Managing existing hosts

Indeed you are, although it's well hidden, I grant you :slight_smile:

http://theforeman.org/manuals/1.5/index.html#3.5.5FactsandtheENC

Scroll down to "Creating hosts in Foreman with facts" - essentially
the point is that to import an existing host into Foreman, you just
run the Puppet agent on it. When the facts and report are submitted to
Foreman, it will create a new host for you if it cannot match the data
to an existing host.

With regard to certificates, this method does require you already have
a certificate in place, of course. Foreman will manage signing of
certificates for machines it provisioned, but it can't do that for
pre-existing hosts, so yes, you'll need to sort out the certs.

Hope that helps,
Greg

路路路 On 26 July 2014 00:15, Geoff Johnson wrote: > Am I missing something?

Thanks for that, I'll admit that I glossed right over that section when
reading the docs because I didn't know what ENC was.

What's interesting is that in my setup this was already done for me, I've
added a host and when I review the YAML the url contains
"鈥xternalNodes?name=test.domain.net", but when I test it at the command
line as the manual suggests I get the error:

No such file or directory - /var/lib/puppet/yaml/facts/test.domain.net.yaml

I've set this up on Fedora 19 using the repository and have almost no
special configuration except for adding some puppet classes and doing the
basic setup for provisioning.

Thanks again.

路路路 On Saturday, 26 July 2014 02:57:00 UTC-7, Greg Sutcliffe wrote: > > On 26 July 2014 00:15, Geoff Johnson <geoff....@coanda.ca > > wrote: > > Am I missing something? > > Indeed you are, although it's well hidden, I grant you :) > > http://theforeman.org/manuals/1.5/index.html#3.5.5FactsandtheENC > > Scroll down to "Creating hosts in Foreman with facts" - essentially > the point is that to import an existing host into Foreman, you just > run the Puppet agent on it. When the facts and report are submitted to > Foreman, it will create a new host for you if it cannot match the data > to an existing host. > > With regard to certificates, this method does require you already have > a certificate in place, of course. Foreman will manage signing of > certificates for machines it provisioned, but it can't do that for > pre-existing hosts, so yes, you'll need to sort out the certs. > > Hope that helps, > Greg >

If the puppet agent hasn't run at least once, then this is expected -
the puppetmaster caches the facts sent by the local system when the
agent run begins, and we exploit that cache to have the ENC script
upload the facts to Foreman. As such, if puppet hasn't run yet, the
cache won't exist.

Greg

路路路 On 26 July 2014 18:04, Geoff Johnson wrote: > Thanks for that, I'll admit that I glossed right over that section when > reading the docs because I didn't know what ENC was. > > What's interesting is that in my setup this was already done for me, I've > added a host and when I review the YAML the url contains > "...externalNodes?name=test.domain.net", but when I test it at the command > line as the manual suggests I get the error: > > No such file or directory - /var/lib/puppet/yaml/facts/test.domain.net.yaml > > I've set this up on Fedora 19 using the repository and have almost no > special configuration except for adding some puppet classes and doing the > basic setup for provisioning.

> With regard to certificates, this method does require you already have
> a certificate in place, of course. Foreman will manage signing of
> certificates for machines it provisioned, but it can't do that for
> pre-existing hosts, so yes, you'll need to sort out the certs.

You'll find the signing - requests also in Forman on the SmartProxy-Page,
as soon as you ran puppet once on the existing host. Simply click on the
certificates action at the right end of your SmartProxy listed. Then you
get a list of all known certs and certificate-requests. Simply click on the
sign button and run puppet again on your host.

KR Jens
>
> Hope that helps,
> Greg
>
> 鈥
> You received this message because you are subscribed to the Google Groups
"Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.

路路路 > To post to this group, send email to foreman-users@googlegroups.com. > Visit this group at http://groups.google.com/group/foreman-users. > For more options, visit https://groups.google.com/d/optout.

