I’m working on setting up PuppetDB for the first time with a Puppet Enterprise master. For my purposes, the PuppetDB node is a separate server from my master.
When trying to sync the agent on my master for the first time, I got an error while connecting to PuppetDB.
Jan 18 23:34:52 ubuntu puppet-agent: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppetclient.domain.com to PuppetDB at puppetdb.domain.com:8081: Certname "/o=*.domain.com/ou=domain control validated*.domain.com" must not contain unprintable or non-ASCII characters<br />
I tried recreating my keystore and truststore files in /etc/puppetlabs/puppetdb/ssl, but I kept getting the same error.
After some digging, I found a script: /opt/puppet/sbin/puppetdb-ssl-setup.
I tried running this script, but it kept complaining with the following error.
root@puppetclient:/opt/puppet/sbin# ./puppetdb-ssl-setup<br />cp: cannot stat `/etc/puppetlabs/puppet/ssl/private_keys/puppetclient.pem': No such file or directory
Thoroughly frustrated, I dug into the script and found the problem.
fqdn=`facter fqdn` # use hostname if fqdn is not available if [ ! -n "$fqdn" ] ; then fqdn=`facter hostname` fi
When I had setup my puppetclient server, I didn’t bother to configure DNS. I had created an entry for puppetdb.domain.com in /etc/hosts, and had manually specified puppetclient.domain.com in my puppet.conf file.
During the initial Puppet Enterprise setup process, /etc/puppetlabs/puppet/ssl/private_keys/puppetclient.domain.com.pem had been created, but without DNS, `facter fqdn` was returning nil, so puppetdb-ssl-setup was using `facter hostname` instead. Since /etc/puppetlabs/puppet/ssl/private_keys/puppetclient.pem didn’t exist, the script failed.
After configuring DNS, `facter fqdn` correctly returned puppetclient.domain.com, and puppetdb-ssl-setup completed successfully, allowing my puppet agent to successfully connect to puppetdb on sync.
The initial problem seems to be a bug with the way the puppet agent handles the certificate validation. I was not able to use a keystore.jks file made from a valid cert from Thawte, but using puppetdb-ssl-setup proved to be an effective way to get things moving.
Of course, I found these sites after I had solved the issue.