Aha, I can answer *half* of my own question after another hour of work. The issue was the certname field in the config. Removing it makes that all work. I also removed the short hostname from dns_alt_names, since it seemed unnecessary. That leaves me only with the famous certificate mismatch problem.
```
...
Debug: Finishing transaction 5407140
Info: Creating a new SSL key for loire.example.com
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet.example.com:8140
Info: Caching certificate for loire.example.com
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: EF:0B:DB:FD:8F:18:AB:DC:1F:82:BF:8B:A0:92:CB:D3:4F:0D:72:DC:F2:23:B8:A0:74:76:33:56:6E:32:1F:50
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean loire.example.com
On the agent:
  1a. On most platforms: find /var/lib/puppet/ssl -name loire.example.com.pem -delete
  1b. On Windows: del "/var/lib/puppet/ssl/loire.example.com.pem" /f
  2. puppet agent -t
Exiting; failed to retrieve certificate and waitforcert is disabled
1,[T] jeff@loire:~ $
```

Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255 <-- only when I'm in the UK
http://ml-week.com/ next edition, 2016
http://jeff.purple.com/
http://blog.purple.com/jeff/

On 17 February 2016 at 16:58, Jeff Abrahamson <[email protected]> wrote:

> I set up a puppetserver. It's, well, not generating errors outright.
>
> On the same host, I want to run a puppet agent. But the agent doesn't
> seem to want to use the FQDN of the host, and so it fails to connect.
>
> [T] jeff@loire:~ $ puppet agent --debug --test
> ...
> Debug: Finishing transaction 27923380
> Debug: Creating new connection for https://puppet:8140
> Error: Could not request certificate: getaddrinfo: Name or service not known
> Exiting; failed to retrieve certificate and waitforcert is disabled
> 1,[T] jeff@loire:~ $
> 1,[T] jeff@loire:~ $ cat /etc/puppet/puppet.conf
> [main]
> logdir=/var/log/puppet
> vardir=/var/lib/puppet
> ssldir=/var/lib/puppet/ssl
> rundir=/var/run/puppet
> factpath=$vardir/lib/facter
> certname = puppet
> dns_alt_names = puppet,puppet.example.com
>
> [master]
> # These are needed when the puppetmaster is run by passenger
> # and can safely be removed if webrick is used.
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> [agent]
> server = puppet.example.com
> [T] jeff@loire:~ $ cat /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 ubuntu
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 139.162.147.68 loire.example.com loire
> [T] jeff@loire:~ $ netstat -a | grep 8140
> tcp6 0 0 [::]:8140 [::]:* LISTEN
> [T] jeff@loire:~ $
>
> Of course, s/example/my-real-domain-name/g. Note that loire is the host's
> A record; there's a CNAME called puppet. (Note that telnetting to
> loire.example.com 8140 connects: the tcp6 is a netstat artefact as far as
> I know.)
>
> Reflection, poking, and googling are drawing blanks for me. Any
> suggestions?
>
> Jeff Abrahamson
> +33 6 24 40 01 57
> +44 7920 594 255 <-- only when I'm in the UK
> http://ml-week.com/ next edition, 2016
> http://jeff.purple.com/
> http://blog.purple.com/jeff/

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
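The first half of the problem in this thread comes from Puppet's section precedence: a setting in `[main]` applies to every run mode, so a `certname` meant for the master is also picked up by the agent on the same host. The following is an added example, not code from the thread or from Puppet itself: a small stdlib-only audit that parses a puppet.conf (a constructed sample modelled on the one quoted above), resolves the effective `certname` and `server` for the agent the way Puppet does (mode section first, then `[main]`), flags a `[main]` certname that differs from the host FQDN and any short names in `dns_alt_names`, and produces a corrected config. Scoping `certname` and `dns_alt_names` to `[master]` rather than deleting them outright is my choice here; the post simply removed the setting. The same-host check of `server` against the master's certificate names assumes master and agent share the file, as they do in the thread.

```python
"""Audit puppet.conf section precedence for a host running both master and agent.

Added example, not Puppet's own tooling. Assumes puppet.conf is plain INI
(configparser handles it) and that [main] applies to every run mode unless a
mode-specific section ([agent], [master]) overrides the setting.
"""
import configparser
import io

# Constructed sample modelled on the puppet.conf quoted in the thread.
SAMPLE_PUPPET_CONF = """\
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
certname = puppet
dns_alt_names = puppet,puppet.example.com

[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
server = puppet.example.com
"""


def load_puppet_conf(text):
    # interpolation=None keeps "$vardir"-style references verbatim
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def effective_setting(cfg, run_mode, key, default=None):
    """Resolve a setting the way Puppet does: the run-mode section wins over [main]."""
    for section in (run_mode, "main"):
        if cfg.has_option(section, key):
            return cfg.get(section, key).strip()
    return default


def audit_agent_identity(cfg, host_fqdn):
    """Return (effective agent certname, list of findings) for a given host FQDN."""
    findings = []
    agent_certname = effective_setting(cfg, "agent", "certname", host_fqdn)
    # A certname set only in [main] leaks into the agent run mode.
    if agent_certname != host_fqdn and not cfg.has_option("agent", "certname"):
        findings.append(
            f"[main] certname={agent_certname!r} also applies to the agent, which "
            f"will request a certificate under that name instead of {host_fqdn!r}"
        )
    alt_names = [
        n.strip()
        for n in effective_setting(cfg, "master", "dns_alt_names", "").split(",")
        if n.strip()
    ]
    for name in alt_names:
        if "." not in name:
            findings.append(f"dns_alt_names entry {name!r} is a short hostname; prefer the FQDN")
    # Same-host assumption: the agent's server name must be one of the master cert's names.
    server = effective_setting(cfg, "agent", "server", "puppet")
    master_names = {effective_setting(cfg, "master", "certname", host_fqdn), *alt_names}
    if server not in master_names:
        findings.append(
            f"agent server={server!r} is not among the master's certificate names "
            f"{sorted(master_names)}"
        )
    return agent_certname, findings


def scope_certname_to_master(cfg):
    """Return a copy with certname and dns_alt_names moved from [main] into [master]."""
    fixed = configparser.ConfigParser(interpolation=None)
    fixed.read_dict({s: dict(cfg.items(s)) for s in cfg.sections()})
    if not fixed.has_section("master"):
        fixed.add_section("master")
    for key in ("certname", "dns_alt_names"):
        if fixed.has_option("main", key):
            fixed.set("master", key, fixed.get("main", key))
            fixed.remove_option("main", key)
    return fixed


def render(cfg):
    """Serialise a config back to puppet.conf text."""
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    conf = load_puppet_conf(SAMPLE_PUPPET_CONF)
    certname, problems = audit_agent_identity(conf, "loire.example.com")
    print(f"agent would request a certificate as: {certname}")
    for p in problems:
        print(" -", p)
    print("\ncorrected puppet.conf:\n" + render(scope_certname_to_master(conf)))
```

Run against the sample, the audit reports that the agent would enrol as `puppet` rather than `loire.example.com` and that `puppet` is a short alternative name; after the fix the agent falls back to the FQDN, which is the behaviour the post arrived at by removing the setting.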
