Re: [Puppet Users] Re: puppet master not seeing certificate signing request from agent

2018-11-01 Thread Matt Zagrabelny
Hey Justin,

Thanks for the reply!

On Wed, Oct 31, 2018 at 10:49 PM Justin Stoller wrote:

> What happens on the agent that is running on the master?
>

Works as expected. Thus indicting the firewall.

Digging deeper... it looks like Debian testing bit me. But I don't blame
them - I know I'm tracking a moving target.

iptables upgraded from 1.6 to 1.8 (and I didn't reboot after). There are
new semantics (iptables-legacy) and the firewall was still blocking 8140 in
the legacy mode. I've rebooted and cleared the legacy chains/tables.

Things work as expected now.

Thanks for the help and hints. It is very appreciated!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3W0ooT3P2PKbqHqLyPFN5KDEUXrTieUWvOgEn7-wzo3xg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
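
The legacy/nft split described in the message above, as an added example that is not part of the original thread: iptables 1.8 ships separate `iptables-legacy-save`/`ip6tables-legacy-save` and `iptables-nft-save`/`ip6tables-nft-save` commands, so an "allow" rule visible through one backend says nothing about rules still loaded in the other. The helper names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). blocking_rules and scan_backends are
# hypothetical helper names; both SAMPLE_* dumps are constructed.

# Read iptables-save text on stdin; report filter/INPUT entries that can stop
# TCP traffic to port $1. First-pass heuristic: ignores rule order, multiport
# matches and jumps to user-defined chains.
blocking_rules() {
  awk -v port="$1" '
    /^\*/ { table = substr($0, 2) }
    table != "filter" { next }
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
      hit = ($0 ~ ("--dport " port "( |$)"))
      if (hit && $0 ~ /-j ACCEPT/) allowed = 1
      if (hit && $0 ~ /-j (DROP|REJECT)/) print "rule: " $0
    }
    END {
      if (policy != "" && policy != "ACCEPT" && !allowed)
        print "policy: INPUT " policy " with no ACCEPT for port " port
    }'
}

# Dump every backend/family that is installed and check each one (needs root).
# Live use: scan_backends 8140
scan_backends() {
  for cmd in iptables-legacy-save ip6tables-legacy-save \
             iptables-nft-save ip6tables-nft-save; do
    command -v "$cmd" >/dev/null 2>&1 || continue
    "$cmd" 2>/dev/null | blocking_rules "$1" | sed "s/^/$cmd: /"
  done
}

# Constructed: the ruleset the admin edits (nft backend) allows 8140 ...
SAMPLE_NFT='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
COMMIT'
# ... while a stale legacy ruleset, still loaded in the kernel, does not.
SAMPLE_LEGACY='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_NFT" | blocking_rules 8140 | sed 's/^/nft sample: /'
printf '%s\n' "$SAMPLE_LEGACY" | blocking_rules 8140 | sed 's/^/legacy sample: /'
```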


Re: [Puppet Users] Re: puppet master not seeing certificate signing request from agent

2018-10-31 Thread Justin Stoller
What happens on the agent that is running on the master?

When running any agent there's a flag, `--http_debug` I think, that will
show you exactly what Puppet's requesting.

Seeing the output from curling the CA endpoints from the agent in question
might be helpful (both from curl's side and the master's).
See:
https://puppet.com/docs/puppet/5.5/http_api/http_certificate_request.html
and the related CA endpoints. You should be able to do a GET on
certificate/ca and certificate_revocation_list/ca

The agent's timing out doing something, running with --trace might help
with that.

On Wed, Oct 31, 2018 at 2:12 PM Matt Zagrabelny wrote:

>
>
> On Wed, Oct 31, 2018 at 11:23 AM Matt Zagrabelny wrote:
>
>> Greetings,
>>
>> I'm running puppet 5.5.6 (Debian testing).
>>
>> I'm having issues getting the master to see the cert signing request from
>> an agent.
>>
>> The firewall isn't an issue. I see the packets hit an "allow" rule on the
>> master, but I've also turned the firewall off.
>>
>> tcpdump shows the packets reaching the server:
>>
>> 2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>> 2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>> 2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>>
>> 2607::2a = agent
>> 2607::20 = master
>>
>> I'm not seeing anything from the server:
>>
>> # puppet master --no-daemonize
>> Warning: Accessing 'ca' as a setting is deprecated.
>>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in `issue_deprecation_warning')
>> Warning: The WEBrick Puppet master server is deprecated and will be removed in a future release. Please use Puppet Server instead. See http://links.puppet.com/deprecate-rack-webrick-servers for more information.
>>    (location: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
>> Notice: Starting Puppet master version 5.5.6
>>
>> Adding --debug or --verbose didn't seem to yield any extra log messages
>> after the "Starting Puppet master..." for when I expected a cert signing
>> request message.
>>
>> and the agent just shows an expiration:
>>
>> # puppet agent -t --server puppet-5-5
>> Warning: Setting cadir is deprecated.
>>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
>> Error: Could not request certificate: execution expired
>> Exiting; failed to retrieve certificate and waitforcert is disabled
>>
>> Any ideas where to look next?
>>
>>
>>
> No new updates, but I wanted to add that lsof reports puppet listening:
>
> puppet  25053  puppet  8u  IPv4 125393  0t0  TCP *:8140 (LISTEN)
> puppet  25053  puppet  9u  IPv6 125394  0t0  TCP *:8140 (LISTEN)
>
> and I'm not seeing anything in the master log file:
>
> [2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted on /.
> [2018-10-31 16:05:35] INFO  WEBrick::HTTPServer#start: pid=25053 port=8140
>
> Confused...
>
> -m
>

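
The curl check suggested in this message, as an added example that is not part of the original thread: it requests the two CA endpoints named above and maps curl's exit code to the layer that failed, which separates a silent packet-filter drop (timeout) from a missing listener (refused). Assumptions: the `/puppet-ca/v1` prefix and `environment` query parameter of the Puppet 5.x HTTP API, port 8140, and the hypothetical `PUPPET_MASTER` variable and function names.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and PUPPET_MASTER are
# hypothetical; the URL layout assumes the Puppet 5.x CA HTTP API.

ca_url() {  # ca_url HOST ENDPOINT
  printf 'https://%s:8140/puppet-ca/v1/%s?environment=production\n' "$1" "$2"
}

explain_curl_exit() {  # map a curl exit code to the layer that failed
  case "$1" in
    0)  echo "HTTP response received: the master is reachable" ;;
    6)  echo "DNS: could not resolve the master's name" ;;
    7)  echo "connection refused or unreachable: no listener, or a REJECT rule" ;;
    28) echo "timeout: packets are probably being dropped by a packet filter" ;;
    35) echo "TLS handshake failed: the TCP path itself is fine" ;;
    *)  echo "curl exit $1: see EXIT CODES in curl(1)" ;;
  esac
}

probe_ca() {  # probe_ca HOST
  for ep in certificate/ca certificate_revocation_list/ca; do
    url=$(ca_url "$1" "$ep")
    rc=0
    # --insecure: the CA certificate is the thing being fetched, so the agent
    # has nothing to verify the server against yet. Compare the fetched
    # certificate's fingerprint with the master's out of band before trusting it.
    code=$(curl --silent --insecure --connect-timeout 5 --max-time 15 \
                --output /dev/null --write-out '%{http_code}' "$url") || rc=$?
    echo "$url -> http=$code; $(explain_curl_exit "$rc")"
  done
}

# Run only when a master is named, e.g. PUPPET_MASTER=puppet-5-5 sh probe.sh
if [ -n "${PUPPET_MASTER:-}" ]; then probe_ca "$PUPPET_MASTER"; fi
```

The "execution expired" error in the thread corresponds to the timeout case here; run the probe from the agent while watching the master's log for a matching request.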


[Puppet Users] Re: puppet master not seeing certificate signing request from agent

2018-10-31 Thread Matt Zagrabelny
On Wed, Oct 31, 2018 at 11:23 AM Matt Zagrabelny wrote:

> Greetings,
>
> I'm running puppet 5.5.6 (Debian testing).
>
> I'm having issues getting the master to see the cert signing request from
> an agent.
>
> The firewall isn't an issue. I see the packets hit an "allow" rule on the
> master, but I've also turned the firewall off.
>
> tcpdump shows the packets reaching the server:
>
> 2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>
> 2607::2a = agent
> 2607::20 = master
>
> I'm not seeing anything from the server:
>
> # puppet master --no-daemonize
> Warning: Accessing 'ca' as a setting is deprecated.
>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in `issue_deprecation_warning')
> Warning: The WEBrick Puppet master server is deprecated and will be removed in a future release. Please use Puppet Server instead. See http://links.puppet.com/deprecate-rack-webrick-servers for more information.
>    (location: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
> Notice: Starting Puppet master version 5.5.6
>
> Adding --debug or --verbose didn't seem to yield any extra log messages
> after the "Starting Puppet master..." for when I expected a cert signing
> request message.
>
> and the agent just shows an expiration:
>
> # puppet agent -t --server puppet-5-5
> Warning: Setting cadir is deprecated.
>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
> Error: Could not request certificate: execution expired
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> Any ideas where to look next?
>
>
>
No new updates, but I wanted to add that lsof reports puppet listening:

puppet  25053  puppet  8u  IPv4 125393  0t0  TCP *:8140 (LISTEN)
puppet  25053  puppet  9u  IPv6 125394  0t0  TCP *:8140 (LISTEN)

and I'm not seeing anything in the master log file:

[2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted on /.
[2018-10-31 16:05:35] INFO  WEBrick::HTTPServer#start: pid=25053 port=8140

Confused...

-m
