18

my puppet.conf on the master

[master]
certname = myname.mydomain.com
ca_server = myname.mydomain.com
certdnsnames = puppet;puppet.local;myname.dyndns.org;hivemind.local;

To my understanding, with the certdnsnames defined the following should work:

puppet agent --server myname.dyndns.org --test

But I get the following error:

err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

How can I avoid this error? How do I correctly define certdnsnames? I have found different documentation about this, but no simple example. If I use "," for separation I cannot sign at all. I have also seen a syntax like

certdnsnames = puppet:puppet.intra.myserver.fr,puppet.myserver.fr:puppet,puppet:puppet,puppet.intra.myserver.fr,puppet.myserver.fr

http://projects.puppetlabs.com/issues/5776

but for me it's not clear when to add a "puppet:" and when not.

c33s

7 Answers

27

For the benefit of anyone else who stumbles upon this answer:

Due to CVE-2011-3872, Puppet no longer supports the certdnsnames option. From the documentation:

The certdnsnames setting is no longer functional, after CVE-2011-3872. We ignore the value completely. For your own certificate request you can set dns_alt_names in the configuration and it will apply locally. There is no configuration option to set DNS alt names, or any other subjectAltName value, for another node's certificate. Alternately you can use the --dns_alt_names command line option to set the labels added while generating your own CSR.

You can generate an SSL certificate for your server using subjectAlternativeName like this:

$ puppet cert generate <puppet master's certname> --dns_alt_names=<comma-separated list of DNS names>
larsks
  • Additional note: Before running puppet cert generate, remove the .pem files for the puppet master in /var/lib/puppet/ssl/private_keys, /var/lib/puppet/ssl/ca/signed/ and /var/lib/puppet/ssl/certs. Generating a new certificate is not killing connectivity to existing clients, as they verify the certificate of the puppetmaster using the CA's certificate, which they downloaded at first connect. – Erik Forsberg Jun 27 '12 at 19:27
  • Hey, thanks Lars from the past. You just answered my question. – larsks Feb 16 '13 at 04:18
  • For people googling this in 2021+ - see more current answers below. This answer uses deprecated/removed APIs – AndrewL Mar 04 '21 at 00:45
2

For Puppet 4+ use the following commands to change the accepted dns names for the puppetserver certificate:

Rename existing certificates to *.backup:

mv /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem{,.backup}
mv /etc/puppetlabs/puppet/ssl/ca/signed/$(hostname -f).pem{,.backup}
mv /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem{,.backup}

Generate a new certificate (add your desired alt names):

puppet cert generate $(hostname -f) --dns_alt_names=$(hostname -f),puppet

Restart puppetserver to use the new certificates:

service puppetserver restart
phiphi
1
quanta
  • Sorry for not accepting this answer, I had a translation problem with "colon" so the other answer helped me out by simply showing me the right char :) but thank you for your answer – c33s Oct 10 '11 at 14:09
0

I'm not sure whether Greg Bray's answer works, but this one is ripped straight from the current documentation:

dns_alt_names — A list of hostnames the server is allowed to use when acting as a primary server. The hostname your agents use in their server setting must be included in either this setting or the primary server’s certname setting. Note that this setting is only used when initially generating the primary server’s certificate — if you need to change the DNS names, you must:

Turn off the Puppet Server service (or your Rack server).

Run: sudo puppetserver ca clean <SERVER'S CERTNAME>

Run: sudo puppetserver ca generate <SERVER'S CERTNAME> --dns-alt-names <ALT NAME 1>,<ALT NAME 2>,...

Re-start the Puppet Server service.

рüффп
AndrewL
0

Since Puppet 6 the command puppet cert is no longer available; it existed only up to Puppet 5.x. To create a new certificate for the Puppet server (with multiple hostnames or FQDNs), you have to do the following since Puppet 6:

  1. if the Puppet server is still running, stop it
    systemctl stop puppetserver.service

  2. delete existing old certificate files
    To guard against problems, the old certificate files can also just be moved or renamed instead.

    1. delete the three files in puppet/ssl
      rm /etc/puppetlabs/puppet/ssl/{certs,private_keys,public_keys}/$(hostname -f).pem
    2. delete the signed cert from ca in puppetserver/ca
      rm /etc/puppetlabs/puppetserver/ca/signed/$(hostname -f).pem
  3. create a new certificate for the Puppet server
    puppetserver ca generate --certname $(hostname -f) --subject-alt-names $(hostname -f),<alt_name_1>,<alt_name_2> --ca-client --force

    Parameters of puppetserver ca generate command:

    • --certname $(hostname -f): use the server's FQDN as the certificate's common name (CN)
      You can manually enter a name, e.g. if you plan to rename the server in the future, and enter the current FQDN as Subject Alt Name.
    • --subject-alt-names $(hostname -f),<alt_name_1>,<alt_name_2>: List of hostnames, comma separated
    • --ca-client: Whether this cert will be used to request CA actions. Causes the cert to be generated offline.
    • --force: Suppress errors when signing cert offline. To be used with '--ca-client'
  4. start Puppet Server again
    systemctl start puppetserver.service

Some Notes

  • There is a puppetserver ca clean command, but it requires a running and functioning Puppet server. The method described here (with manual deletion of the certificate files) works without a running Puppet server.

  • Using multiple hostnames at --subject-alt-names, the Puppet agents can validly contact the Puppet Server with all these hostnames.

    If the Puppet server is contacted with a hostname that is not listed in the certificate as --subject-alt-names or --certname, you get an error message as follows:

    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=your_puppet_server_cert_cn]

phanaz
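A check, added here as an example and not code from this thread or from Puppet itself, that models the hostname-against-certificate comparison behind the errors quoted above: the agent's --server value must match the server certificate's CN (certname) or one of its dNSName SANs. It parses both the old colon-separated certdnsnames form and the comma-separated dns_alt_names/--subject-alt-names form, using the question's names as constructed input; wildcard handling follows the usual RFC 6125 rule (one leftmost label only) and is my addition, not something the thread discusses.

```python
from typing import Iterable, List


def parse_alt_names(value: str, separator: str) -> List[str]:
    """Split a certdnsnames (':') or dns_alt_names (',') value into DNS labels.

    Empty entries (e.g. from a trailing separator) are dropped.
    """
    return [n.strip() for n in value.split(separator) if n.strip()]


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*' covering exactly one leftmost label (RFC 6125)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    # '*.example.com' covers 'puppet.example.com' but not 'a.b.example.com'
    # and never a bare second-level name such as 'example.com'.
    return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]


def server_name_accepted(certname: str, alt_names: Iterable[str], server: str) -> bool:
    """True if the agent's --server value is covered by the cert's CN or its SANs."""
    return any(_name_matches(n, server) for n in [certname, *alt_names])


def question_scenario() -> dict:
    """Constructed walk-through of the question: ';'-separated value vs the ':' fix."""
    certname = "myname.mydomain.com"
    server = "myname.dyndns.org"
    # As written in the question: ';' is not a separator, so this is ONE bogus label.
    broken = parse_alt_names("puppet;puppet.local;myname.dyndns.org;hivemind.local;", ":")
    # Colon-separated form from the accepted-style answer below.
    fixed = parse_alt_names("puppet:puppet.local:myname.dyndns.org:hivemind.local", ":")
    # Puppet 6 form: comma-separated --subject-alt-names.
    modern = parse_alt_names("myname.mydomain.com,puppet", ",")
    return {
        "broken_label_count": len(broken),
        "broken_accepted": server_name_accepted(certname, broken, server),
        "fixed_accepted": server_name_accepted(certname, fixed, server),
        "modern_puppet_accepted": server_name_accepted(certname, modern, "puppet"),
        "modern_dyndns_accepted": server_name_accepted(certname, modern, server),
    }


if __name__ == "__main__":
    for key, value in question_scenario().items():
        print(f"{key}: {value}")
```

Run it against the names your own agents use in their server setting before restarting puppetserver; any False is the same mismatch the quoted errors report.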
0

According to

puppet agent --genconfig

you must use a colon-separated (":" not ";") list.

So it should be

certdnsnames = 'puppet:puppet.local:myname.dyndns.org:hivemind.local'

HTH

cyberkov
0

To add a SAN entry to the puppet server cert use:

systemctl stop puppetserver
puppetserver ca setup --subject-alt-names $(hostname -f),puppet
systemctl start puppetserver

You may need to clear out existing certs via rm -rf $(puppet master --configprint ssldir) as well.

Greg Bray