@Greg if I attempt to run the agent on the external host I get this:

Error: Could not request certificate: The certificate retrieved from the
master does not match the agent's private key.
Certificate fingerprint:
BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2
To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean test.domain.net
On the agent:
rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem
puppet agent -t

And this is largely why I was asking about manually dealing with
certificates.

@Jens When I access the certificate page I get this:

Warning!undefined method `gsub' for #<ActiveRecord::RecordNotFound:
ActiveRecord::RecordNotFound>

As mentioned previously this is a very minimal setup on F19 from the
repositories. Perhaps things work better by default in another distro,
CentOS maybe?

Thanks both for the help.

路路路 On Sunday, 27 July 2014 05:31:55 UTC-7, Jens Ott wrote: > > > > With regard to certificates, this method does require you already have > > a certificate in place, of course. Foreman will manage signing of > > certificates for machines it provisioned, but it can't do that for > > pre-existing hosts, so yes, you'll need to sort out the certs. > > You'll find the signing - requests also in Forman on the SmartProxy-Page, > as soon as you ran puppet once on the existing host. Simply click on the > certificates action at the right end of your SmartProxy listed. Then you > get a list of all known certs and certificate-requests. Simply click on the > sign button and run puppet again on your host. > > KR Jens > > > > Hope that helps, > > Greg > > > > -- > > You received this message because you are subscribed to the Google > Groups "Foreman users" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to foreman-user...@googlegroups.com . > > To post to this group, send email to forema...@googlegroups.com > . > > Visit this group at http://groups.google.com/group/foreman-users. > > For more options, visit https://groups.google.com/d/optout. >

Full trace is this:

NoMethodError
*undefined method gsub&#39; for #&lt;ActiveRecord::RecordNotFound: ActiveRecord::RecordNotFound&gt;* app/controllers/application_controller.rb:172:inerror'
app/controllers/puppetca_controller.rb:17:in rescue in index&#39; app/controllers/puppetca_controller.rb:7:inindex'
app/models/concerns/foreman/thread_session.rb:33:in clear_thread&#39; lib/middleware/catch_json_parse_errors.rb:9:incall'

I came across this issue Bug #6402: Using "run puppet" feature fails: undefined method `gsub' for #<Array ...> - Foreman and
tried the suggested fix to the puppet auth.conf file, which for me didn't
work.

路路路 On Sunday, 27 July 2014 10:12:22 UTC-7, Geoff Johnson wrote: > > @Greg if I attempt to run the agent on the external host I get this: > > Error: Could not request certificate: The certificate retrieved from the > master does not match the agent's private key. > Certificate fingerprint: > BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 > To fix this, remove the certificate from both the master and the agent and > then start a puppet run, which will automatically regenerate a certficate. > On the master: > puppet cert clean test.domain.net > On the agent: > rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem > puppet agent -t > > And this is largely why I was asking about manually dealing with > certificates. > > > @Jens When I access the certificate page I get this: > > Warning!undefined method `gsub' for # ActiveRecord::RecordNotFound> > > As mentioned previously this is a very minimal setup on F19 from the > repositories. Perhaps things work better by default in another distro, > CentOS maybe? > > Thanks both for the help. > > On Sunday, 27 July 2014 05:31:55 UTC-7, Jens Ott wrote: >> >> >> > With regard to certificates, this method does require you already have >> > a certificate in place, of course. Foreman will manage signing of >> > certificates for machines it provisioned, but it can't do that for >> > pre-existing hosts, so yes, you'll need to sort out the certs. >> >> You'll find the signing - requests also in Forman on the SmartProxy-Page, >> as soon as you ran puppet once on the existing host. Simply click on the >> certificates action at the right end of your SmartProxy listed. Then you >> get a list of all known certs and certificate-requests. Simply click on the >> sign button and run puppet again on your host. >> >> KR Jens >> > >> > Hope that helps, >> > Greg >> > >> > -- >> > You received this message because you are subscribed to the Google >> Groups "Foreman users" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> an email to foreman-user...@googlegroups.com. >> > To post to this group, send email to forema...@googlegroups.com. >> > Visit this group at http://groups.google.com/group/foreman-users. >> > For more options, visit https://groups.google.com/d/optout. >> >

