Auto-signing new Puppet agents with Puppetca

toad · May 16, 2019, 9:56am

Problem:

Puppet agent certificate signing request ends with a 404 error :

Expected outcome:

Puppet agent certificate signing request being signed by the Puppetca

Foreman and Proxy versions:

Foreman version : 1.21.3

Other relevant data:

Hello,

I’m trying to configure a Puppetserver + Foreman/Puppetca stack.

There is no Puppetca on the Puppetserver, the Puppetca is hosted on the same host as Foreman.

I think that most of it is well configured, I added the Puppetserver’s smart-proxy in Foreman, execution reports are correctly sent to Foreman from the Puppetserver.

The only part that fails, is the certificate signing of new Puppet agents.
New clients can contact the Puppetserver and get their catalog executed as long as their client certificate is manually generated on the Puppetca (same host as Foreman) and manually copied on the client.

I tried to configure hosts to contact directly the Foreman/Puppetca host :

user@client ~]# grep “ca_server” /etc/puppetlabs/puppet/puppet.conf
ca_server = foreman.domain.com
ca_port = 8443

But I always get this error :

[user@client ~]# /opt/puppetlabs/bin/puppet agent -t
Error: Could not request certificate: Find /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true resulted in 404 with the message: Requested url was not found
Exiting; failed to retrieve certificate and waitforcert is disabled

I guess that the foreman-proxy is well configured on the Foreman host :

[user@foreman ~]# cat /etc/foreman-proxy/settings.d/puppetca.yml
:enabled: https
:ssldir: /etc/puppetlabs/puppet/ssl
:use_provider: puppetca_hostname_whitelisting

[user@foreman ~]# cat /etc/puppetlabs/puppet/autosign.conf
*.domain.com

There must be somthing I’m missing or did not understand, can you please help me with that ?

Thanks =)

ekohl · May 16, 2019, 10:43am

This is the Foreman Proxy, but that’s not a Puppet CA server. Only an API abstraction for Foreman. You should use the real service, which is probably on the default port (8140).

toad · May 16, 2019, 10:49am

Thanks for you answer, but there is no service listening on port 8140 on the Foreman host. Any idea where to check and configure that ?

[root@foreman ~]# netstat -taupen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:34128         0.0.0.0:*               LISTEN      998        99015      21560/Passenger Rac
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          29648      5177/sshd
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      998        49365      9479/ruby
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      26         44287      8756/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          30069      5455/master
tcp6       0      0 :::80                   :::*                    LISTEN      0          48410      9568/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      0          29657      5177/sshd
tcp6       0      0 ::1:5432                :::*                    LISTEN      26         44286      8756/postgres
tcp6       0      0 ::1:25                  :::*                    LISTEN      0          30070      5455/master
tcp6       0      0 :::8443                 :::*                    LISTEN      997        80132      20205/ruby
tcp6       0      0 :::443                  :::*                    LISTEN      0          48406      9568/httpd
udp        0      0 0.0.0.0:69              0.0.0.0:*                           0          42353      8552/xinetd
udp6       0      0 ::1:39646               ::1:39646               ESTABLISHED 26         44298      8756/postgres

ekohl · May 16, 2019, 11:30am

You need to install puppetserver there. I notice it’s running on port 3000 which hints at a manual installation. You’re responsible for installing a Puppetserver to run the CA.

toad · May 16, 2019, 11:37am

Ok thanks for the answer, I didn’t know that a full puppetserver was mandatory to run the CA server.

toad · May 16, 2019, 12:30pm

That was it, as soon as a puppetserver was installed (no configuration needed), autosigning started working.

Thanks a lot !