Troubleshooting connections between components
If agent nodes can't retrieve configurations, check for communication, certificate, DNS, and NTP issues.
Agents can't reach the primary server
Agent nodes must be able to communicate with the primary server in order to retrieve configurations.
If agents can't reach the primary server, running telnet <PRIMARY_HOSTNAME> 8140 returns the error "Name or service not known."
- Verify that the primary server is reachable at a DNS name your agents recognize.
- Verify that the pe-puppetserver service is running.
Agents don't have signed certificates
Agent certificates must be signed by the primary server.
If the node's Puppet agent logs have a warning about unverified peer certificates in the current SSL session, the agent has submitted a certificate signing request that hasn't yet been signed.
- On the primary server, view a list of pending certificate requests:
  puppet cert list
- Sign a specified node's certificate:
  puppetserver ca sign <NODE NAME>
Agents aren't using the primary server's valid DNS name
Agents trust the primary server only if they contact it at one of the valid hostnames specified when the primary server was installed.
On the node, if the results of puppet agent --configprint server don't return one of the valid DNS names you chose during installation of the primary server, the node and primary server can't establish communication.
Time is out of sync
The date and time must be in sync on the primary server and agent nodes.
If time is out of sync on nodes, running date returns incorrect or inconsistent dates.
Node certificates have invalid dates
The date and time must be in sync when certificates are created.
If certificates were signed out of sync, running openssl x509 -text -noout -in $(puppet config print --section master ssldir)/certs/<NODE NAME>.pem returns invalid dates, such as certificates dated in the future.
- On the primary server, delete certificates with invalid dates:
  puppetserver ca clean --certname <NODE CERT NAME>
- On nodes with invalid certificates, delete the SSL directory:
  rm -r $(puppet config print --section master ssldir)
- On agent nodes, generate a new certificate request:
  puppet agent --test
- On the primary server, sign the request:
  puppetserver ca sign <NODE NAME>
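The check described in the two sections above (clock skew and certificates dated in the future) can be scripted. The following is an added example, not part of the original documentation: it reads the notBefore/notAfter lines that openssl x509 -noout -dates prints and compares them with a reference time. The function names, status strings and sample dates are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Classifies the validity window
# printed by `openssl x509 -noout -dates -in <cert.pem>` against a reference
# time. Function names and status strings are this example's own.

# Convert openssl's "Mon DD HH:MM:SS YYYY GMT" to a sortable YYYYmmddHHMMSS.
to_stamp() {
    echo "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        gsub(":", "", $3)
        printf "%04d%02d%02d%s\n", $4, m, $2, $3
    }'
}

# stdin: "notBefore=..." and "notAfter=..." lines.
# $1 (optional): reference time, UTC YYYYmmddHHMMSS; defaults to this host's clock.
# Prints valid | not-yet-valid | expired | unparsed; returns 0 only for valid.
cert_window_status() {
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    nb='' na=''
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case $key in
            notBefore) nb=$(to_stamp "$value") ;;
            notAfter)  na=$(to_stamp "$value") ;;
        esac
    done
    if [ -z "$nb" ] || [ -z "$na" ]; then
        echo unparsed; return 2
    elif [ "$nb" -gt "$now" ]; then
        # Signed while the signer's clock ran ahead, or this host's clock is behind.
        echo not-yet-valid; return 1
    elif [ "$na" -lt "$now" ]; then
        echo expired; return 1
    fi
    echo valid
}

# Constructed sample input (not real certificate output): dated in the future.
printf 'notBefore=Mar  9 12:00:00 2031 GMT\nnotAfter=Mar  8 12:00:00 2036 GMT\n' |
    cert_window_status 20260101000000 || :
```

For a real certificate, pipe the output of openssl x509 -noout -dates -in $(puppet config print --section master ssldir)/certs/<NODE NAME>.pem into cert_window_status. A not-yet-valid result on a host whose own clock is correct points to a certificate that was signed out of sync.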
A node is re-using a certname
If a node re-uses an old node's certname and the primary server retains the previous node's certificate, the new node is unable to request a new certificate.
- On the primary server, clear the node's certificate:
  puppetserver ca clean --certname <NODE CERT NAME>
- On the agent node, generate a new certificate request:
  puppet agent --test
- On the primary server, sign the request:
  puppetserver ca sign <NODE NAME>
Agents can't reach the filebucket server
If the primary server is installed with a certname that doesn't match its hostname, agents can't back up files to the filebucket on the primary server.
If agents log errors like "could not back up," nodes are likely attempting to back up files to the wrong hostname.
On the primary server, edit /etc/puppetlabs/code/environments/production/manifests/site.pp so that the filebucket server attribute points to the correct hostname:
# Define filebucket 'main':
filebucket { 'main':
  server => '<PRIMARY_DNS_NAME>',
  path   => false,
}
Changing the filebucket server attribute on the primary server fixes the error on all agent nodes.
Orchestrator can't connect to PE Bolt server
Debug a faulty connection between the orchestrator and PE Bolt server by setting the bolt_server_loglevel in the puppet_enterprise::profile::bolt_server class and running Puppet, or by manually updating loglevel in /etc/puppetlabs/bolt-server/conf.d/bolt-server.conf. The server logs are located at /var/log/puppetlabs/bolt-server/bolt-server.log.