Puppet Enterprise and PuppetDB – Failed to submit ‘replace facts’ command

I’m working on setting up PuppetDB for the first time with a Puppet Enterprise master.  For my purposes, the PuppetDB node is a separate server from my master.

When trying to sync the agent on my master for the first time, I got an error while connecting to PuppetDB.

Jan 18 23:34:52 ubuntu puppet-agent[4023]: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppetclient.domain.com to PuppetDB at puppetdb.domain.com:8081: Certname "/o=*.domain.com/ou=domain control validated*.domain.com" must not contain unprintable or non-ASCII characters<br />

I tried recreating my keystore and truststore files in /etc/puppetlabs/puppetdb/ssl, but I kept getting the same error.

After some digging, I found a script: /opt/puppet/sbin/puppetdb-ssl-setup.

I tried running this script, but it kept complaining with the following error.

root@puppetclient:/opt/puppet/sbin# ./puppetdb-ssl-setup<br />cp: cannot stat `/etc/puppetlabs/puppet/ssl/private_keys/puppetclient.pem': No such file or directory

Thoroughly frustrated, I dug into the script and found the problem.

fqdn=`facter fqdn`
# use hostname if fqdn is not available
if [ ! -n "$fqdn" ] ; then
    fqdn=`facter hostname`

When I had setup my puppetclient server, I didn’t bother to configure DNS.  I had created an entry for puppetdb.domain.com in /etc/hosts, and had manually specified puppetclient.domain.com in my puppet.conf file.

During the initial Puppet Enterprise setup process, /etc/puppetlabs/puppet/ssl/private_keys/puppetclient.domain.com.pem had been created, but without DNS, `facter fqdn` was returning nil, so puppetdb-ssl-setup was using `facter hostname` instead.  Since /etc/puppetlabs/puppet/ssl/private_keys/puppetclient.pem didn’t exist, the script failed.

After configuring DNS, `facter fqdn` correctly returned puppetclient.domain.com, and puppetdb-ssl-setup completed successfully, allowing my puppet agent to successfully connect to puppetdb on sync.

The initial problem seems to be a bug with the way the puppet agent handles the certificate validation.  I was not able to use a keystore.jks file made from a valid cert from Thawte, but using puppetdb-ssl-setup proved to be an effective way to get things moving.

Of course, I found these sites after I had solved the issue.

Tagged ,

2 thoughts on “Puppet Enterprise and PuppetDB – Failed to submit ‘replace facts’ command

  1. I had exactly the same issue and just like didnt pop up in my google searches. Thanks for this!

  2. Ancillas says:

    Excellent. I’m glad it helped.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: