Getting error "Warning: Error 400 on SERVER: Failed to find xxx via exec: Execution of '/etc/puppet/node.rb xxx ' returned 1" when running puppet agent command

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.x

Issue

  • Receiving the following error with puppet-agent commands:

    [root@puppetclient]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Failed to find puppetclient.example.com via exec: Execution of '/etc/puppet/node.rb puppetclient.example.com' returned 1:
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node puppetclient.example.com: Failed to find puppetclient.example.com via exec: Execution of '/etc/puppet/node.rb puppetclient.example.com' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Resolution

  • To resolve this error, the common name (CN) in the /var/lib/puppet/ssl/certs/ca.pem file and the ":url" entry in /etc/puppet/foreman.yaml must match.

  • Verify the common name (CN) in the /var/lib/puppet/ssl/certs/ca.pem file.

    [root@puppetclient]# openssl x509 -in /var/lib/puppet/ssl/certs/ca.pem -noout -text
Certificate:
     Data:
            Version:  3  (0x2)
            Serial Number:  17  (0x11)
     Signature Algorithm: sha256WithRSAEncryption
            Issuer:  CN=Puppet  CA:  satellite.example.com
...

  • Change the ":url" entry to match the common name (CN) in ca.pem

    [root@satellite]# vim /etc/puppet/foreman.yaml
:url: "https://satellite.example.com"
:ssl_ca: "/etc/puppet/ssl_ca.pem"
:ssl_cert: "/etc/puppet/client_key.pem"
...

  • Ensure that SSLVerifyClient is set as optional in /etc/httpd/conf.d/05-foreman-ssl.conf file.

    SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
SSLVerifyClient         optional                                        
SSLVerifyDepth

  • After making the above changes, restart katello services. 

    [root@satellite]# katello-service restart

  • Now from the client, execute puppet agent and it should run successfully.

    [root@puppetclient]# puppet agent -tv

For more KB articles/solutions related to Red Hat Satellite 6.x Puppet Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Puppet Issues

Root Cause

  • The common name (CN) in the /var/lib/puppet/ssl/certs/ca.pem file and the ":url" entry in /etc/puppet/foreman.yaml do not match.

Diagnostic Steps

  • It was observed that the puppet client was showing in the satellite web UI under "All hosts" and had a YAML file, but the system was showing a grayed-out status.

  • The following command was run on the satellite server and an error was received stating that it could not send the facts to foreman due to a hostname mismatch:

    [root@satellite]# /etc/puppet/node.rb puppetclient.example.com
Could not send facts to Foreman: hostname was not match with the server certificate

  • Noticed that the /var/lib/puppet/ssl/certs/ca.pem file was using the FQDN of the Red Hat Satellite server for the common name (CN).

  • However, the url in /etc/puppet/foreman.yaml was not using the FQDN of the Red Hat Satellite server.

SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.