Install and configure PuppetDB

Useful links:

  1. apprentice@puppet:~$ sudo apt-get install postgresql-9.1

  2. apprentice@:~$ pwgen -cnys 40 1
      apprentice@:~$ sudo -u postgres -s
      postgres@puppet:/$ createuser -DRSP puppetdb
      Enter password for new role: 
      Enter it again: 
      postgres@puppet:/$ createdb -O puppetdb puppetdb
      postgres@puppet:/$ exit

    ... allow the puppetdb role to log in with its password, in /etc/postgresql/9.1/main/pg_hba.conf:

    # Put your actual configuration here
    local   puppetdb        puppetdb                                md5
    local   all             postgres                                peer

    ... and let the new settings take effect:

    apprentice@:~$  sudo service postgresql restart

  3. apprentice@:~$ sudo apt-get install puppetdb puppetdb-terminus

  4. To the [master] section of /etc/puppet/puppet.conf, add:

    storeconfigs = true
    storeconfigs_backend = puppetdb


    According to Docs: PuppetDB 1 » Connecting Puppet Masters to PuppetDB, the master has to talk to PuppetDB's SSL port (8081) and cannot use the plaintext port 8080, although plain HTTP would make perfect sense on localhost. But that doesn't matter much, because using localhost instead of the FQDN as the server name got me a "hostname does not match the server certificate" error when running the puppet agent.

    Create /etc/puppet/routes.yaml:

    ---
    master:
      facts:
        terminus: puppetdb
        cache: yaml

    ... and /etc/puppet/puppetdb.conf:

    [main]
    server =
    port = 8081

  5. Edit /etc/puppetdb/conf.d/database.ini:

    [database]
    classname = org.postgresql.Driver
    subprotocol = postgresql
    subname = //localhost:5432/puppetdb
    username = puppetdb
    password = 9PCp0KZ7F7D3nCcYUfjCgheveWRDfVZ9BbbhsAhf
    log-slow-statements = 10

    ... run

    apprentice@puppet:~$ sudo /usr/sbin/puppetdb-ssl-setup

    ... which writes the SSL settings into /etc/puppetdb/conf.d/jetty.ini, which we need not even fine-tune.


    The key-password and trust-password that puppetdb-ssl-setup puts in jetty.ini protect the Java keystore and truststore; they are not the PostgreSQL password from database.ini.

  6. If puppetqd wasn't already disabled, disable it now, probably in /etc/default/puppetqd.

  7. apprentice@:~$ for i in puppetdb puppetmaster ; do sudo service $i restart ; done

  8. apprentice@client:~$ sudo puppet agent --no-daemonize --verbose --waitforcert 10
    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for to PuppetDB at Connection refused - connect(2)
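
As an added example (not part of the original notes), a small POSIX shell script that stages the configuration fragments from steps 2 to 5 into a directory and checks the two things this walkthrough trips over: the master must use PuppetDB's SSL port 8081, and server must be the name in the PuppetDB host's certificate rather than localhost. The staging directory, the FQDN puppet.example.com and the function names are assumptions; the [main] and [database] section headers are the ones PuppetDB 1 expects in puppetdb.conf and database.ini.

```shell
#!/bin/sh
# Added example (not from the original notes): stage the PuppetDB/master
# config fragments into a directory and sanity-check them before copying
# anything into /etc. Staging dir, FQDN and function names are assumptions.

# Write puppetdb.conf for the master. $1 = staging dir, $2 = FQDN of the
# PuppetDB host as it appears in that host's certificate. The master must
# use the SSL port 8081, not the plaintext 8080 port.
write_puppetdb_conf() {
    printf '%s\n' '[main]' "server = $2" 'port = 8081' > "$1/puppetdb.conf"
}

# Write routes.yaml so the master stores facts in PuppetDB and keeps the
# yaml cache.
write_routes_yaml() {
    printf '%s\n' '---' 'master:' '  facts:' \
        '    terminus: puppetdb' '    cache: yaml' > "$1/routes.yaml"
}

# Write database.ini for PuppetDB. $2 = the PostgreSQL password created
# with pwgen in step 2. The file holds a secret, so create it mode 0600.
write_database_ini() {
    ( umask 077
      printf '%s\n' '[database]' \
          'classname = org.postgresql.Driver' \
          'subprotocol = postgresql' \
          'subname = //localhost:5432/puppetdb' \
          'username = puppetdb' \
          "password = $2" \
          'log-slow-statements = 10' > "$1/database.ini" )
}

# Return 0 when puppetdb.conf points at the SSL port and at a real host
# name. localhost (or an empty server) is what produces the certificate
# hostname mismatch; 8080 is the plaintext port the docs rule out.
check_puppetdb_conf() {
    server=$(sed -n 's/^server[[:space:]]*=[[:space:]]*//p' "$1" | tr -d '[:space:]')
    port=$(sed -n 's/^port[[:space:]]*=[[:space:]]*//p' "$1" | tr -d '[:space:]')
    case "$server" in
        ''|localhost|127.0.0.1|::1) return 1 ;;
    esac
    [ "$port" = 8081 ]
}

# Return 0 when pg_hba.conf has the local md5 line from step 2 that lets
# role puppetdb reach database puppetdb with a password.
pg_hba_allows_puppetdb() {
    grep -Eq '^local[[:space:]]+puppetdb[[:space:]]+puppetdb[[:space:]]+md5' "$1"
}

# Stage everything and check the result. $1 = staging dir, $2 = FQDN,
# $3 = database password. Exit status is that of check_puppetdb_conf.
stage_puppetdb_config() {
    mkdir -p "$1"
    write_puppetdb_conf "$1" "$2"
    write_routes_yaml "$1"
    write_database_ini "$1" "$3"
    check_puppetdb_conf "$1/puppetdb.conf"
}

# Usage (writes to a temporary directory, never to /etc):
#   stage_puppetdb_config "$(mktemp -d)" puppet.example.com "$(pwgen -cnys 40 1)"
```

Run it against a scratch directory, diff the output against what is in /etc/puppet and /etc/puppetdb/conf.d, and only then copy the files over; check_puppetdb_conf can also be pointed at the live /etc/puppet/puppetdb.conf to confirm that neither localhost nor port 8080 crept back in.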


This error occurs because the puppet service, the puppetdb service and their certificates do not agree on the hostnames they are using. This can be resolved by adding to the [jetty] section of /etc/puppetdb/conf.d/jetty.ini the line:

certificate-whitelist = /etc/puppetdb/whitelist.txt

... and listing all aliases for the machine in that file.

But we don't bother, because we don't want to run the puppet master from WEBrick, so we need Apache, and if we've got Apache anyway, we also want to terminate PuppetDB's SSL at Apache. See the next section.