10

I searched online and I see a few other people have had this issue on other lists/boards. When I run sudo puppetd --waitforcert 60 --test for the 2nd time after signing the cert on the master server I get this error:

notice: Got signed certificate
warning: Certificate validation failed; considering using the certname configuration option
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction: Certificates were not trusted: hostname was not match with the server certificate

I'm not sure I understand what the problem is or how to fix it. So that is why I ask.

I'm setting puppet up on two servers on my LAN. The puppetmaster is named 'puppet' and the other server is named 'puppetclient'. I put puppet into /etc/hosts on puppetclient.

Running hostname -f will display puppet and puppetclient on the respective servers. I'm not sure what else to try. Does anyone have any insight?

quanta

6 Answers

10

Sounds like the puppetmaster certificate was created when the host was named something other than "puppet". Recreate the certificate and you should be good.

The name stored in the certificate has to match what you configured your client to connect to (exactly). For instance, if you configure your client to connect to "puppet.domain.com", you'll get an error if the certificate is named "puppet" and vice versa.

diq
  • I had this happen to me a few hours ago. Needed the fully qualified domain name. – Pete TerMaat May 28 '09 at 01:55
  • appending .local on the client did the trick. even though hostname -f didn't show it. Thanks! –  May 28 '09 at 02:19
  • Perhaps there is a better way, but for me, I regenerated the CA certificates by `rm -rf /var/lib/puppet/ssl` and then restarting the puppetmaster – Peter Sankauskas Nov 07 '11 at 19:57
6

If you want to use DNS CNAME for your puppetmaster, you can start the puppetmaster using:

puppetmaster --certname cname.domain.org

which will make puppetmaster use cname.domain.org instead of the default fully qualified domain name.

Martin
2

The --certname cname.domain.org option seemed to do the trick for me (on Amazon EC2).

quanta
1

You can ask facter (facter fqdn) what the hostname is and see if that is consistent with what you expect. Also take a look at (by default) /var/lib/puppet/ssl/ and see what the certs look like; if they don't have the correct hostnames, that may be your problem. Since puppet does all of its communication over HTTPS, it's fairly sensitive to resolution and host naming.

Stick
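The advice above (look at the certs under /var/lib/puppet/ssl and compare them with the name the client uses) can be turned into a concrete check. The script below is an added example, not code from the original thread or from Puppet itself: it builds a throwaway self-signed certificate with openssl (subject CN "puppet" plus subjectAltName entries "puppet" and "puppet.local", both constructed here) and then tests candidate server names against the CN and the DNS SANs the way an HTTPS client decides whether the hostname it connected to is covered by the certificate. The function names, the temporary paths and the test names are assumptions for the demo; to check a real master, point cert_matches_name at the master's certificate in /var/lib/puppet/ssl/certs/ and pass the exact value of the client's server setting.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Puppet:
# compare the name an agent connects to with the names in a server cert.
set -e

# Print every hostname a certificate is valid for: the subject CN first,
# then each DNS entry of subjectAltName, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if NAME is exactly (case-insensitively) one of the cert's names.
# Wildcard entries are deliberately not expanded: "puppet" and
# "puppet.domain.com" are different names here, as in the error above.
cert_matches_name() {
    cert_names "$1" | grep -qixF -- "$2"
}

# Build a throwaway self-signed certificate for the demo (constructed input).
# $1 = work dir, $2 = CN, $3 = subjectAltName value such as "DNS:a,DNS:b".
make_test_cert() {
    cat > "$1/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $2
[ext]
subjectAltName = $3
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$1/openssl.cnf" -keyout "$1/key.pem" -out "$1/cert.pem" \
        >/dev/null 2>&1
    echo "$1/cert.pem"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT=$(make_test_cert "$WORK" puppet "DNS:puppet,DNS:puppet.local")

# Names a client might put in its server setting; only the first two match.
for name in puppet puppet.local puppet.domain.com; do
    if cert_matches_name "$CERT" "$name"; then
        echo "$name: covered by the certificate"
    else
        echo "$name: not covered, the agent would refuse to trust the master"
    fi
done
```

Run it as-is to see the three verdicts; on a real master, `cert_names /var/lib/puppet/ssl/certs/<fqdn>.pem` lists exactly the names a client may connect to, which is why a bare "puppet" in the cert fails when the client was told "puppet.domain.com" and vice versa.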
1

Before installing Puppet on your designated clients and server, check the /etc/resolv.conf file and verify that the first domain entry on the "search" line is the domain that you want Puppet to run under. For example:

search my.puppetdomain.com my.public.domain.com
nameserver 192.168.1.1
nameserver xxx.xxx.1.1

During the Puppet installation phase, the Puppet server will generate its certificates based on the first search entry in the /etc/resolv.conf. I found this out the hard way. If you see certificate-related errors on any puppet node, perform the following steps:

1) Edit the /etc/resolv.conf and verify that the first domain listed in the "search" line reflects the domain you want Puppet to run in.

2) Uninstall puppet (leave the /etc/puppet directory intact).

3) rm -rf /var/lib/puppet

4) Re-install Puppet (this will generate a new /var/lib/puppet directory).

5) If performing this on the Puppet server, run /usr/sbin/puppetmasterd --mkusers (alternatively, run /usr/local/sbin/puppetmasterd --mkusers). This will generate all the requisite files within /var/lib/puppet, including the new internal certificates using the proper domain name.

6) If performing this on the Puppet client, start Puppet in verbose mode, with the --waitforcert flag enabled:

puppetd -server .puppetdomain.com --waitforcert 60 --test

This step will send a certificate request to the Puppet server.

7) On the Puppet server, list the waiting certificates:

puppetca --list

You should see the hostname of the Puppet client making the request:

puppetclient1.puppetdomain.com

8) From the Puppet server, sign the certificate of the Puppet client just listed:

puppetca --sign puppetclient1.puppetdomain.com

Then you are done.

HTH....

0

Do puppet and puppetclient both resolve in DNS? If not you can edit the /etc/hosts file to map the IPs and hostnames. IIRC, you should only need to do this on the client.

slillibri