
I am new to setting up Puppet and Puppetmaster... We have puppets set up previously, and a new puppetmaster...


3rd edit

After deleting the ssl files on both master (ghive-ldap) and client (giab10):

The hostname for master is ghive-ldap and in client's hostname I have that.

On master:

puppet cert clean ghive-ldap
puppet cert generate --dns_alt_names ghive-ldap ghive-ldap


sudo puppetca --sign giab10
err: Could not call sign: Could not find certificate request for giab10

so then on the client:

sudo puppet cert --generate giab10
notice: giab10 has a waiting certificate request
notice: Signed certificate request for giab10
notice: Removing file Puppet::SSL::CertificateRequest giab10 at '/var/lib/puppet/ssl/ca/requests/giab10.pem'
notice: Removing file Puppet::SSL::CertificateRequest giab10 at '/var/lib/puppet/ssl/certificate_requests/giab10.pem'
giabadmin@giab10:~$ sudo puppet cert --list --all
+ giab10 (0F:CB:............)

I ran this on the client

sudo puppetd --test --debug
.....
err: Could not retrieve catalog from remote server: getaddrinfo: Name or service not know

Fine... let me try this on the client

sudo puppet agent --server ghive-ldap --waitforcert 60 --test --verbose
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Garrrrr..... I deleted the ssl files and still no luck!! Something must have gone wrong...

How do I start from the beginning? I didn't get much help from the documentation... Sorry for being a noob.. Thanks

PS: Also, how do you make sure the two servers have time in sync?

CppLearner


Which hostname(s) did the puppetmaster generate its certificate for? The puppet client expects the certificate to be valid for "puppetmaster", but it doesn't seem to be issued for this hostname. I think "puppet" might be the default CN on the puppetmaster, or else the hostname of the server. You can check it by running "openssl x509 -text -in cert.pem" on the certificate of the server, or connect to https://yourpuppetmaster:8140/ with a browser, and see which domains are in the CN and dns_alt_names of the certificate.


EDIT

You have a certificate only for "master", but your client connects to "puppetmaster". So either the client needs to expect "master", or you need a certificate for "puppetmaster" on your master. A "certname=puppetmaster" in the [master] block in puppet.conf will change the CN on the server (http://docs.puppetlabs.com/references/stable/configuration.html#certname). You may need to remove the old certificates, but I am not sure about this. Or, you can have the client connect to "master", either by adding it to /etc/hosts, or to your DNS zone if you're running one.

arjarj
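An added configuration example, not taken from the answer or from the Puppet project's documentation: the two fixes the answer describes, written as puppet.conf fragments. The hostnames are the ones used in this thread; the section layout and values are assumptions to adapt to your own setup, and the fragments are meant to be read side by side, not pasted into one file as-is.

```ini
# Mismatch, as in the question: the agent is told to connect to
# "puppetmaster", but the master's certificate was generated for
# "ghive-ldap" only -> "certificate verify failed".

# agent side, /etc/puppet/puppet.conf (assumed path)
[agent]
server = puppetmaster

# master side, /etc/puppet/puppet.conf (assumed path)
[master]
certname = ghive-ldap

# Corrected, option 1: point the agent at the name the certificate already
# carries (the hostname must also resolve, via DNS or /etc/hosts on the client).
[agent]
server = ghive-ldap

# Corrected, option 2: keep the agent's "server = puppetmaster" and instead give
# the master a certificate that covers every name agents will use. The master
# needs a fresh certificate after this change (see the answer's note about
# removing the old one); the CA itself is untouched.
[master]
certname = ghive-ldap
dns_alt_names = ghive-ldap,puppetmaster,puppet
```

Whichever option you pick, the invariant is the same: the name in the agent's server setting must appear in the master certificate's CN or dns_alt_names, and it must resolve from the client.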
  • Thanks. I've updated my post above. Do they seem to do something weird? – CppLearner Jun 13 '12 at 23:50
  • You're connecting to "puppetmaster", but the puppetmaster only has a certificate it can use for "master". – arjarj Jun 14 '12 at 16:38
  • Thanks. Question... if the hostname for the master is not `puppetmaster`, should I just go back to `/etc/hosts` and put the actual hostname there? Will that make more sense? Thanks – CppLearner Jun 14 '12 at 17:02
  • It's a matter of preference I guess. I am usually hesitant to mess with the certificate stuff, so I'd just stick the hostname in /etc/hosts or DNS and be done with it. If you plan on growing to a lot more hosts and want to use the hostname you picked, I'd investigate the certname or dns_alt_names options. – arjarj Jun 14 '12 at 17:17
  • Thanks. Just a quick question... sorry for being a noob. I would like to start the whole certificate over. Where should I begin starting over? I deleted `/var/lib/puppets/ssl/` and `/etc/puppets/ssl` on both master and client... assuming that putting the actual hostname in `/etc/hosts` will make things smoother – CppLearner Jun 14 '12 at 17:21
  • Clearing /var/lib/puppet/ssl should be sufficient yes. I don't think changing /etc/hosts on the master will be helpful. Changing /etc/hosts would be on the client, to match the hostname you connect to with the certificate of the server. You can change the hostname of the server (often /etc/hostname, after you change it reboot or use the hostname command), or change the name puppet creates the certificate for with the certname option: http://docs.puppetlabs.com/references/2.7.9/configuration.html#certname – arjarj Jun 14 '12 at 17:25
  • Thanks... I edited my post. I would like to ask for guidance on starting over from the beginning.... it seems like I am creating a big mess here. If you can help it would be really great. Thanks in advance. – CppLearner Jun 14 '12 at 18:34
  • Did you check your error on http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security ? Also, you can sync the time with ntp, just point both servers to a valid ntp server, most likely your distro will come preconfigured with some. – arjarj Jun 14 '12 at 18:50
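As an added example (not code from the question, the answer, or Puppet itself), here is the check the answer recommends carried out programmatically: it parses the text form of `openssl x509 -text -in cert.pem` for the CN and the DNS entries of the Subject Alternative Name extension (what Puppet calls dns_alt_names) and reports whether a client connecting to a given server name would accept the certificate. The `openssl` output embedded below is constructed to mirror this thread (a master certificate issued for ghive-ldap), so the script runs offline; on a real master you would feed it the output of `openssl x509 -text -in /var/lib/puppet/ssl/certs/<master-certname>.pem` (path assumed from the ssldir shown in the question).

```python
"""Check whether a Puppet master certificate is valid for the name an agent
connects to.  Added example, not from the original post or from Puppet."""

import re

# Constructed sample of `openssl x509 -text` output: a master certificate
# issued for "ghive-ldap" with SAN entries for "ghive-ldap" and "puppet".
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Issuer: CN=Puppet CA: ghive-ldap
        Validity
            Not Before: Jun 13 00:00:00 2012 GMT
            Not After : Jun 13 00:00:00 2017 GMT
        Subject: CN=ghive-ldap
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ghive-ldap, DNS:puppet
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""


def parse_cert_names(x509_text):
    """Return (cn, [SAN DNS names]) parsed from `openssl x509 -text` output."""
    cn_match = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", x509_text, re.M)
    cn = cn_match.group(1).strip() if cn_match else None
    sans = []
    san_match = re.search(
        r"X509v3 Subject Alternative Name:\s*\n\s*(.+)", x509_text)
    if san_match:
        # The extension is rendered as one comma-separated line, e.g.
        # "DNS:ghive-ldap, DNS:puppet"; only DNS entries matter for hostnames.
        for entry in san_match.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                sans.append(entry[4:].strip())
    return cn, sans


def _name_matches(pattern, hostname):
    """Case-insensitive DNS name comparison allowing one leading '*.' wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # "*.example.com" matches exactly one label in front of the suffix.
        suffix = pattern[1:]
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return pattern == hostname


def cert_valid_for(x509_text, server_name):
    """True if a TLS client connecting to server_name would accept this cert.

    Follows the usual client rule (RFC 6125): when a SAN extension with DNS
    entries is present only those entries count; the CN is consulted only as a
    fallback when there is no SAN."""
    cn, sans = parse_cert_names(x509_text)
    names = sans if sans else ([cn] if cn else [])
    return any(_name_matches(n, server_name) for n in names)


def explain(x509_text, server_name):
    """One-line verdict in the style of the agent's error message."""
    cn, sans = parse_cert_names(x509_text)
    verdict = "OK" if cert_valid_for(x509_text, server_name) else \
        "certificate verify failed"
    return "server=%s CN=%s dns_alt_names=%s -> %s" % (
        server_name, cn, sans, verdict)


if __name__ == "__main__":
    print(explain(SAMPLE_X509_TEXT, "ghive-ldap"))    # accepted
    print(explain(SAMPLE_X509_TEXT, "puppetmaster"))  # rejected, as in the question
```

The second line of the output reproduces the situation in the question: the certificate names ghive-ldap and puppet, so an agent started with `--server ghive-ldap` is fine, while one that resolves the master as "puppetmaster" fails verification no matter how many times the ssl directory is cleared.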