any "spotter errors" in this area?

  2. I did integrate puppet with apache using mod_passenger. The integration was really smooth. I used Pro Puppet by James Turnbull for reference.
    Maybe I'll write something about it soon enough.

  3. Good article.. quite helpful...

  4. err: Could not call sign: Could not find certificate request for old.oldandnew.com
    Could not find certificate request for old.oldandnew.com

    1. Check if the network names to your master / client are resolvable; the client will not create a new certificate when it cannot find the master.

  5. Good stuff Aditya. I am running into the following error that I am unable to resolve. Any suggestions? Not sure how to handle this SSL error.
    [root@525879-NMPRD-BASTION1 ~]# puppet agent --test
    notice: Ignoring --listen on onetime run
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=525880-giprd-bastion1.xx.int]
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=525880-giprd-bastion1.xx.int]

    1. This is an SSL error. First thing to do is to make sure that time is in sync. Use NTP, if you can.
      If that doesn't solve your problem then do what is mentioned in Error 3.

  6. When I execute this command " puppetd --verbose --waitforcert 60 --server_name --noop " I'm getting the error "Could not prepare for execution: Could not create PID file: /var/run/puppet/agent.pid"... Please let me know the solution.


  7. I am quite new to puppet and am using puppet for my OpenStack setup. I am getting the following error, and I realize there is some issue with the syntax. I tried a few combinations, but it doesn't seem to work.

    Error: Could not parse /etc/puppet/puppet.conf: Could not match line
    hostname.domain hostname
    at /etc/puppet/puppet.conf:10.0.149.7 aio.ubuntu aio

  10. Thanks for the post. I got the Puppet vm from the PuppetLabs and on executing any module it gives the connection refused - connect (2) error. How can this be fixed?
