On Tue, Sep 14, 2010 at 9:35 AM, M C <maem...@gmail.com> wrote:

> I'm trying to use puppet with passenger as well.  I'm running puppet 2.6.1
> and I'm running into the issue mentioned under the troubleshooting section
> of http://projects.reductivelabs.com/projects/puppet/wiki/Using_Passenger.
> The instructions there are very vague.  I've tried adding the ca_name
> setting to puppet.conf on the puppet master, but it doesn't seem to have any
> effect.  I took a look at
> http://docs.puppetlabs.com/references/stable/configuration.html and there
> does not appear to be a ca_name option.  On the other hand, there is a
> certname option.  When I set this option to something like "ca-foo.bar.com"
> and restart the puppet master, I do see a new certificate generated,
> however, I get errors on the client side stating that the cert is incorrect
> "Could not retrieve catalog from remote server: hostname was not match with
> the server certificate".  Any suggestions?
>

What's the output of puppetd --genconfig | grep "server =" ? By default
puppet agent connects to the puppet master named "puppet".

Try setting certdnsname=puppet:puppet.bar.com (include the output of server
=... if it's not puppet). I'm guessing the client is resolving puppet
master through a DNS cname, puppet.bar.com => ca-foo.bar.com. The
certificate X509v3 Subject Alternative Name should include all possible DNS
cnames for the puppet master.

You can examine the puppet master certificate using the command:
openssl x509 -text -in /var/lib/puppet/ssl/certs/${puppetmaster_fqdn}.pem

certname configures the certificate CN= and in your case should display:
Subject: CN=ca-foo.bar.com

certdnsname configures the following section:
X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.bar.com

Thanks,

Nan
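
The check described in the reply above, as an added example that is not part of the original message: given `openssl x509 -noout -text` output on stdin, it reports whether the name an agent connects to is covered by the certificate. The function names and the sample text are constructed for illustration; it assumes the client follows the RFC 2818 rule (Subject Alternative Name DNS entries are used when present, the CN only when there are none) and compares names literally, without wildcard handling.

```shell
#!/bin/sh
# Constructed sample, shaped like the openssl output quoted in the reply.
SAMPLE_CERT_TEXT='        Subject: CN=ca-foo.bar.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.bar.com'

# san_names: print each SAN DNS entry, one per line (stdin: cert text).
san_names() {
    awk 'san { n = split($0, parts, ",")
               for (i = 1; i <= n; i++) {
                   p = parts[i]; gsub(/^[ \t]+|[ \t]+$/, "", p)
                   if (p ~ /^DNS:/) print substr(p, 5)
               }
               san = 0 }
         /X509v3 Subject Alternative Name:/ { san = 1 }'
}

# subject_cn: print the CN from the Subject line ("CN=x" or "CN = x").
subject_cn() {
    awk '/Subject:/ && match($0, /CN ?= ?[^, ]+/) {
             cn = substr($0, RSTART, RLENGTH)
             sub(/CN ?= ?/, "", cn); print cn; exit }'
}

# name_covered NAME: exit 0 if NAME is covered (stdin: cert text).
# SAN DNS entries win when present; the CN is only a fallback.
name_covered() {
    [ -n "$1" ] || return 1
    text=$(cat)
    names=$(printf '%s\n' "$text" | san_names)
    [ -n "$names" ] || names=$(printf '%s\n' "$text" | subject_cn)
    printf '%s\n' "$names" | tr 'A-Z' 'a-z' |
        grep -Fxq -- "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Demo on the constructed sample. Against a real certificate, pipe
#   openssl x509 -noout -text -in <cert.pem>
# into name_covered with the agent's "server" value as the argument.
for n in puppet puppet.bar.com ca-foo.bar.com; do
    if printf '%s\n' "$SAMPLE_CERT_TEXT" | name_covered "$n"; then
        echo "$n: covered"
    else
        echo "$n: NOT covered"
    fi
done
```

On the sample, the CN value ca-foo.bar.com is reported as not covered because the certificate carries SAN DNS entries and that name is not among them.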