That would be expected if you're had a working master/agent setup and
then pointed the agent at a new master. Try performing the steps
listed :slight_smile:

The gsub error is interesting, it implies some odd characters in one
of your cert names. The resukt of "puppet cert -la" on your master
would probably be relevant, if you can provide it.

Greg

路路路 On 27 July 2014 18:12, Geoff Johnson wrote: > @Greg if I attempt to run the agent on the external host I get this: > > Error: Could not request certificate: The certificate retrieved from the > master does not match the agent's private key. > Certificate fingerprint: > BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 > To fix this, remove the certificate from both the master and the agent and > then start a puppet run, which will automatically regenerate a certficate. > On the master: > puppet cert clean test.domain.net > On the agent: > rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem > puppet agent -t > > And this is largely why I was asking about manually dealing with > certificates.

When you suggest performing the steps listed are you referring to the
documentation? If so that's exactly what I've done, except that all of the
puppetmaster configuration for node.rb was already done exactly as it
should have been, presumably by the installer.

The listing of the certificates on the master is

[root@foreman ~]# puppet cert -la
"test.domain.net" (SHA256)
CD:EB:F8:58:B8:93:EA:D0:C6:9C:1F:22:1C:C4:AF:1A:BC:A5:74:E0:ED:A4:8D:0A:27:C0:9E:AE:96:B3:AE:36

  • "foreman.domain.net" (SHA256)
    BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2
    (alt names: "DNS:foreman.domain.net", "DNS:puppet", "DNS:puppet.domain.net")

The only thing I find curious is the inclusion of the DNS alt names for
puppet, I never suggested those. I wonder if it would help if I added them
as entries to the hosts file.

路路路 On Sunday, 27 July 2014 10:58:56 UTC-7, Greg Sutcliffe wrote: > > On 27 July 2014 18:12, Geoff Johnson <geoff....@coanda.ca > > wrote: > > @Greg if I attempt to run the agent on the external host I get this: > > > > Error: Could not request certificate: The certificate retrieved from the > > master does not match the agent's private key. > > Certificate fingerprint: > > > BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 > > > To fix this, remove the certificate from both the master and the agent > and > > then start a puppet run, which will automatically regenerate a > certficate. > > On the master: > > puppet cert clean test.domain.net > > On the agent: > > rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem > > puppet agent -t > > > > And this is largely why I was asking about manually dealing with > > certificates. > > That would be expected if you're had a working master/agent setup and > then pointed the agent at a new master. Try performing the steps > listed :) > > The gsub error is interesting, it implies some odd characters in one > of your cert names. The resukt of "puppet cert -la" on your master > would probably be relevant, if you can provide it. > > Greg >

Something else that I just realized, but I'm not sure if it matters, is
that the puppetmaster service shown by systemctl isn't running and the logs
have

[2014-07-26 17:27:18] INFO ruby 2.0.0 (2013-11-22) [x86_64-linux]
[2014-07-26 17:27:18] WARN TCPServer Error: Address already in use -
bind(2)

I did a quick search on it and there's some forum posts that say if it's
already running under passenger (which I think Foreman does) then
puppetmaster doesn't need to be running, but that seems dubious.

