Hi Nick and James,

You want me to do that on Master? I just did. I can't do that on the client.

Master:

$ puppet master --configprint certname
master

(I am using alias name from now on... you see it is not puppetmaster)

$ puppet cert clean master
notice: Revoked certificate with serial 2
notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/ca/signed/master.pem'
notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/certs/master.pem'
notice: Removing file Puppet::SSL::Key master at '/var/lib/puppet/ssl/private_keysmaster.pem'

$ puppet cert generate --dns_alt_names puppetmaster master
notice: master has a waiting certificate request
notice: Signed certificate request for master
notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/ca/requests/master.pem'
notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/certificate_requests/master.pem'

Now I see the following in master.pem

    X509v3 Subject Alternative Name:
        DNS:master, DNS:puppetmaster

But ran the test again, and still complain not matched.

Thanks.

On Wednesday, June 13, 2012 5:23:32 PM UTC-4, Nick Fagerlund wrote:
>
> On Wednesday, June 13, 2012 1:26:17 PM UTC-7, repoman wrote:
>
>> err: Could not retrieve catalog from remote server: hostname was not
>> match with the server certificate
>
> Hey, repoman,
>
> This is a dns_alt_names problem. (Setting info:
> http://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames
> )
>
> Short version is that the hostname you contact the puppet master at MUST
> be included in its SSL certificate. By default, only the master's certname
> and the special default hostname "puppet" are included. If "puppetmaster"
> isn't the certname of your master (check by running puppet master
> --configprint certname), you'll need to either re-generate its cert or
> configure agents to use one of the names in its certificate.
>
> To view the cert and confirm that "puppetmaster" isn't in it:
>
> puppet cert print (whatever the master's certname is)
>
> To regenerate the master's cert:
>
> puppet cert clean (whatever the master's certname is)
> puppet cert generate --dns_alt_names puppetmaster (whatever the master's
> certname is)
>