Hi Jeff

On Thu, May 31, 2012 at 08:55:29AM -0700, Jeff McCune wrote:
>    There are two identities in Puppet that relate to the security model. The
>    first identity is the certname and the second is the node name.
>    Puppet uses the certname to construct the certificate.
>    Everything else (catalogs, facts, reports, etc...) is identified by the
>    node name.
>    By default the value of node name is the value of the certname.
>    For security, requests are only authorized if the name of the node matches
>    the cert name.
>    What you're seeing is puppet denying access because your node name no
>    longer matches the cert name.
>    I recommend you don't make your node names match your cert names because
>    an email address is not a valid node name.  To get this to work you'll
>    need to hack at auth.conf to map which cert names are authorized to
>    request resources for certain nodes.
>    Hope this helps.
>    You might want to take a look at #2128 and the node_name_value setting.

Thanks for your reply Jeff but I don't quite understand because as far
as I can tell my cert name and node name are the same:


subject=emailAddress=syst...@example.net,CN=mir.example.net,O=example,ST=Greater London,C=UK

% facter fqdn
mir.example.net


I'm assuming that by cert name you mean the common name (CN)?

I'm no SSL expert but I'm aware that having the email address in the
subject of the certificate is deprecated (although still the default in
OpenSSL for some reason).  rfc3850[1] strongly suggests moving the
emailAddress to subjectAltName extension.

So, I'm going to update my PKI to the rfc3850 recommendation (or drop
the emailAddress completely as I don't think it's necessary for host
certs anyway).  However, I was just wondering whether it's worth it for puppet
to support the legacy way since it's the default in OpenSSL and it's
likely that other people will hit this problem.  I've got the luxury of
being able to re-generate my certs relatively easily but someone else
may not be as lucky, if they are trying to re-use their existing
certificates with puppet.

I guess it all boils down to how much work it would take to support this
in puppet and if it's puppet or the Ruby OpenSSL bindings that need the
work.


Cheers,

Andrew.
-- 
[ a...@zx23.net ]

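As an added illustration of the two subject layouts discussed above (this is example code written for this page, not Puppet's own certificate handling): the helper builds a self-signed host certificate either with emailAddress inside the Subject, as the older OpenSSL default does, or with the address moved into subjectAltName as rfc3850 recommends, and then extracts the certname the way Jeff describes it, i.e. the Subject CN, matched by attribute rather than by position so the extra emailAddress RDN does not get in the way. The check at the end is a simplified version of the "node name must equal cert name" rule from Jeff's reply; the host name is taken from the post, while the e-mail address and the one-year validity are constructed placeholders.

```ruby
require 'openssl'

# Build a self-signed host certificate for +cn+.
# legacy_email: true  -> emailAddress goes into the Subject (old OpenSSL default)
# legacy_email: false -> emailAddress goes into subjectAltName (rfc3850 advice)
# The address and validity period are constructed placeholders for this example.
def build_host_cert(cn, email, legacy_email: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1

  # Same RDNs as the subject shown in the post, minus the address.
  rdns = [['CN', cn], ['O', 'example'], ['ST', 'Greater London'], ['C', 'UK']]
  rdns.unshift(['emailAddress', email]) if legacy_email
  cert.subject = OpenSSL::X509::Name.new(rdns)
  cert.issuer  = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = "DNS:#{cn}"
  san = "email:#{email},#{san}" unless legacy_email
  cert.add_extension(ef.create_extension('subjectAltName', san, false))

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The certname is the Subject CN. Look it up by attribute name so that an
# emailAddress RDN placed in front of the CN does not shift it.
def certname_from(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# True when the (deprecated) emailAddress attribute sits in the Subject DN.
def email_in_subject?(cert)
  cert.subject.to_a.any? { |name, _value, _type| name == 'emailAddress' }
end

# E-mail addresses carried in the subjectAltName extension, if any.
def san_emails(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('email:') }
     .map    { |v| v.sub('email:', '') }
end

# Simplified form of the rule from Jeff's reply: a request is authorized only
# when the node name equals the certname.
def authorized?(cert, node_name)
  certname_from(cert) == node_name
end

if __FILE__ == $PROGRAM_NAME
  legacy = build_host_cert('mir.example.net', 'hostmaster@example.net', legacy_email: true)
  modern = build_host_cert('mir.example.net', 'hostmaster@example.net')
  puts "legacy subject: #{legacy.subject}  certname=#{certname_from(legacy)}"
  puts "modern subject: #{modern.subject}  certname=#{certname_from(modern)}  SAN emails=#{san_emails(modern)}"
  puts "authorized for mir.example.net? #{authorized?(modern, 'mir.example.net')}"
end
```

Running it prints the two subjects side by side: both yield the same certname, so extracting the CN by attribute is unaffected by where the address lives, and only the legacy layout reports `email_in_subject?` as true.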