路路路 On Sunday, 27 July 2014 11:15:11 UTC-7, Geoff Johnson wrote: > > When you suggest performing the steps listed are you referring to the > documentation? If so that's exactly what I've done, except that all of the > puppetmaster configuration for node.rb was already done exactly as it > should have been, presumably by the installer. > > The listing of the certificates on the master is > > [root@foreman ~]# puppet cert -la > "test.domain.net" (SHA256) > CD:EB:F8:58:B8:93:EA:D0:C6:9C:1F:22:1C:C4:AF:1A:BC:A5:74:E0:ED:A4:8D:0A:27:C0:9E:AE:96:B3:AE:36 > + "foreman.domain.net" (SHA256) > BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 > (alt names: "DNS:foreman.domain.net", "DNS:puppet", "DNS:puppet.domain.net > ") > > The only thing I find curious is the inclusion of the DNS alt names for > puppet, I never suggested those. I wonder if it would help if I added them > as entries to the hosts file. > > On Sunday, 27 July 2014 10:58:56 UTC-7, Greg Sutcliffe wrote: >> >> On 27 July 2014 18:12, Geoff Johnson wrote: >> > @Greg if I attempt to run the agent on the external host I get this: >> > >> > Error: Could not request certificate: The certificate retrieved from >> the >> > master does not match the agent's private key. >> > Certificate fingerprint: >> > >> BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 >> >> > To fix this, remove the certificate from both the master and the agent >> and >> > then start a puppet run, which will automatically regenerate a >> certficate. >> > On the master: >> > puppet cert clean test.domain.net >> > On the agent: >> > rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem >> > puppet agent -t >> > >> > And this is largely why I was asking about manually dealing with >> > certificates. >> >> That would be expected if you're had a working master/agent setup and >> then pointed the agent at a new master. Try performing the steps >> listed :) >> >> The gsub error is interesting, it implies some odd characters in one >> of your cert names. The resukt of "puppet cert -la" on your master >> would probably be relevant, if you can provide it. >> >> Greg >> >

I just realized the date on the log output, clearly not related.

路路路 On Sunday, 27 July 2014 11:23:21 UTC-7, Geoff Johnson wrote: > > Something else that I just realized, but I'm not sure if it matters, is > that the puppetmaster service shown by systemctl isn't running and the logs > have > > [2014-07-26 17:27:18] INFO ruby 2.0.0 (2013-11-22) [x86_64-linux] > [2014-07-26 17:27:18] WARN TCPServer Error: Address already in use - > bind(2) > > I did a quick search on it and there's some forum posts that say if it's > already running under passenger (which I think Foreman does) then > puppetmaster doesn't need to be running, but that seems dubious. > > On Sunday, 27 July 2014 11:15:11 UTC-7, Geoff Johnson wrote: >> >> When you suggest performing the steps listed are you referring to the >> documentation? If so that's exactly what I've done, except that all of the >> puppetmaster configuration for node.rb was already done exactly as it >> should have been, presumably by the installer. >> >> The listing of the certificates on the master is >> >> [root@foreman ~]# puppet cert -la >> "test.domain.net" (SHA256) >> CD:EB:F8:58:B8:93:EA:D0:C6:9C:1F:22:1C:C4:AF:1A:BC:A5:74:E0:ED:A4:8D:0A:27:C0:9E:AE:96:B3:AE:36 >> + "foreman.domain.net" (SHA256) >> BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 >> (alt names: "DNS:foreman.domain.net", "DNS:puppet", "DNS:puppet. >> domain.net") >> >> The only thing I find curious is the inclusion of the DNS alt names for >> puppet, I never suggested those. I wonder if it would help if I added them >> as entries to the hosts file. >> >> On Sunday, 27 July 2014 10:58:56 UTC-7, Greg Sutcliffe wrote: >>> >>> On 27 July 2014 18:12, Geoff Johnson wrote: >>> > @Greg if I attempt to run the agent on the external host I get this: >>> > >>> > Error: Could not request certificate: The certificate retrieved from >>> the >>> > master does not match the agent's private key. >>> > Certificate fingerprint: >>> > >>> BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 >>> >>> > To fix this, remove the certificate from both the master and the agent >>> and >>> > then start a puppet run, which will automatically regenerate a >>> certficate. >>> > On the master: >>> > puppet cert clean test.domain.net >>> > On the agent: >>> > rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem >>> > puppet agent -t >>> > >>> > And this is largely why I was asking about manually dealing with >>> > certificates. >>> >>> That would be expected if you're had a working master/agent setup and >>> then pointed the agent at a new master. Try performing the steps >>> listed :) >>> >>> The gsub error is interesting, it implies some odd characters in one >>> of your cert names. The resukt of "puppet cert -la" on your master >>> would probably be relevant, if you can provide it. >>> >>> Greg >>> >>

