Warning: Unable to fetch my node definition, but the agent run will continue:

Problem:
When adding a new node for the first time, I run “puppet agent -t”, which successfully generates a certificate signing request. After I sign the certificate on the puppetserver and go back to the agent, I run “puppet agent -t” again, and I get this message:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Failed to find xxxxxxxxxx.nevada.edu via exec: Execution of '/etc/puppetlabs/puppet/node.rb xxxxxxxxxx.nevada.edu' returned 1:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed when searching for node xxxxxxxxxx.nevada.edu: Failed to find xxxxxxxxxx.nevada.edu via exec: Execution of '/etc/puppetlabs/puppet/node.rb xxxxxxxxxx' returned 1:

If I then login to the puppetserver and enter the command from the shell, I get:

[root@zzzzzzzzz]#  /etc/puppetlabs/puppet/node.rb xxxxxxxxxx.nevada.edu
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
/etc/puppetlabs/puppet/node.rb:383: warning: constant ::TimeoutError is deprecated
Unable to read from Cache file: No such file or directory @ rb_sysopen - /opt/puppetlabs/server/data/puppetserver/yaml/foreman/xxxxxxxxxx.nevada.edu.yaml

Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Expected outcome:
I guess I would expect there to be a ‘xxxxxxxxxx.nevada.edu.yaml’ file in the directory /opt/puppetlabs/server/data/puppetserver/yaml/foreman/

I have no idea what mechanism is supposed to put it there though. Yea, I’m fairly new to puppet and foreman… Sorry!

Foreman and Proxy versions:
Foreman according to GUI is 1.17.1, and the Puppetserver is 5.3.4. They are on separate servers. I originally installed Puppetserver and then added Foreman several months later and set up the Puppetserver as a Smart-Proxy. My problem is that everything was working correctly several weeks ago, and then this past week I started adding more nodes and I ran into this problem.

Other relevant data:
I can work around this issue for now by manually creating the yaml file, but this is a tedious process, and it does not upload the Facts to Foreman as it used to, so that may even be another unrelated problem.

So, I found a better workaround, but obviously not a solution. I changed 2 occurrences of this line, in node.rb:

http.verify_mode = OpenSSL::SSL::VERIFY_PEER
to
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

This allows everything to work as expected. I’m not sure if this means something with my ssl ca is expired, or what? Anyone? Bueller?

I guess this is not really a Foreman issue as I originally thought, so close it, delete it, forget it, etc…


For the record… Failure in certificate verification is usually a sign of using different certs in different places around the setup. A default install of Foreman (i.e. using the installer on a clean box, so that you also get a new Puppetserver) will re-use the Puppet CA and master cert for the Foreman GUI, and thus everything would verify as they all come from the same CA.

Since you say everything was working, I would investigate if anything changed around the certs (e.g. a new Puppet CA, or similarly on your Foreman box).

So, I found a solution.

Not sure if I mentioned this before, but my Puppetserver predates my Foreman server by several months, so they are separate servers, and the node.rb version was something I downloaded from GitHub while implementing the foreman-proxy. Also, I introduced a DigiCert certificate into the mix, so that Foreman would look legit.

With that said, at some point, whenever adding new agent nodes, I would experience this failure, which appears to be due to the fact that the Foreman certificate *.pem was signed by my puppetserver’s self-signed certificate ca.

This morning, I appended my Puppetserver’s /etc/puppetlabs/puppet/ssl/certs/ca.pem to /etc/pki/tls/ca-bundle.crt. I restored the node.rb, so that it would verify the cert, and initial testing shows that this has fixed my issue.
