One of the virtual machines in my home lab has been sitting there calling out to me…”Power me up, learn more puppet….leaaaarrrn!” So, tonight, I obliged.
Until now I’ve been doing my work in the Learn Puppet VM that Puppet Labs provides for free (http://info.puppetlabs.com/download-learning-puppet-VM.html) and have been going through their exercises over lunches and in the evenings. With my new environment at home being more conducive to bringing up and tearing down VMs, I figured it was time to get this going. My wife is now running Linux too, so I can manage that box.
Not having had to do the setup on the VM, I didn’t really consider what was going to be necessary to get it going from scratch. I figured I’d do my tests with the Master and Agent on my server itself initially and then go from there. That was the plan at least.
I just whisked away and installed (DON’T DO THIS)
$ sudo apt-get install puppet puppet-master
And that’s where things started to go sideways. The problems weren’t apparent until I wanted to make the agent’s SSL certificate be friendly with the master, which was actually the same box.
I was getting many errors about the certificate being incorrect, and issues with my FQDN (I’ll address those in a separate post). This is because there’s some special setup that you need to go through to get them running together. Even though the Puppet VM is running Puppet Enterprise, I took a lot of my cues from there.
We’ll start this over from the beginning rather than a “fix a broken setup” perspective.
Step 1. Install Puppet Master:
This is in the default Ubuntu 13.04 Raring repos
$ sudo apt-get install puppetmaster
But then go ahead and shut it down right away and verify that it’s not running:
$ sudo /etc/init.d/puppetmaster stop
$ ps -ef | grep puppet
Step 2. Blow away existing SSL configuration
At the time of this writing, the default puppet SSL configuration is in /var/lib/puppet/ssl so we can just blow away that SSL directory. Yes, it’s safe to do this. Puppet will recreate this structure when we restart it.
$ sudo rm -rf /var/lib/puppet/ssl
Step 3. Generate proper certificate names in puppet.conf
puppet.conf is the config file for puppet. Mine was already populated with some attributes under [main] and [master].
The two values that matter from an SSL perspective and need to be set are
I’m not running a local domain at home (yet) so I just have the hostname to worry about. These two config values should match.
Step 4. Start puppet master back up via init.d & check the cert it generated (in the newly re-generated SSL directory)
$ sudo /etc/init.d/puppetmaster start && ls -l /var/lib/puppet/ssl/certs/
Step 5. Install Puppet agent
$ sudo apt-get install puppet
Step 6. Use puppet agent to test connect to puppet master
Because the certs should have the same name (we set that up in step 3), this should all be “OK” already.
$ sudo puppet agent --no-daemonize --onetime --verbose
Nothing should be done (because you haven’t written any classes/manifests yet) but you could do something easy like create a file or ensure NTP is configured.
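A scripted version of the checks in steps 4 and 6, as an added example that is not part of the original post: it confirms that a generated certificate carries the expected name and is signed by the master's CA, which is what goes wrong when an old SSL directory is left in place. The function names are made up for this example, and <name> is a placeholder for whatever name you configured in step 3.

```shell
#!/bin/sh
# Added example (not from the original post). Real use, with the ssl directory
# from step 2 and <name> as a placeholder for the name you configured in step 3:
#   check_puppet_cert /var/lib/puppet/ssl/certs/<name>.pem <name> \
#       /var/lib/puppet/ssl/certs/ca.pem

# Print the subject CN of a PEM certificate (empty if unreadable).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit status: 0 ok, 1 name mismatch, 2 unreadable cert, 3 not signed by this CA.
check_puppet_cert() {
    cert=$1; expected=$2; ca=$3
    cn=$(cert_cn "$cert")
    if [ -z "$cn" ]; then
        echo "FAIL: cannot read a subject CN from $cert" >&2
        return 2
    fi
    if [ "$cn" != "$expected" ]; then
        echo "FAIL: cert CN '$cn' does not match expected name '$expected'" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 3
    fi
    echo "OK: '$cn' matches and is signed by the CA in $ca"
}

# Constructed test data: a throwaway CA plus one leaf cert for NAME in DIR.
# This only stands in for what the master generates in step 4.
make_demo_pki() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA $name" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/$name.pem" 2>/dev/null
}
```

Exit status 3 is the case to watch for after regenerating the SSL directory: the name is right, but the certificate was issued by a CA that no longer exists.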
Commands that were helpful in researching this issue
I didn’t actually need all of these, but they were useful in the journey.
puppet cert --list
puppet cert sign
sudo openssl verify -CAfile /etc/puppet/ssl/certs/ca.pem /etc/puppet/ssl/certs/myhostname.domain.com.pem
Puppet’s troubleshooting documentation on certificates: http://docs.puppetlabs.com/guides/troubleshooting.html