I was able to fix the gsub error and sign certificates as @Jens suggested
by making the appropriate sudo edits as suggested in the manual. So now the
how shows up with a signed certificate, but the agent still spits out the
same error as before about not being able to request the certificate. I
wonder if that's because the puppetmaster service has failed on foreman.
Unfortunately I can't seem to find any logs that suggest what the problem
is.

路路路 On Sunday, 27 July 2014 11:28:41 UTC-7, Geoff Johnson wrote: > > I just realized the date on the log output, clearly not related. > > On Sunday, 27 July 2014 11:23:21 UTC-7, Geoff Johnson wrote: >> >> Something else that I just realized, but I'm not sure if it matters, is >> that the puppetmaster service shown by systemctl isn't running and the logs >> have >> >> [2014-07-26 17:27:18] INFO ruby 2.0.0 (2013-11-22) [x86_64-linux] >> [2014-07-26 17:27:18] WARN TCPServer Error: Address already in use - >> bind(2) >> >> I did a quick search on it and there's some forum posts that say if it's >> already running under passenger (which I think Foreman does) then >> puppetmaster doesn't need to be running, but that seems dubious. >> >> On Sunday, 27 July 2014 11:15:11 UTC-7, Geoff Johnson wrote: >>> >>> When you suggest performing the steps listed are you referring to the >>> documentation? If so that's exactly what I've done, except that all of the >>> puppetmaster configuration for node.rb was already done exactly as it >>> should have been, presumably by the installer. >>> >>> The listing of the certificates on the master is >>> >>> [root@foreman ~]# puppet cert -la >>> "test.domain.net" (SHA256) >>> CD:EB:F8:58:B8:93:EA:D0:C6:9C:1F:22:1C:C4:AF:1A:BC:A5:74:E0:ED:A4:8D:0A:27:C0:9E:AE:96:B3:AE:36 >>> + "foreman.domain.net" (SHA256) >>> BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 >>> (alt names: "DNS:foreman.domain.net", "DNS:puppet", "DNS:puppet. >>> domain.net") >>> >>> The only thing I find curious is the inclusion of the DNS alt names for >>> puppet, I never suggested those. I wonder if it would help if I added them >>> as entries to the hosts file. >>> >>> On Sunday, 27 July 2014 10:58:56 UTC-7, Greg Sutcliffe wrote: >>>> >>>> On 27 July 2014 18:12, Geoff Johnson wrote: >>>> > @Greg if I attempt to run the agent on the external host I get this: >>>> > >>>> > Error: Could not request certificate: The certificate retrieved from >>>> the >>>> > master does not match the agent's private key. >>>> > Certificate fingerprint: >>>> > >>>> BE:53:57:4A:20:FF:0B:21:8E:D2:61:09:2E:B5:27:40:E7:3E:71:22:7F:08:25:FD:8E:41:9A:47:4F:96:57:A2 >>>> >>>> > To fix this, remove the certificate from both the master and the >>>> agent and >>>> > then start a puppet run, which will automatically regenerate a >>>> certficate. >>>> > On the master: >>>> > puppet cert clean test.domain.net >>>> > On the agent: >>>> > rm -f /var/lib/puppet/ssl/certs/test.domain.net.pem >>>> > puppet agent -t >>>> > >>>> > And this is largely why I was asking about manually dealing with >>>> > certificates. >>>> >>>> That would be expected if you're had a working master/agent setup and >>>> then pointed the agent at a new master. Try performing the steps >>>> listed :) >>>> >>>> The gsub error is interesting, it implies some odd characters in one >>>> of your cert names. The resukt of "puppet cert -la" on your master >>>> would probably be relevant, if you can provide it. >>>> >>>> Greg >>>> >>>

