What happens on the agent that is running on the master?

When running any agent there's a flag, `--http_debug` I think, that will
show you exactly what Puppet's requesting.

Seeing the output from curling the CA endpoints from the agent in question
might be helpful (both from curl's side and the master's).
See:
https://puppet.com/docs/puppet/5.5/http_api/http_certificate_request.html
and the related CA endpoints. You should be able to do a GET on
certificate/ca and certificate_revocation_list/ca

The agent's timing out doing something; running with --trace might help
with that.

On Wed, Oct 31, 2018 at 2:12 PM Matt Zagrabelny <mzagr...@d.umn.edu> wrote:

>
>
> On Wed, Oct 31, 2018 at 11:23 AM Matt Zagrabelny <mzagr...@d.umn.edu>
> wrote:
>
>> Greetings,
>>
>> I'm running puppet 5.5.6 (Debian testing).
>>
>> I'm having issues getting the master to see the cert signing request from
>> an agent.
>>
>> The firewall isn't an issue. I see the packets hit an "allow" rule on the
>> master, but I've also turned the firewall off.
>>
>> tcpdump shows the packets reaching the server:
>>
>> 2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>> 2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>> 2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>>
>> 2607::2a = agent
>> 2607::20 = master
>>
>> I'm not seeing anything from the server:
>>
>> # puppet master --no-daemonize
>> Warning: Accessing 'ca' as a setting is deprecated.
>>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in
>> `issue_deprecation_warning')
>> Warning: The WEBrick Puppet master server is deprecated and will be
>> removed in a future release. Please use Puppet Server instead. See
>> http://links.puppet.com/deprecate-rack-webrick-servers for more
>> information.
>>    (location:
>> /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
>> Notice: Starting Puppet master version 5.5.6
>>
>> Adding --debug or --verbose didn't seem to yield any extra log messages
>> after the "Starting Puppet master..." for when I expected a cert signing
>> request message.
>>
>> and the agent just shows an expiration:
>>
>> # puppet agent -t --server puppet-5-5
>> Warning: Setting cadir is deprecated.
>>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
>> `issue_deprecation_warning')
>> Error: Could not request certificate: execution expired
>> Exiting; failed to retrieve certificate and waitforcert is disabled
>>
>> Any ideas where to look next?
>>
>>
>>
> No new updates, but I wanted to add that lsof reports puppet listening:
>
> puppet    25053          puppet    8u  IPv4 125393      0t0  TCP *:8140
> (LISTEN)
> puppet    25053          puppet    9u  IPv6 125394      0t0  TCP *:8140
> (LISTEN)
>
> and I'm not seeing anything in the master log file:
>
> [2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted
> on /.
> [2018-10-31 16:05:35] INFO  WEBrick::HTTPServer#start: pid=25053 port=8140
>
> Confused...
>
> -m
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAOLfK3XYkCM7c3CfB2_CuSGAZ9RFy_4Lk--Xqqc7WEM69z4oTA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
>
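
The curl check suggested in the reply above, written out as an added example that is not part of the original thread: it requests the two CA endpoints and uses curl's phase timers to tell whether the attempt stalled at TCP connect, at the TLS handshake, or at the HTTP layer. The function names are hypothetical; the assumptions are port 8140 (as in the thread), the `/puppet-ca/v1/` paths from the linked Puppet 5.5 API docs, and an environment called `production`.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.
# Assumptions: master listens on 8140; CA paths follow the Puppet 5.5
# HTTP API docs; "production" is a valid environment name.

# True when a curl timer such as "0.000000" is zero, meaning that
# phase of the transfer never completed.
is_zero() { [ -z "$(printf '%s' "$1" | tr -d '0.,')" ]; }

# diagnose CURL_EXIT TIME_CONNECT TIME_APPCONNECT HTTP_CODE
# Prints the furthest stage the request reached.
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo "http $4: request reached the HTTP layer"
    elif is_zero "$2"; then
        echo "connect: no TCP connection established (curl exit $1)"
    elif is_zero "$3"; then
        echo "tls: TCP connected, handshake did not finish (curl exit $1)"
    else
        echo "http: TLS up, no complete response (curl exit $1)"
    fi
}

# probe_ca HOST: GET certificate/ca and certificate_revocation_list/ca.
probe_ca() {
    host=$1
    for ep in certificate/ca certificate_revocation_list/ca; do
        url="https://$host:8140/puppet-ca/v1/$ep?environment=production"
        # -k: a new agent has no CA certificate yet, so verification is
        # off. This checks reachability only; do not trust the body.
        out=$(LC_ALL=C curl -sk -o /dev/null -H 'Accept: text/plain' \
              --connect-timeout 10 --max-time 30 \
              -w '%{time_connect} %{time_appconnect} %{http_code}' "$url")
        rc=$?
        set -- $out   # split the three -w fields into $1 $2 $3
        printf '%s -> %s\n' "$ep" \
            "$(diagnose "$rc" "${1:-0}" "${2:-0}" "${3:-000}")"
    done
}

# Run only when a host is given, e.g.: sh probe_ca.sh puppet-5-5
if [ $# -gt 0 ]; then probe_ca "$1"; fi
```

Running it from the agent while tcpdump runs on the master lets both sides of the same attempt be compared.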
