On Fri, Jun 1, 2012 at 5:23 AM, Andrew Wasilczuk <a...@zx23.net> wrote:

> Hi Jeff
>
> On Thu, May 31, 2012 at 08:55:29AM -0700, Jeff McCune wrote:
> >    There are two identities in Puppet that relate to the security model. The
> >    first identity is the certname and the second is the node name.
> >    Puppet uses the certname to construct the certificate.
> >    Everything else (catalogs, facts, reports, etc...) is identified by the
> >    node name.
> >    By default the value of node name is the value of the certname.
> >    For security, requests are only authorized if the name of the node matches
> >    the cert name.
> >    What you're seeing is puppet denying access because your node name no
> >    longer matches the cert name.
> >    I recommend you don't make your node names match your cert names because
> >    an email address is not a valid node name.  To get this to work you'll
> >    need to hack at auth.conf to map which cert names are authorized to
> >    request resources for certain nodes.
> >    Hope this helps.
> >    You might want to take a look at #2128 and the node_name_value setting.
>
> Thanks for your reply, Jeff, but I don't quite understand, because as far
> as I can tell my cert name and node name are the same:
>

The "certname" in Puppet is actually the X.509 common name field in the
certificate.

You may be running into a bug in Puppet but I'm not entirely sure yet...

What web server are you using to terminate the SSL connection from the
agent to the master?  Is it simply the built in one provided by `puppet
master` or are you using Apache or something?

It appears that we're not correctly parsing out the emailAddress field
inside the subject and instead we're treating it as part of the common name
(CN).

-Jeff
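The failure mode Jeff describes (an emailAddress RDN in the subject being swallowed into the common name, so the extracted certname no longer equals the node name and the request is denied) can be reproduced with a small parser. The following Ruby is an added example, not Puppet's own code: it assumes an OpenSSL-style "/"-separated subject string (a constructed sample), contrasts a naive "everything after CN=" extraction with a proper per-RDN parse, and applies the thread's authorization rule that the node name must equal the certname.

```ruby
# Added example (not Puppet's code): extracting the certname (CN) from an
# X.509 subject and checking it against the node name.

# Constructed sample subject: a CN RDN followed by an emailAddress RDN, in
# the "/"-separated form OpenSSL prints. This is an assumption about the
# input format, not a value taken from the thread.
SAMPLE_SUBJECT = "/CN=agent01.example.com/emailAddress=ops@example.com".freeze

# Naive extraction: take everything after "CN=" to the end of the string.
# A trailing emailAddress RDN is therefore treated as part of the CN, which
# is the parsing mistake described in the reply above.
def naive_certname(subject)
  m = subject.match(/CN=(.*)\z/)
  m && m[1]
end

# Correct extraction: split the subject into its RDNs first, then read the
# CN attribute on its own. Other attributes (emailAddress, O, OU, ...) are
# kept separately and never leak into the common name.
def parse_subject(subject)
  subject.split("/").reject(&:empty?).each_with_object({}) do |rdn, h|
    key, value = rdn.split("=", 2)
    h[key] = value
  end
end

def certname(subject)
  parse_subject(subject)["CN"]
end

# The rule stated in the thread: a request is authorized only when the
# node name matches the certname. The extractor is injectable so the two
# parsing strategies can be compared against the same subject.
def authorized?(subject, node_name, extractor: method(:certname))
  extractor.call(subject) == node_name
end

if __FILE__ == $PROGRAM_NAME
  node = "agent01.example.com"
  puts "naive certname:   #{naive_certname(SAMPLE_SUBJECT).inspect}"
  puts "parsed certname:  #{certname(SAMPLE_SUBJECT).inspect}"
  puts "emailAddress RDN: #{parse_subject(SAMPLE_SUBJECT)['emailAddress'].inspect}"
  puts "naive authorized?  #{authorized?(SAMPLE_SUBJECT, node, extractor: method(:naive_certname))}"
  puts "parsed authorized? #{authorized?(SAMPLE_SUBJECT, node)}"
end
```

With the naive extractor the certname comes back as `agent01.example.com/emailAddress=ops@example.com`, which can never equal a node name, so every request from that agent is denied even though its CN alone matches; the per-RDN parse recovers `agent01.example.com` and the check passes. Real deployments should read the CN through the TLS library's name object rather than string-splitting, but the comparison logic is the same.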