I'm referring to the output of the command, as you put in your
previous post - i.e cleaning the cert on both the agent (via rm -rf
/var/lib/puppet/ssl) and the master (via puppet cert -c), which should
then allow the agent to create a clean CSR on the next agent run,
which you can then sign.

Glad you got the proxy sorted, it's interesting that it would cause
that error. We should handle that better, please feel free to open an
issue with all the aapropriate info.

Puppet does indeed run under passenger by default in our setup, so the
service will say it's stopped (which is true, since it wasn't started
via the init script, nor is there a separate pid for the service to
check). The log you showed, however, is actually from the
foreman-proxy service, and the Address in use error is harmless.

Greg

路路路 On 27 July 2014 19:15, Geoff Johnson wrote: > When you suggest performing the steps listed are you referring to the > documentation?

Oh, no, I hadn't done that because I wasn't sure if that's something that I
should be doing manually or not. Will Foreman safely reflect any changes
that are made by puppet at the command line?

路路路 On Sunday, 27 July 2014 15:47:58 UTC-7, Greg Sutcliffe wrote: > > On 27 July 2014 19:15, Geoff Johnson <geoff....@coanda.ca > > wrote: > > When you suggest performing the steps listed are you referring to the > > documentation? > > I'm referring to the output of the command, as you put in your > previous post - i.e cleaning the cert on both the agent (via rm -rf > /var/lib/puppet/ssl) and the master (via puppet cert -c), which should > then allow the agent to create a clean CSR on the next agent run, > which you can then sign. > > Glad you got the proxy sorted, it's interesting that it would cause > that error. We should handle that better, please feel free to open an > issue with all the aapropriate info. > > Puppet does indeed run under passenger by default in our setup, so the > service will say it's stopped (which is true, since it wasn't started > via the init script, nor is there a separate pid for the service to > check). The log you showed, however, is actually from the > foreman-proxy service, and the Address in use error is harmless. > > Greg >

I thought I'd give the commands that were suggested a try, so I did

on foreman:

[root@foreman ~]# puppet cert clean foreman.domain.net
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
'/var/lib/puppet/ssl/ca/signed/foreman.domain.net.pem'
Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
'/var/lib/puppet/ssl/certs/foreman.domain.net.pem'
Notice: Removing file Puppet::SSL::Key foreman.domain.net at
'/var/lib/puppet/ssl/private_keys/foreman.domain.net.pem'

and on the test agent:

[root@crdc-02-0124 ~]# rm -f /var/lib/puppet/ssl/certs/foreman.domain.net
.pem
[root@crdc-02-0124 ~]# puppet agent -t
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for foreman.domain.net
Info: Certificate Request fingerprint (SHA256):
D0:37:5E:04:87:55:C7:4F:F2:24:09:2E:7A:58:35:F7:7A:46:AA:6A:57:46:30:85:D1:E3:03:D4:FE:94:97:DD
Exiting; no certificate found and waitforcert is disabled

and then I went to the foreman web interface under smart proxies and tried
to bring up the certificates section again and I get:

NoMethodError
*undefined method gsub&#39; for #&lt;ActiveRecord::RecordNotFound: ActiveRecord::RecordNotFound&gt;* app/controllers/application_controller.rb:172:inerror'
app/controllers/puppetca_controller.rb:17:in rescue in index&#39; app/controllers/puppetca_controller.rb:7:inindex'
app/models/concerns/foreman/thread_session.rb:33:in clear_thread&#39; lib/middleware/catch_json_parse_errors.rb:9:incall'

I took a snapshot before this so I'll be reverting back now.

