
I am setting up a miscellaneous server cluster behind an internal AWS ELB which will serve NTP, centralized Rsyslog, and Puppetmaster. I configured the listener on the ELB to use https (8140) which required a certificate, so I used aws cli to upload the certs, and they uploaded fine:

"ServerCertificateMetadata": {
    "ServerCertificateId": "SOMEID",
    "ServerCertificateName": "wildcard_example_com",
    "Expiration": "2016-09-14T23:59:59Z",
    "Path": "/",
    "Arn": "arn:aws:iam::1234:server-certificate/wildcard_example_com",
    "UploadDate": "2015-10-21T13:46:22.844Z"
}

But now when I try to run puppet against a node I keep getting these errors:

Could not retrieve catalog from remote server: Certname "/ou=domain control validated/ou=positivessl wildcard*.example.com" must not contain unprintable or non-ASCII characters

The .crt and .key files were uploaded as-is, which I assume were already in PEM format, because when I view them they have the following:

# server.key
-----BEGIN PRIVATE KEY-----
<key string here>
-----END PRIVATE KEY-----

# server.crt
-----BEGIN CERTIFICATE-----
<crt string here>
-----END CERTIFICATE-----

If I add 127.0.0.1 puppetmaster to the /etc/hosts file (circumventing the ELB) then puppet runs fine. What am I missing?

Versions:

CentOS: 6.7
Puppetmaster: 2.7.26
Mike Purcell

1 Answer

You shouldn't need to use SSL-offload on the ELB - you can just use standard port passthrough and leave everything as-is.

e.g. Traffic on TCP port 8140 on the ELB is forwarded to port 8140 on the Puppet master.

Craig Watson
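A quick check, added here and not part of Craig Watson's answer, for telling the two listener types apart from the agent's side: it reports the subject of the certificate a client receives on port 8140 through the ELB and says whether that is the Puppet master's own certificate (passthrough) or the uploaded wildcard certificate (offload). It assumes the openssl command-line tool is installed, and the ELB name, port and certname passed to check_listener are placeholders.

```shell
# Added example, not from the question or the answer above. With an https
# listener the ELB terminates TLS and presents the uploaded wildcard cert;
# with a TCP listener the agent reaches the Puppet master's own cert, whose
# CN is the master's certname. Hostnames and certname are placeholders.

# Subject line of the certificate presented on host:port, with "key = value"
# spacing normalised so old and new openssl output formats compare the same.
presented_subject() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null \
        | sed 's/ *= */=/g'
}

# Prints "passthrough" when the subject CN is exactly the expected master
# certname, "offload" otherwise (e.g. CN=*.example.com from the wildcard cert).
classify_subject() {
    subject=$(printf '%s' "$1" | sed 's/ *= */=/g')
    expected=$2
    case "$subject" in
        *"CN=$expected"|*"CN=$expected,"*|*"CN=$expected/"*) echo passthrough ;;
        *) echo offload ;;
    esac
}

# Usage: check_listener <elb-dns-name> 8140 puppetmaster
check_listener() {
    subject=$(presented_subject "$1" "$2")
    if [ -z "$subject" ]; then
        echo "no certificate returned from $1:$2" >&2
        return 1
    fi
    echo "$subject"
    classify_subject "$subject" "$3"
}
```

Run it once against the ELB DNS name and once against the master directly; the two should agree only when the listener is TCP passthrough.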