Troubleshooting Connection and Certificate Errors on Puppet Clients
The following sections outline errors that you might encounter on Puppet clients running Junos OS. These sections also present potential causes and solutions for each error.
Puppet Client Request Certificate Error
Problem
Description: The Puppet client generates an error that it cannot request a certificate from the Puppet master.
% puppet agent --test
Info: Creating a new SSL key for puppet-client.example.com
Error: Could not request certificate: Invalid argument - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
Cause
The Puppet master might not be running an instance of the puppet master process.
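On the Puppet master, review the list of active processes to determine whether the puppet master process is running. If it is running, the output includes the puppet process. In the following sample output, only the grep command itself is listed, which indicates that the puppet master process is not running.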
[root@puppet-master ~]# ps aux | grep puppet
root 3328 0.0 0.0 103308 848 pts/0 S+ 12:42 0:00 grep puppet
Alternatively, on the Puppet client, telnet to the Puppet master on port 8140. If the puppet master process is not running, the connection fails.
% telnet puppet-master.example.com 8140
Trying 198.51.100.1...
telnet: connect to address 198.51.100.1: Connection refused
telnet: Unable to connect to remote host
Solution
If the Puppet master is not running an instance of the puppet master process, start the process by issuing the puppet master command with any required options. Then verify that the process is running.
[root@puppet-master ~]# puppet master options
[root@puppet-master ~]# ps aux | grep puppet
puppet 1785 0.0 4.4 437540 45028 ? Ssl 11:21 0:01 /opt/puppet/embedded/bin/puppet
root 3328 0.0 0.0 103308 848 pts/0 S+ 12:42 0:00 grep puppet
Puppet Client No Certificate Found Error
Problem
Description: The Puppet client generates a no certificate found error and fails to download the catalog from the Puppet master.
Exiting; no certificate found and waitforcert is disabled
Cause
The error might indicate that the certificate for the Puppet client is not signed.
Solution
On the Puppet master, sign outstanding client certificate requests using the puppet cert sign command. For example:
[root@puppet-master]# puppet cert sign puppet-client.example.com
Notice: Signed certificate request for puppet-client.example.com
Notice: Removing file Puppet::SSL::CertificateRequest puppet-client.example.com at '/var/lib/puppet/ssl/ca/requests/puppet-client.example.com'
See the official Puppet documentation for detailed information about Puppet commands.
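Signing a request tells the master to trust whoever generated that key, so it is worth confirming that the pending request is the one the client actually created. The following is an added example, not part of the original documentation or of Puppet itself: it compares the fingerprint the master holds for a pending request with the fingerprint reported on the client. The helper names are hypothetical, the sample data is constructed, and the output formats of puppet cert list and puppet agent --fingerprint shown in the comments are assumptions that may differ between Puppet versions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): confirm that a pending CSR on the
# Puppet master carries the fingerprint the client reported before signing it.
# Assumed formats: `puppet cert list` prints  "certname" (SHA256) AA:BB:...
# and `puppet agent --fingerprint` prints  (SHA256) AA:BB:...

# Strip an optional "(DIGEST)" label, colons and whitespace; uppercase the hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/([A-Za-z0-9]*)//' | tr -d ' :\t\r\n' | tr 'a-f' 'A-F'
}

# Read `puppet cert list` output on stdin and print the fingerprint recorded
# for exactly the certname in $1 (no prefix or substring matches).
pending_fp() {
    awk -v want="$1" '$1 == ("\"" want "\"") { print $NF; found = 1 }
                      END { exit !found }'
}

# Usage: puppet cert list | safe_to_sign <certname> <fingerprint from client>
# Returns 0 on a match, 1 on a mismatch, 2 if no request is pending.
safe_to_sign() {
    [ -n "$2" ] || { echo "no client fingerprint supplied" >&2; return 1; }
    pending=$(pending_fp "$1") || { echo "no pending request for $1" >&2; return 2; }
    if [ "$(normalize_fp "$pending")" != "$(normalize_fp "$2")" ]; then
        echo "fingerprint mismatch for $1: do not sign" >&2
        return 1
    fi
}

# Constructed sample data (not real fingerprints), shortened for readability.
SAMPLE_LIST='  "puppet-client.example.com" (SHA256) A1:B2:C3:D4:E5:F6:07:18
  "puppet-client.example.com.lab" (SHA256) 11:22:33:44:55:66:77:88'
SAMPLE_CLIENT_FP='(SHA256) a1:b2:c3:d4:e5:f6:07:18'

if printf '%s\n' "$SAMPLE_LIST" | safe_to_sign puppet-client.example.com "$SAMPLE_CLIENT_FP"; then
    echo "match: puppet cert sign puppet-client.example.com"
fi
```

On a live master, pipe the real puppet cert list output into safe_to_sign and pass the fingerprint obtained from the client over a separate, trusted channel.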