路路路 On Sunday, 27 July 2014 16:21:57 UTC-7, Geoff Johnson wrote: > > Oh, no, I hadn't done that because I wasn't sure if that's something that > I should be doing manually or not. Will Foreman safely reflect any changes > that are made by puppet at the command line? > > On Sunday, 27 July 2014 15:47:58 UTC-7, Greg Sutcliffe wrote: >> >> On 27 July 2014 19:15, Geoff Johnson wrote: >> > When you suggest performing the steps listed are you referring to the >> > documentation? >> >> I'm referring to the output of the command, as you put in your >> previous post - i.e cleaning the cert on both the agent (via rm -rf >> /var/lib/puppet/ssl) and the master (via puppet cert -c), which should >> then allow the agent to create a clean CSR on the next agent run, >> which you can then sign. >> >> Glad you got the proxy sorted, it's interesting that it would cause >> that error. We should handle that better, please feel free to open an >> issue with all the aapropriate info. >> >> Puppet does indeed run under passenger by default in our setup, so the >> service will say it's stopped (which is true, since it wasn't started >> via the init script, nor is there a separate pid for the service to >> check). The log you showed, however, is actually from the >> foreman-proxy service, and the Address in use error is harmless. >> >> Greg >> >

I couldn't really say how I did it but I managed to get it to work by using
a combination of puppet cert/sign/鈥揼enerate and running the agent
repeatedly until all of the errors disappeared. In the end I think I did
the following

on master:

puppet cert clean --all

on agent:

rm -rf /var/lib/puppet/ssl/*

on master:

puppet cert --generate foreman.coanda.local
systemctl restart httpd
systemctl restart puppet
puppet cert sign foreman.coanda.local

on agent:

puppet agent --test

But I wasn't really using a methodical approach by this point so I can't be
certain. I was loosely trying to follow these:



Fortunately the majority of what I'll be using Foreman for is provisioning
and the hosts seem to register fine when they get added that way.

路路路 On Sunday, 27 July 2014 16:35:28 UTC-7, Geoff Johnson wrote: > > I thought I'd give the commands that were suggested a try, so I did > > on foreman: > > [root@foreman ~]# puppet cert clean foreman.domain.net > Notice: Revoked certificate with serial 2 > Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at > '/var/lib/puppet/ssl/ca/signed/foreman.domain.net.pem' > Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at > '/var/lib/puppet/ssl/certs/foreman.domain.net.pem' > Notice: Removing file Puppet::SSL::Key foreman.domain.net at > '/var/lib/puppet/ssl/private_keys/foreman.domain.net.pem' > > and on the test agent: > > [root@crdc-02-0124 ~]# rm -f /var/lib/puppet/ssl/certs/foreman.domain.net > .pem > [root@crdc-02-0124 ~]# puppet agent -t > Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml > Info: Creating a new SSL certificate request for foreman.domain.net > Info: Certificate Request fingerprint (SHA256): > D0:37:5E:04:87:55:C7:4F:F2:24:09:2E:7A:58:35:F7:7A:46:AA:6A:57:46:30:85:D1:E3:03:D4:FE:94:97:DD > Exiting; no certificate found and waitforcert is disabled > > and then I went to the foreman web interface under smart proxies and tried > to bring up the certificates section again and I get: > > *NoMethodError* > *undefined method `gsub' for # ActiveRecord::RecordNotFound>* > app/controllers/application_controller.rb:172:in `error' > app/controllers/puppetca_controller.rb:17:in `rescue in index' > app/controllers/puppetca_controller.rb:7:in `index' > app/models/concerns/foreman/thread_session.rb:33:in `clear_thread' > lib/middleware/catch_json_parse_errors.rb:9:in `call' > > I took a snapshot before this so I'll be reverting back now. > > On Sunday, 27 July 2014 16:21:57 UTC-7, Geoff Johnson wrote: >> >> Oh, no, I hadn't done that because I wasn't sure if that's something that >> I should be doing manually or not. Will Foreman safely reflect any changes >> that are made by puppet at the command line? >> >> On Sunday, 27 July 2014 15:47:58 UTC-7, Greg Sutcliffe wrote: >>> >>> On 27 July 2014 19:15, Geoff Johnson wrote: >>> > When you suggest performing the steps listed are you referring to the >>> > documentation? >>> >>> I'm referring to the output of the command, as you put in your >>> previous post - i.e cleaning the cert on both the agent (via rm -rf >>> /var/lib/puppet/ssl) and the master (via puppet cert -c), which should >>> then allow the agent to create a clean CSR on the next agent run, >>> which you can then sign. >>> >>> Glad you got the proxy sorted, it's interesting that it would cause >>> that error. We should handle that better, please feel free to open an >>> issue with all the aapropriate info. >>> >>> Puppet does indeed run under passenger by default in our setup, so the >>> service will say it's stopped (which is true, since it wasn't started >>> via the init script, nor is there a separate pid for the service to >>> check). The log you showed, however, is actually from the >>> foreman-proxy service, and the Address in use error is harmless. >>> >>> Greg >>> >>

