On Tue, Jan 18, 2011 at 10:41 AM, Robert Scheer <r...@xs4all.net> wrote:
> Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain,
> and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer
> to balance over some 10 puppetmaster processes. The configured
> SSLCertificateFile in Apache is that of puppet-new.domain
>
> How do I get a node to stop complaining when connecting to
> puppet-old.domain (ending up at puppet-new.domain through the CNAME)?
>
> node# puppetd --test --server=puppet-old.domain
> err: Could not retrieve catalog from remote server: hostname was not match
> with the server certificate
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run

I recommend issuing a new certificate for the Apache SSL server which
contains both puppet-old.domain and puppet-new.domain in the X.509
alternate names field.

> I tried fiddling with certdnsnames on both the server side and the client
> side, but without effect.

certdnsnames is one way to do this.  In Puppet 2.6 you can use the
puppet cert command to easily create these certificates.

On the Puppet CA (my configuration directory is for testing; you'll
need to adjust this setting):

puppet cert --confdir ~/.puppet/conf_test \
    --certdnsnames puppet-old.domain:puppet-new.domain:puppet-old:puppet-new \
    --generate puppet-new.domain

puppet cert --confdir ~/.puppet/conf_test --print puppet-new.domain

Subject: CN=puppet-new.domain
...
X509v3 Subject Alternative Name:
    DNS:puppet-old.domain, DNS:puppet-new.domain,
    DNS:puppet-old, DNS:puppet-new, DNS:puppet-new.domain
...

Please keep in mind this only issues a new SSL server certificate; it
uses the existing certificate authority, so your Puppet agent systems
will automatically trust this new certificate.

Hope this helps,
-- 
Jeff McCune
http://www.puppetlabs.com/
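The fix described in the reply above, reproduced with plain openssl as an added example (this is not code from the post, from Puppet, or from Apache). It assumes openssl is on PATH; the throwaway CA, the file names and the work directory are illustrative stand-ins for the real Puppet CA and its ssldir. It issues one certificate the way the old Apache setup had it (CN=puppet-new.domain, no subjectAltName) and one with the same CN plus the four DNS names the post passes to --certdnsnames, both signed by the same CA, and then runs the chain-plus-hostname check that an agent performs for each name:

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Assumes openssl is
# installed; directory and file names are illustrative.
set -e

# Stand-in for the existing Puppet CA (the real one lives in ssldir/ca).
make_ca() {   # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Puppet CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a server certificate signed by that CA.
# $1 = work dir, $2 = CN, $3 = file basename, $4 = SAN list (may be empty).
issue_cert() {
    dir=$1; cn=$2; name=$3; sans=$4
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ -n "$sans" ]; then
        # x509 -req reads extensions from a file; a bare key=value is enough.
        printf 'subjectAltName=%s\n' "$sans" > "$dir/$name.ext"
        set -- -extfile "$dir/$name.ext"
    else
        set --
    fi
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        "$@" -out "$dir/$name.crt" 2>/dev/null
}

# Would a client connecting to host $3 accept cert $2?  This is the chain
# check plus the hostname match that produced the agent's
# "hostname was not match with the server certificate" error.
# Exit status 0 = accepted.
check_hostname() {   # $1 = work dir, $2 = cert basename, $3 = hostname
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" \
        "$1/$2.crt" >/dev/null 2>&1
}

# Print accept/reject for the CNAME and the real name against one cert.
report() {   # $1 = work dir, $2 = cert basename
    for h in puppet-old.domain puppet-new.domain; do
        if check_hostname "$1" "$2" "$h"; then r=accept; else r=reject; fi
        printf '%-8s %-20s %s\n' "$2" "$h" "$r"
    done
}

WORK=$(mktemp -d)
make_ca "$WORK"
# Before: the Apache certificate only names puppet-new.domain (no SAN).
issue_cert "$WORK" puppet-new.domain before ""
# After: same CA, same CN, SAN covers the CNAME as well as the real name
# (the same list the post hands to --certdnsnames).
issue_cert "$WORK" puppet-new.domain after \
    "DNS:puppet-old.domain,DNS:puppet-new.domain,DNS:puppet-old,DNS:puppet-new"
report "$WORK" before
report "$WORK" after
openssl x509 -in "$WORK/after.crt" -noout -text | grep -A1 'Subject Alternative Name'
```

The "before" certificate is accepted for puppet-new.domain only (OpenSSL falls back to the CN when no DNS SAN is present) and rejected for puppet-old.domain, which is the agent's error; the "after" certificate is accepted under both names, and since it chains to the same CA file no client trust store has to change. A name outside the SAN list (say, other.domain) is still rejected, which is the check to keep in mind when choosing the certdnsnames list.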
