How To Install Puppet Server and Clients


What is Puppet?

 

To quote from the Wikipedia entry for Puppet:

 

Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use.

 

Puppet is produced by Puppet, Inc, founded by Luke Kanies in 2005. Puppet’s primary product, Puppet Enterprise, is a commercially supported version of its open-source product.

 

Puppet’s automation software uses Puppet’s declarative language to manage various stages of the IT infrastructure lifecycle, including the provisioning, patching, configuration, and management of operating system and application components across enterprise data centers and cloud infrastructures.

 

Puppet uses an open-core model; its free-software version was released under version 2 of the GNU General Public License (GPL) until version 2.7.0,[6] and later releases use the Apache License, while Puppet Enterprise uses a proprietary license.

 

Built as cross-platform software, Puppet and Puppet Enterprise operate on multiple Unix-like systems (including Linux as well as Solaris, BSD, Mac OS X, AIX, HP-UX) and has Microsoft Windows support.

 

Puppet itself is written in Ruby, while Facter is written in C++, while Puppet Server and Puppet DB are written in Clojure.

 

Puppet is designed to manage the configuration of Unix-like and Microsoft Windows systems declaratively.

 

The user describes system resources and their state, either using Puppet’s declarative language or a Ruby DSL (domain-specific language).

 

This information is stored in files called “Puppet manifests”. Puppet discovers the system information via a utility called Facter, and compiles the Puppet manifests into a system-specific catalog containing resources and resource dependency, which are applied against the target systems. Any actions taken by Puppet are then reported.

 

Puppet usually follows client-server architecture. The client is known as an agent and the server is known as the master. For testing and simple configuration, it can also be used as a stand-alone application run from the command line.

 

Puppet Server is installed on one or more servers, and Puppet Agent is installed on all the machines that the user wants to manage.

 

Puppet Agents communicate with the server and fetch configuration instructions. The Agent then applies the configuration on the system and sends a status report to the server.

 

Devices can run Puppet Agent as a daemon, that can be triggered periodically as a cron job or can be run manually whenever needed.

 

 

 

Below are the instructions for installing Puppet master and agent nodes on Ubuntu 20.04 Linux systems.

 

 

Create the hostname definitions for Puppet on server and clients

 

Puppet master and client nodes use hostnames to communicate with each other, so it is a good idea to assign a unique Puppet-related hostname to each node in your Puppet system.

 

 

1. Log in to the master and to each client node in turn and add the following to the /etc/hosts file:

 

 

sudo nano /etc/hosts

# Puppet hostnames:

 

10.147.18.185 puppetmaster puppet
10.147.18.14 puppetclient_asusvpn
10.147.18.84 puppetclient_intelvpn
10.147.18.65 puppetclient_lenvpn

 

These IPs are our VPN network addresses.

 

A simple way to avoid editing the file on every machine is to edit it on one machine, e.g. geminivpn, and copy it from there to the others with the following command:

 

for HOST in lenvpn asusvpn intelvpn; do
scp /etc/hosts $HOST:/etc/
done

 

root@gemini:/etc# for HOST in lenvpn asusvpn intelvpn; do scp /etc/hosts $HOST:/etc/; done
hosts 100% 2764 86.9KB/s 00:00
hosts 100% 2764 78.2KB/s 00:00
hosts 100% 2764 91.2KB/s 00:00
root@gemini:/etc#

 

 

Repository Installation for Puppet

 

To add the repo for your distribution, install the release package with the codename for your distribution. For example, for Ubuntu release xenial:

 

 

On the Puppet server:

 

wget http://apt.puppetlabs.com/puppet-release-xenial.deb;
dpkg -i puppet-release-xenial.deb;
apt-get update -y;
apt-get install puppetserver -y;

 

 

 

Once the release package is installed, update the package index and install the Puppet server by running the following commands:

 

apt-get update -y
apt-get install puppetserver -y

 

root@gemini:~# wget http://apt.puppetlabs.com/puppet-release-xenial.deb
–2021-07-20 15:01:15– http://apt.puppetlabs.com/puppet-release-xenial.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)… 52.222.139.78, 52.222.139.62, 52.222.139.2, …
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|52.222.139.78|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 11674 (11K) [application/x-debian-package]
Saving to: ‘puppet-release-xenial.deb’

 

puppet-release-xenial.de 100%[===============================>] 11.40K –.-KB/s in 0.004s

2021-07-20 15:01:15 (2.63 MB/s) – ‘puppet-release-xenial.deb’ saved [11674/11674]

root@gemini:~#

 

root@gemini:~# dpkg -i puppet-release-xenial.deb
Selecting previously unselected package puppet-release.
(Reading database … 173472 files and directories currently installed.)
Preparing to unpack puppet-release-xenial.deb …
Unpacking puppet-release (1.0.0-14xenial) …
Setting up puppet-release (1.0.0-14xenial) …
root@gemini:~#

 

root@gemini:~# apt-get update -y
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://download.zerotier.com/debian/buster buster InRelease
Get:5 https://mega.nz/linux/MEGAsync/xUbuntu_20.04 ./ InRelease [2441 B]
Hit:6 http://apt.puppetlabs.com xenial InRelease
Hit:7 http://security.ubuntu.com/ubuntu focal-security InRelease
Fetched 2441 B in 2s (1122 B/s)
Reading package lists… Done
root@gemini:~# apt-get install puppetserver -y
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following additional packages will be installed:
ca-certificates-java java-common openjdk-8-jre-headless puppet-agent
Suggested packages:
default-jre libnss-mdns fonts-dejavu-extra fonts-ipafont-gothic fonts-ipafont-mincho
fonts-wqy-microhei fonts-wqy-zenhei fonts-indic
The following NEW packages will be installed:
ca-certificates-java java-common openjdk-8-jre-headless puppet-agent puppetserver
0 upgraded, 5 newly installed, 0 to remove and 7 not upgraded.
Need to get 114 MB of archives.
After this operation, 313 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 java-common all 0.72 [6816 B]
Get:2 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 openjdk-8-jre-headless amd64 8u292-b10-0ubuntu1~20.04 [28.2 MB]
Get:3 http://apt.puppetlabs.com xenial/puppet amd64 puppet-agent amd64 7.8.0-1xenial [21.1 MB]
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 ca-certificates-java all 20190405ubuntu1 [12.2 kB]
Get:5 http://apt.puppetlabs.com xenial/puppet amd64 puppetserver all 7.2.0-1xenial [65.1 MB]
Fetched 114 MB in 6s (20.6 MB/s)
Selecting previously unselected package java-common.
(Reading database … 173477 files and directories currently installed.)
Preparing to unpack …/java-common_0.72_all.deb …
Unpacking java-common (0.72) …
Selecting previously unselected package openjdk-8-jre-headless:amd64.
Preparing to unpack …/openjdk-8-jre-headless_8u292-b10-0ubuntu1~20.04_amd64.deb …
Unpacking openjdk-8-jre-headless:amd64 (8u292-b10-0ubuntu1~20.04) …
Selecting previously unselected package ca-certificates-java.
Preparing to unpack …/ca-certificates-java_20190405ubuntu1_all.deb …
Unpacking ca-certificates-java (20190405ubuntu1) …
Selecting previously unselected package puppet-agent.
Preparing to unpack …/puppet-agent_7.8.0-1xenial_amd64.deb …
Unpacking puppet-agent (7.8.0-1xenial) …
Selecting previously unselected package puppetserver.
Preparing to unpack …/puppetserver_7.2.0-1xenial_all.deb …
Unpacking puppetserver (7.2.0-1xenial) …
Setting up java-common (0.72) …
Setting up puppet-agent (7.8.0-1xenial) …
Created symlink /etc/systemd/system/multi-user.target.wants/pxp-agent.service → /lib/systemd/system/pxp-agent.service.
Created symlink /etc/systemd/system/multi-user.target.wants/puppet.service → /lib/systemd/system/puppet.service.
Removed /etc/systemd/system/multi-user.target.wants/pxp-agent.service.
Setting up ca-certificates-java (20190405ubuntu1) …
head: cannot open ‘/etc/ssl/certs/java/cacerts’ for reading: No such file or directory
Adding debian:T-TeleSec_GlobalRoot_Class_2.pem
Adding debian:DigiCert_Global_Root_G.pem

(long list of certificates omitted)

Adding debian:AffirmTrust_Premium.pem
Adding debian:EC-ACC.pem
Adding debian:USERTrust_ECC_Certification_Authority.pem
Adding debian:Trustis_FPS_Root_CA.pem
Adding debian:TrustCor_RootCert_CA-1.pem
done.
Processing triggers for libc-bin (2.31-0ubuntu9.2) …
Processing triggers for systemd (245.4-4ubuntu3.7) …
Processing triggers for man-db (2.9.1-1) …
Processing triggers for ca-certificates (20210119~20.04.1) …
Updating certificates in /etc/ssl/certs…
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…

done.
done.

Setting up openjdk-8-jre-headless:amd64 (8u292-b10-0ubuntu1~20.04) …
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/jjs to provide /usr/bin/jjs (jjs) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/pack200 to provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/unpack200 to provide /usr/bin/unpack200 (unpack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/orbd to provide /usr/bin/orbd (orbd) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/servertool to provide /usr/bin/servertool (servertool) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/tnameserv to provide /usr/bin/tnameserv (tnameserv) in auto mode
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode
Setting up puppetserver (7.2.0-1xenial) …
usermod: no changes
Processing triggers for systemd (245.4-4ubuntu3.7) …
root@gemini:~#

 

Adjust the RAM memory directive for Puppet

 

By default, the Puppet server is configured to use 2GB of memory.

 

If your server doesn’t have enough memory, then reduce the memory size to 1GB or another value:

 

nano /etc/default/puppetserver

 

JAVA_ARGS="-Xms1g -Xmx1g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

 

 

Then start the Puppet service and set it to auto-start on system boot:

 

sudo systemctl start puppetserver
sudo systemctl enable puppetserver

 

root@gemini:~# systemctl start puppetserver

 

● puppetserver.service – puppetserver Service
Loaded: loaded (/lib/systemd/system/puppetserver.service; disabled; vendor preset: enabled)
Active: activating (start) since Tue 2021-07-20 15:21:07 BST; 26s ago
Cntrl PID: 2841401 (bash)
Tasks: 12 (limit: 4915)
Memory: 260.3M
CGroup: /system.slice/puppetserver.service
├─2841401 bash /opt/puppetlabs/server/apps/puppetserver/cli/apps/start
├─2841425 /usr/bin/java -Xms1g -Xmx1g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.S>
└─2841521 sleep 1

 

Jul 20 15:21:07 gemini systemd[1]: Starting puppetserver Service…

 

 

root@gemini:~# systemctl enable puppetserver
Synchronizing state of puppetserver.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable puppetserver
Created symlink /etc/systemd/system/multi-user.target.wants/puppetserver.service → /lib/systemd/system/puppetserver.service.
root@gemini:~#

 

 

How To Install the Puppet Clients

 

On each Puppet client machine:

 

wget http://apt.puppetlabs.com/puppet-release-xenial.deb;
dpkg -i puppet-release-xenial.deb;
apt-get update -y;
apt-get install puppet-agent -y;

 

root@len:~# wget http://apt.puppetlabs.com/puppet-release-xenial.deb;
–2021-07-20 16:31:12– http://apt.puppetlabs.com/puppet-release-xenial.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)… 143.204.98.17, 143.204.98.74, 143.204.98.15, …
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|143.204.98.17|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 11674 (11K) [application/x-debian-package]
Saving to: ‘puppet-release-xenial.deb’

 

puppet-release-xenia 100%[=====================>] 11.40K –.-KB/s in 0s

2021-07-20 16:31:15 (48.8 MB/s) – ‘puppet-release-xenial.deb’ saved [11674/11674]

 

root@len:~# dpkg -i puppet-release-xenial.deb;
Selecting previously unselected package puppet-release.
(Reading database … 275787 files and directories currently installed.)
Preparing to unpack puppet-release-xenial.deb …
Unpacking puppet-release (1.0.0-14xenial) …
Setting up puppet-release (1.0.0-14xenial) …
root@len:~# apt-get update -y;
Hit:1 http://ppa.launchpad.net/atareao/telegram/ubuntu bionic InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:3 https://brave-browser-apt-release.s3.brave.com bionic InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:5 https://repo.skype.com/deb stable InRelease [4,501 B]
Hit:6 https://brave-browser-apt-release.s3.brave.com stable InRelease
Hit:7 http://download.zerotier.com/debian/buster buster InRelease
Hit:8 http://repository.spotify.com stable InRelease
Get:9 http://archive.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:10 http://ppa.launchpad.net/audio-recorder/ppa/ubuntu bionic InRelease
Get:11 https://mega.nz/linux/MEGAsync/xUbuntu_20.04 ./ InRelease [2,441 B]
Hit:12 http://ppa.launchpad.net/clipgrab-team/ppa/ubuntu bionic InRelease
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Hit:14 http://old-releases.ubuntu.com/ubuntu cosmic InRelease
Hit:15 http://ppa.launchpad.net/gencfsm/ppa/ubuntu bionic InRelease
Ign:16 http://archive.ubuntu.com/ubuntu eoan InRelease
Get:17 http://apt.puppetlabs.com xenial InRelease [144 kB]
Ign:18 http://archive.ubuntu.com/ubuntu eoan-security InRelease
Hit:19 http://ppa.launchpad.net/nathan-renniewaldock/flux/ubuntu bionic InRelease
Ign:20 http://archive.ubuntu.com/ubuntu eoan-updates InRelease
Hit:21 http://old-releases.ubuntu.com/ubuntu cosmic-security InRelease
Ign:22 http://archive.ubuntu.com/ubuntu eoan-backports InRelease
Hit:23 http://ppa.launchpad.net/sebastian-stenzel/cryptomator/ubuntu bionic InRelease
Hit:24 http://archive.ubuntu.com/ubuntu focal InRelease
Get:25 http://archive.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:26 http://old-releases.ubuntu.com/ubuntu cosmic-updates InRelease
Hit:27 http://ppa.launchpad.net/wseverin/ppa/ubuntu bionic InRelease
Hit:28 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:29 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Hit:30 http://old-releases.ubuntu.com/ubuntu disco InRelease
Err:31 http://archive.ubuntu.com/ubuntu eoan Release
404 Not Found [IP: 91.189.88.152 80]
Err:32 http://archive.ubuntu.com/ubuntu eoan-security Release
404 Not Found [IP: 91.189.88.152 80]
Err:33 http://archive.ubuntu.com/ubuntu eoan-updates Release
404 Not Found [IP: 91.189.88.152 80]
Err:34 http://archive.ubuntu.com/ubuntu eoan-backports Release
404 Not Found [IP: 91.189.88.152 80]
Hit:35 http://old-releases.ubuntu.com/ubuntu disco-security InRelease
Err:5 https://repo.skype.com/deb stable InRelease
The following signatures were invalid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <se-um@microsoft.com>
Hit:36 http://old-releases.ubuntu.com/ubuntu disco-updates InRelease
Get:37 http://apt.puppetlabs.com xenial/puppet amd64 Packages [12.5 kB]
Get:38 http://apt.puppetlabs.com xenial/puppet all Packages [5,310 B]
Get:39 http://apt.puppetlabs.com xenial/puppet i386 Packages [11.4 kB]
Reading package lists… Done
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan-security Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan-updates Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://archive.ubuntu.com/ubuntu eoan-backports Release’ no longer has a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.skype.com/deb stable InRelease: The following signatures were invalid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <se-um@microsoft.com>
root@len:~# apt-get install puppet-agent -y;
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed
puppet-agent
0 to upgrade, 1 to newly install, 0 to remove and 71 not to upgrade.
Need to get 21.1 MB of archives.
After this operation, 133 MB of additional disk space will be used.
Get:1 http://apt.puppetlabs.com xenial/puppet amd64 puppet-agent amd64 7.8.0-1xenial [21.1 MB]
Fetched 21.1 MB in 8s (2,632 kB/s)
debconf: Unable to initialise frontend: Dialog
debconf: (Dialogue frontend requires a screen at least 13 lines tall and 31 columns wide.)
debconf: falling back to frontend: Readline
Selecting previously unselected package puppet-agent.
(Reading database … 275792 files and directories currently installed.)
Preparing to unpack …/puppet-agent_7.8.0-1xenial_amd64.deb …
Unpacking puppet-agent (7.8.0-1xenial) …
Setting up puppet-agent (7.8.0-1xenial) …

Created symlink /etc/systemd/system/multi-user.target.wants/pxp-agent.service → /lib/systemd/system/pxp-agent.service.
Created symlink /etc/systemd/system/multi-user.target.wants/puppet.service → /lib/systemd/system/puppet.service.
Removed /etc/systemd/system/multi-user.target.wants/pxp-agent.service.
Processing triggers for libc-bin (2.31-0ubuntu9.2) …

root@len:~# systemctl start puppet; systemctl enable puppet; systemctl status puppet
● puppet.service – Puppet agent
Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: e>
Active: active (running) since Tue 2021-07-20 16:38:06 CEST; 459ms ago
Main PID: 324315 (puppet)
Tasks: 1 (limit: 9329)
Memory: 21.7M
CGroup: /system.slice/puppet.service
└─324315 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/p>

 

Jul 20 16:38:06 len systemd[1]: Started Puppet agent.
root@len:~#

 

 

 

Once it is installed, edit the /etc/puppetlabs/puppet/puppet.conf file on each puppet client machine:

 

nano /etc/puppetlabs/puppet/puppet.conf

 

Enter the following, using puppetclient_asusvpn, puppetclient_lenvpn or puppetclient_intelvpn as the certname according to the machine:

[main]
certname = puppetclient_asusvpn
server = puppetmaster

 

 

Finally, start and enable the agent:

 

systemctl start puppet; systemctl enable puppet; systemctl status puppet

 

Sign the Puppet Agent Certificates

 

Log in to the Puppet server and run the following command to list all the available certificates:

/opt/puppetlabs/bin/puppetserver ca list --all

Sign all pending certificate requests with:

/opt/puppetlabs/bin/puppetserver ca sign --all

 

 

Firewalling for Puppet

 

Puppet uses port 8140, so you need to open port 8140 on your firewall.

 

For Ubuntu:

 

ufw allow 8140

 

root@gemini:~#
root@gemini:~# ufw allow 8140
Rule added
Rule added (v6)
root@gemini:~#

 

 

Verify:

 

/opt/puppetlabs/bin/puppet agent --test

 

 

We had the following problem with the test:

 

root@len:~# /opt/puppetlabs/bin/puppet agent --test
Error: Server hostname ‘puppetmaster’ did not match server certificate; expected one of gemini, DNS:puppet, DNS:gemini
Error: Could not run: Server hostname ‘puppetmaster’ did not match server certificate; expected one of gemini, DNS:puppet, DNS:gemini
root@len:~#

 

 

This happens because the server name configured on the clients (puppetmaster) is not one of the names in the Puppet server's certificate (gemini, puppet).

 

So on the clients I modified the file:

 

root@len:~# nano /etc/puppetlabs/puppet/puppet.conf

 

 

and changed

 

[main]
certname = puppetclient_lenvpn
server = puppetmaster

 

to

 

[main]
certname = puppetclient_lenvpn
server = gemini

 

 

I was then able to do:

 

root@len:~# /opt/puppetlabs/bin/puppet agent --test
Info: Creating a new RSA SSL key for puppetclient_lenvpn
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetclient_lenvpn
Info: Certificate Request fingerprint (SHA256): 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
Info: Certificate for puppetclient_lenvpn has not been signed yet
Couldn’t fetch certificate from CA server; you might still need to sign this agent’s certificate (puppetclient_lenvpn).
Exiting now because the waitforcert setting is set to 0.
root@len:~#
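
The mismatch above can be caught before the agent runs by comparing the server setting in puppet.conf with the names in the server certificate. The following shell script is an added example, not part of the original article: the function names are hypothetical, the two puppet.conf files are constructed, and the certificate name list is copied from the error message above.

```shell
#!/bin/sh
# Added example: check that the "server" name in an agent's puppet.conf is one
# of the names the Puppet server's certificate was issued for.

# Print the server name an agent would use: [agent] overrides [main].
conf_server() {
    awk '
        /^[ \t]*\[/ {                       # section header such as "[main]"
            section = $0
            gsub(/[ \t]/, "", section)
            next
        }
        /^[ \t]*server[ \t]*=/ {            # "server = name" (not server_list)
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (section == "[main]")  main_server = value
            if (section == "[agent]") agent_server = value
        }
        END {
            if (agent_server != "")     print agent_server
            else if (main_server != "") print main_server
            else exit 1                 # no server setting found
        }
    ' "$1"
}

# cert_allows NAME "name, DNS:name, ..."
# Succeeds when NAME equals one of the certificate names (exact match,
# case-insensitive; wildcard names are not handled).
cert_allows() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            n = split($0, names, ",")
            for (i = 1; i <= n; i++) {
                name = tolower(names[i])
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                sub(/^dns:/, "", name)
                if (name == want) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# check_agent PUPPET_CONF "certificate names"
check_agent() {
    server=$(conf_server "$1") || { echo "NO_SERVER_SETTING"; return 2; }
    if cert_allows "$server" "$2"; then
        echo "OK $server"
    else
        echo "MISMATCH $server"
        return 1
    fi
}

# --- constructed sample input -------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf '[main]\ncertname = puppetclient_lenvpn\nserver = puppetmaster\n' \
    > "$demo_dir/before.conf"
printf '[main]\ncertname = puppetclient_lenvpn\nserver = gemini\n' \
    > "$demo_dir/after.conf"

# Names listed in the agent error message shown above.
CERT_NAMES='gemini, DNS:puppet, DNS:gemini'

for conf in before.conf after.conf; do
    check_agent "$demo_dir/$conf" "$CERT_NAMES" || true
done
```

The name puppet also passes the check, since the server certificate lists DNS:puppet and /etc/hosts already maps puppet to the master.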

 

 

Now on the puppet server we can run:

 

root@gemini:~# /opt/puppetlabs/bin/puppetserver ca list
Requested Certificates:
puppetclient_lenvpn (SHA256) 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
root@gemini:~#

 

 

We need to do this on each client, as in the example above for lenvpn. This is then the result:

 

root@gemini:~# /opt/puppetlabs/bin/puppetserver ca list
Requested Certificates:
puppetclient_lenvpn (SHA256) 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
puppetclient_intelvpn (SHA256) AB:53:E7:2A:79:69:0A:6F:92:B5:F2:66:E4:0A:EB:67:28:33:10:BC:30:C5:EB:2A:D3:87:7C:C1:F9:EC:C1:C5
puppetclient_asusvpn (SHA256) C4:14:06:C9:61:E8:B6:E6:A0:7F:FD:D1:4A:F3:AC:9E:AD:8B:7F:9B:2B:93:BA:53:CC:58:FC:A6:70:EB:6F:42
root@gemini:~#

 

 

Then, on the Puppet server, sign the certificates for the clients.

You can do this by specifying --all, which signs the certificates for all the clients with a single command:

root@gemini:~# /opt/puppetlabs/bin/puppetserver ca sign --all
Successfully signed certificate request for puppetclient_lenvpn
Successfully signed certificate request for puppetclient_intelvpn
Successfully signed certificate request for puppetclient_asusvpn
root@gemini:~#
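
Signing with --all (here and in the earlier signing step) accepts every pending request, whoever sent it; the fingerprint each agent prints can instead be compared with the one shown by ca list before anything is signed. The following shell script is an added example, not part of the original article: the function names, file names and fingerprints are constructed, and it only prints the puppetserver ca sign --certname command for the requests that match.

```shell
#!/bin/sh
# Added example: sign only the certificate requests whose fingerprint matches
# the one recorded on the agent itself.

PUPPETSERVER=/opt/puppetlabs/bin/puppetserver

# verify_csrs EXPECTED_FILE CA_LIST_FILE
#   EXPECTED_FILE: one "certname fingerprint" pair per line, noted on each agent
#                  from its "Certificate Request fingerprint (SHA256)" line.
#   CA_LIST_FILE:  saved output of "puppetserver ca list".
# Prints "OK name" or "REJECT name" for every pending request.
verify_csrs() {
    awk '
        FILENAME == ARGV[1] {
            if (NF >= 2) expected[$1] = toupper($2)
            next
        }
        $2 == "(SHA256)" {
            if (($1 in expected) && expected[$1] == toupper($3))
                print "OK", $1
            else
                print "REJECT", $1      # unknown name or fingerprint differs
        }
    ' "$1" "$2"
}

# Print the signing command for the verified requests only.
# Returns non-zero (and prints nothing) when no request could be verified.
sign_command() {
    names=$(verify_csrs "$1" "$2" |
        awk '$1 == "OK" { printf "%s%s", sep, $2; sep = "," }')
    [ -n "$names" ] || return 1
    printf '%s ca sign --certname %s\n' "$PUPPETSERVER" "$names"
}

# Build a constructed 32-byte fingerprint by repeating one hex byte.
fake_fp() {
    printf '%s' "$1"
    i=1
    while [ "$i" -lt 32 ]; do
        printf ':%s' "$1"
        i=$((i + 1))
    done
}

# --- constructed sample input -------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Fingerprints as recorded on the agents.
cat > "$demo_dir/expected.txt" <<EOF
puppetclient_lenvpn   $(fake_fp 1A)
puppetclient_asusvpn  $(fake_fp 2B)
puppetclient_intelvpn $(fake_fp 3C)
EOF

# What the server reports: one match, one changed fingerprint, one unknown name.
cat > "$demo_dir/ca_list.txt" <<EOF
Requested Certificates:
    puppetclient_lenvpn   (SHA256)  $(fake_fp 1A)
    puppetclient_asusvpn  (SHA256)  $(fake_fp FF)
    puppetclient_rogue    (SHA256)  $(fake_fp 4D)
EOF

verify_csrs "$demo_dir/expected.txt" "$demo_dir/ca_list.txt"
sign_command "$demo_dir/expected.txt" "$demo_dir/ca_list.txt"
```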

 

 

NOTE: the command still mentioned in much of the online Puppet documentation:

 

puppet cert

 

has since been deprecated and should no longer be used. Instead use the new syntax:

 

puppetserver ca

 

as above.

 

It is also convenient to add a symlink from /usr/local/sbin/puppetserver so that the whole path to the puppetserver binary does not have to be entered:

 

ln -s /opt/puppetlabs/bin/puppetserver /usr/local/sbin/puppetserver

 

 

Check that the agents are working:

 

root@len:~# systemctl status puppet
● puppet.service – Puppet agent
Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-07-20 16:38:06 CEST; 5h 48min ago
Main PID: 324315 (puppet)
Tasks: 1 (limit: 9329)
Memory: 76.1M
CGroup: /system.slice/puppet.service
└─324315 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemon>

 

Jul 20 22:06:43 len puppet-agent[324315]: Server hostname ‘puppetmaster’ did not match server certificate>
Jul 20 22:08:43 len puppet-agent[324315]: Server hostname ‘puppetmaster’ did not match server certificate>
root@len:~#

 

 

The Puppet master server (gemini) should now be able to communicate with and control the agent nodes.

 

On a Puppet agent node, test the Puppet master and agent communication with the following command:

 

/opt/puppetlabs/bin/puppet agent --test

 

 

If everything is working, you will see the following output:

 

root@len:~# /opt/puppetlabs/bin/puppet agent --test
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetclient_lenvpn
Info: Certificate Request fingerprint (SHA256): 6B:0E:A6:DF:32:ED:80:9D:82:4A:87:26:35:26:F8:6B:7E:37:15:56:F2:B7:B9:32:E6:D6:A8:29:FB:AC:92:D6
Info: Downloaded certificate for puppetclient_lenvpn from https://gemini:8140/puppet-ca/v1
Info: Using configured environment ‘production’
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetclient_lenvpn
Info: Applying configuration version ‘1626812868’
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds
root@len:~#

 

 

 

Ensure Time is Set Uniformly on Puppet Clients and Server

 

 

Make sure the Puppet clients and server have the same time and use the same time zone:

 

root@gemini:/# date
Wed Jul 21 17:27:56 BST 2021
root@gemini:/#
root@gemini:~# timedatectl set-timezone Europe/Berlin
root@gemini:~# date
Wed Jul 21 18:28:49 CEST 2021
root@gemini:~#

 

 

 

For notes on how to use Puppet, see my article http://3.222.27.169/it-knowledge-base/how-to-use-puppet/

 

 

 

 
