
I’m happy to see that PuppetLabs recently released an AskBot site at ask.puppetlabs.com.  AskBot is a Q&A site very similar to StackOverflow.  PuppetLabs’ site is still in beta, but there are already several good questions being asked and answered.

Puppet questions are typically answered in IRC, or through the mailing list.  Rolling out AskBot is a welcome change that will serve to help new users, and collect answers to common questions for reference in the future.



Puppet Enterprise and PuppetDB – Failed to submit ‘replace facts’ command

I’m working on setting up PuppetDB for the first time with a Puppet Enterprise master.  For my purposes, the PuppetDB node is a separate server from my master.

When trying to sync the agent on my master for the first time, I got an error while connecting to PuppetDB.

Jan 18 23:34:52 ubuntu puppet-agent[4023]: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppetclient.domain.com to PuppetDB at puppetdb.domain.com:8081: Certname "/o=*.domain.com/ou=domain control validated*.domain.com" must not contain unprintable or non-ASCII characters

I tried recreating my keystore and truststore files in /etc/puppetlabs/puppetdb/ssl, but I kept getting the same error.

After some digging, I found a script: /opt/puppet/sbin/puppetdb-ssl-setup.

I tried running this script, but it kept complaining with the following error.

root@puppetclient:/opt/puppet/sbin# ./puppetdb-ssl-setup
cp: cannot stat `/etc/puppetlabs/puppet/ssl/private_keys/puppetclient.pem': No such file or directory

Thoroughly frustrated, I dug into the script and found the problem.

fqdn=`facter fqdn`
# use hostname if fqdn is not available
if [ ! -n "$fqdn" ] ; then
    fqdn=`facter hostname`
fi

When I had set up my puppetclient server, I didn’t bother to configure DNS.  I had created an entry for puppetdb.domain.com in /etc/hosts, and had manually specified puppetclient.domain.com in my puppet.conf file.

During the initial Puppet Enterprise setup process, /etc/puppetlabs/puppet/ssl/private_keys/puppetclient.domain.com.pem had been created, but without DNS, `facter fqdn` was returning nil, so puppetdb-ssl-setup was using `facter hostname` instead.  Since /etc/puppetlabs/puppet/ssl/private_keys/puppetclient.pem didn’t exist, the script failed.

After configuring DNS, `facter fqdn` correctly returned puppetclient.domain.com, and puppetdb-ssl-setup completed successfully, allowing my puppet agent to successfully connect to puppetdb on sync.
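
A pre-flight check for the failure described above, added here as an example and not part of puppetdb-ssl-setup or the original post: it mirrors the script's fqdn-then-hostname lookup, compares the result with the certname set in puppet.conf, and confirms that a private key with that name exists. The function names, the `--live` switch and passing the certname as an argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: predicts which key file puppetdb-ssl-setup will try to copy.

# Mirror the script's lookup: use the fqdn, fall back to the short hostname.
setup_name() {
    fqdn=$1
    short=$2
    if [ -n "$fqdn" ]; then
        printf '%s\n' "$fqdn"
    else
        printf '%s\n' "$short"
    fi
}

# Args: ssl dir, fqdn (may be empty), short hostname, certname from puppet.conf.
# Returns 0 if the key exists, 1 on a name mismatch, 2 if the key is missing.
preflight() {
    ssl_dir=$1
    name=$(setup_name "$2" "$3")
    certname=$4
    key="$ssl_dir/private_keys/$name.pem"
    if [ "$name" != "$certname" ]; then
        echo "MISMATCH: script will use '$name', certname is '$certname'"
        return 1
    fi
    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        return 2
    fi
    echo "OK: $key"
}

# Run against the live host only when asked: ./preflight.sh --live <certname>
# (hypothetical file name and switch; the certname is the one in puppet.conf).
if [ "${1:-}" = "--live" ]; then
    preflight /etc/puppetlabs/puppet/ssl \
        "$(facter fqdn)" "$(facter hostname)" "${2:-}"
fi
```

On the host in this post, the check would have reported the mismatch between `puppetclient` and `puppetclient.domain.com` before the `cp` error appeared.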

The initial problem seems to be a bug with the way the puppet agent handles the certificate validation.  I was not able to use a keystore.jks file made from a valid cert from Thawte, but using puppetdb-ssl-setup proved to be an effective way to get things moving.

Of course, I found these sites after I had solved the issue.