> I thought I'd give the commands that were suggested a try, so I did
>
> on foreman:
>
> [root@foreman ~]# puppet cert clean foreman.domain.net
> Notice: Revoked certificate with serial 2
> Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
> '/var/lib/puppet/ssl/ca/signed/foreman.domain.net.pem'
> Notice: Removing file Puppet::SSL::Certificate foreman.domain.net at
> '/var/lib/puppet/ssl/certs/foreman.domain.net.pem'
> Notice: Removing file Puppet::SSL::Key foreman.domain.net at
> '/var/lib/puppet/ssl/private_keys/foreman.domain.net.pem'
>
> and on the test agent:
>
> [root@crdc-02-0124 ~]# rm -f
> /var/lib/puppet/ssl/certs/foreman.domain.net.pem
> [root@crdc-02-0124 ~]# puppet agent -t
> Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
> Info: Creating a new SSL certificate request for foreman.domain.net
> Info: Certificate Request fingerprint (SHA256):
> D0:37:5E:04:87:55:C7:4F:F2:24:09:2E:7A:58:35:F7:7A:46:AA:6A:57:46:30:85:D1:E3:03:D4:FE:94:97:DD
> Exiting; no certificate found and waitforcert is disabled

That all looks fine up to here.

> and then I went to the foreman web interface under smart proxies and tried
> to bring up the certificates section again and I get:

Ah the gsub error again, i'm still uclear on why you're getting that.
Fortunatly it's entirely foreman-side, so if you just sign the cert as
normal (puppet cert -s 鈥) then everything should work fine. As I
said earlier, you're expected to manage certs in whatever way you like
for hosts that Foreman didn't build, so Foreman won't care how it
get's signed.

For reference, the page you're failing to load will have no effect on
Foreman's general operation, it's just a handy extra to save you
having to log into the puppet master for the occasional cert signing
action. You can always use the commandline puppet tools for cert
management, as Foreman (re-)parses the puppet data as required, rather
than maintaining it's own copy of the certificate list.

路路路 On 28 July 2014 00:35, Geoff Johnson wrote:

Ah, missed your last reply. Yes, thats exactly the process I would
have used myself - you're bang on track. See my previous reply for why
that is the case, glad it's all working :slight_smile:

Greg

Okay, it's good to have that confirmation. Thanks a lot for all of your
(and everyone else's) help.

路路路 On Monday, 28 July 2014 02:05:12 UTC-7, Greg Sutcliffe wrote: > > Ah, missed your last reply. Yes, thats exactly the process I would > have used myself - you're bang on track. See my previous reply for why > that is the case, glad it's all working :) > > Greg >