Puppet 403 Forbidden errors during Puppet Agent install

Summary


If you run puppet agent -t on the server you're attempting to provision and see 403 Forbidden errors like those shown under Error below, check that the case of your hostname matches the certificate name in /etc/puppetlabs/puppet/ssl/certs.


Cause

If you used the default puppet.conf template in your SovLabs Puppet Agent configuration, the certname is generated from the Hostname and PrimaryDNSDomain properties. If the Hostname contains capital letters, it is written as-is, capitals included, into puppet.conf. Puppet, however, generates the certificate file with an all-lowercase file name, so the certname in puppet.conf does not match the certificate filename, which results in the 403 errors.


Error

puppet]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: /puppet/v3/node/DCV-TSTDB01.sovsystems.com (method :get). Please see the server logs for details.
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: /puppet/v3/file_metadatas/pluginfacts (method :get). Please see the server logs for details.
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: Error 403 on SERVER: Forbidden request: /puppet/v3/file_metadata/pluginfacts (method :get). Please see the server logs for details.
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: /puppet/v3/file_metadatas/plugins (method :get). Please see the server logs for details.
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: Error 403 on SERVER: Forbidden request: /puppet/v3/file_metadata/plugins (method :get). Please see the server logs for details.
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: /puppet/v3/catalog/DCV-TSTDB01.sovsystems.com (method :post). Please see the server logs for details.
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: /puppet/v3/report/DCV-TSTDB01.sovsystems.com (method :put). Please see the server logs for details.




Solution Options

Solution 1

The easiest solution is to configure your Linux servers with lowercase hostnames.

Solution 2

In the SovLabs Puppet Agent Configuration, enforce a lowercase hostname in the puppet.conf file content field by applying the downcase function to the certname= line of the template.

Change this:


[main]
server = {{SovLabsPuppet.puppetMasterHostname}}
[agent]
certname = {{Hostname }}.{{PrimaryDnsDomain}}


to this:


[main]
server = {{SovLabsPuppet.puppetMasterHostname}}
[agent]
certname = {{Hostname | downcase }}.{{PrimaryDnsDomain}}


This will write the puppet.conf file with the certificate name in lowercase, which will match the name of the .pem file in ~puppethome/ssl/certs.
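
To confirm on an affected agent that this mismatch is what you are hitting, the check below compares the certname in the rendered puppet.conf with the .pem file names in the certs directory. It is an added example, not SovLabs or Puppet code; the script name check_certname.sh and the example.com host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SovLabs or Puppet code): detect the certname case mismatch.

# Print the certname set in a rendered puppet.conf (last assignment wins).
get_certname() {
    sed -n 's/^[[:space:]]*certname[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_certname CONF CERTDIR
#   0 = <certname>.pem exists with exactly the same case
#   1 = certname has capitals but only the lowercase .pem exists (this article's case)
#   2 = no certname in CONF, or no matching certificate at all
check_certname() {
    name=$(get_certname "$1")
    if [ -z "$name" ]; then
        echo "no certname set in $1"; return 2
    fi
    lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    if [ "$name" != "$lower" ] && [ -f "$2/$lower.pem" ]; then
        echo "MISMATCH: certname '$name' vs certificate file '$lower.pem'"
        return 1
    fi
    if [ -f "$2/$name.pem" ]; then
        echo "OK: certname '$name' matches '$name.pem'"; return 0
    fi
    echo "no certificate for '$name' in $2"; return 2
}

# Constructed fixture: a mixed-case certname next to a lowercase certificate file.
demo() {
    d=$(mktemp -d)
    printf '[main]\nserver = puppet.example.com\n[agent]\ncertname = APP-HOST01.example.com\n' > "$d/puppet.conf"
    mkdir "$d/certs" && : > "$d/certs/app-host01.example.com.pem"
    check_certname "$d/puppet.conf" "$d/certs"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage (hypothetical script name):
#   sh check_certname.sh /etc/puppetlabs/puppet/puppet.conf /etc/puppetlabs/puppet/ssl/certs
if [ "$#" -eq 2 ]; then check_certname "$1" "$2"; fi
```

An exit status of 1 means the certname still contains capitals while the certificate file is lowercase, which is the condition Solution 2 corrects.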




