Hi All

Apologies if this is obvious, but I'm a bit flaky around SSL certificates.
NB puppet version 0.25.5

We use the brilliant feature of certificates where you can have Alternate
DNS names for a certificate which is manifested in the puppet master config
file as certdnsnames. All our clients connect to
puppet-$location.example.com, and if $location is down, we can point the
CNAME to another puppet server which has the original puppet-$location in
the puppet server's certificate. All puppet servers get the same certificate.

When we bring on a new DC, we just update the puppet hostcert certificates
and send out via puppet. Worked nicely in test, but the first time I do it
in real life, it doesn't quite work that way.

Let's see how this works:

1. Set all host certs to be the same file in puppet master config
    hostcert = /local/puppet/etc/ssl/certs/puppet.example.com.pem

2. Generate a new cert

/opt/local/sbin/puppetca --config /local/puppet/etc/puppetca.conf --generate \
  --certdnsnames puppet.bfm.com:puppet-ca.bfm.com:puppet-ca2.bfm.com:\
puppet-lab.bfm.com:puppet-svn.bfm.com:puppet-del.bfm.com:puppet-ndh.bfm.com:\
puppet-prn.bfm.com:puppet-nyc.bfm.com:puppet-smw.bfm.com:puppet-tkm.bfm.com:\
puppet-ewd.bfm.com:puppet-lva.bfm.com:puppet-rmc.bfm.com:puppet-rdc.bfm.com:\
puppet-sfo.bfm.com \
  puppet.bfm.com

3. Confirm we have all our DNS names in the alternate DNS names:

openssl x509 -text -noout -in /local/puppet/etc/ssl/certs/puppet.example.com.pem | grep DNS
                DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:
puppet-ca2.example.com, DNS:puppet-lab.example.com, DNS:
puppet-svn.example.com, DNS:puppet-del.example.com, DNS:
puppet-ndh.example.com, DNS:puppet-prn.example.com, DNS:
puppet-nyc.example.com, DNS:puppet-smw.example.com, DNS:
puppet-tkm.example.com, DNS:puppet-ewd.example.com, DNS:
puppet-lva.example.com, DNS:puppet-rmc.example.com, DNS:
puppet-rdc.example.com, DNS:puppet-sfo.example.com, DNS:puppet.example.com

4. Make sure puppet daemon (running via passenger) also has the correct
alternate names:

echo "" | openssl s_client -connect engncfm001:8140 \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | openssl x509 -noout -text | grep DNS:
                DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:
puppet-ca2.example.com, DNS:puppet-lab.example.com, DNS:
puppet-svn.example.com, DNS:puppet-del.example.com, DNS:
puppet-ndh.example.com, DNS:puppet-prn.example.com, DNS:
puppet-nyc.example.com, DNS:puppet-smw.example.com, DNS:
puppet-tkm.example.com, DNS:puppet-ewd.example.com, DNS:
puppet-lva.example.com, DNS:puppet-rmc.example.com, DNS:
puppet-rdc.example.com, DNS:puppet-sfo.example.com, DNS:puppet.example.com

5. Hurrah. Now the interesting thing is that a new data centre we are
bringing online had its location name changed from ewe to ewd. No matter - as
you can see above I have updated the cert.

6. However, when we build a new server and we check the cert on the puppet
server from the client for DNS alternative names:

openssl x509 -text -noout -in /local/puppet/etc/ssl/ca/signed/engnjmp002.example.com.pem | grep DNS
                DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:
puppet-ca2.example.com, DNS:puppet-lab.example.com, DNS:
puppet-del.example.com, DNS:puppet-ndh.example.com, DNS:
puppet-prn.example.com, DNS:puppet-nyc.example.com, DNS:
puppet-smw.example.com, DNS:puppet-tkm.example.com, DNS:
puppet-wew.example.com, DNS:puppet-lva.example.com, DNS:
puppet-rmc.example.com, DNS:puppet-rdc.example.com, DNS:
puppet-sfo.example.com, DNS:engnjmp002.example.com

That's not right - puppet-wew not puppet-ewd, and puppet-svn is missing. How
can this be as I checked openssl talking to puppet?

It seems that the client's certificate is being signed with a CNAME list
from the "certdnsnames" entry in the puppetmaster config file. I can mess
around with that and confirm it is that entry which modifies the client's
Alternate Names entry.

I **assumed** the client certificate would be signed against the server's
certificate file.

So, now, I update certdnsnames with exactly what is in the hostcert and
things are OK, and I just need to update my documentation to include that
step, but I found it odd. Should I find that odd, or am I missing something?

Thanks

John
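The manual check in steps 3 to 6 (comparing the SAN list of the hostcert, the certdnsnames setting, and a freshly signed client cert) can be scripted so that drift between certdnsnames and hostcert is caught before the CA signs anything with stale names. This is an added example, not code from the post or from Puppet; the sample SAN text and certdnsnames value are constructed to mirror the puppet-wew / puppet-svn mismatch above, and the function names are my own.

```python
import re

# Constructed sample input: a hostcert SAN line as printed by
# `openssl x509 -text -noout | grep DNS`, including the line wrap after "DNS:"
# that a terminal or mailer introduces, plus a certdnsnames value in the
# colon-separated form that puppetca --certdnsnames takes. Placeholder names.
HOSTCERT_SAN_TEXT = """
                DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:
puppet-svn.example.com, DNS:puppet-ewd.example.com, DNS:puppet.example.com
"""
CERTDNSNAMES = "puppet.example.com:puppet-ca.example.com:puppet-wew.example.com"


def san_dns_names(text):
    """Return the sorted, de-duplicated DNS SAN entries found in wrapped
    `openssl x509 -text` output."""
    # Re-join entries that were split right after "DNS:" by the wrap.
    joined = re.sub(r"DNS:\s*\n\s*", "DNS:", text)
    return sorted(set(re.findall(r"DNS:([A-Za-z0-9.-]+)", joined)))


def certdnsnames_set(value):
    """Parse the colon-separated certdnsnames value into a sorted name list."""
    return sorted({n.strip() for n in value.split(":") if n.strip()})


def san_drift(hostcert_text, certdnsnames):
    """Compare the names the master presents (hostcert SAN) with the names the
    CA will put into client certs (certdnsnames). Any entry in either result
    means a failover CNAME will not validate on a newly signed client."""
    expected = set(san_dns_names(hostcert_text))
    configured = set(certdnsnames_set(certdnsnames))
    return {
        "missing_from_certdnsnames": sorted(expected - configured),
        "not_in_hostcert": sorted(configured - expected),
    }


if __name__ == "__main__":
    for key, names in san_drift(HOSTCERT_SAN_TEXT, CERTDNSNAMES).items():
        print(key, names)
```

The same san_drift comparison works on the SAN text of a signed client cert (step 6) in place of certdnsnames, which is the check that exposed the problem in the post.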

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.