Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain, and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer to balance over some 10 puppetmaster processes. The configured SSLCertificateFile in Apache is that of puppet-new.domain.

How do I get a node to stop complaining when connecting to puppet-old.domain (ending up at puppet-new.domain through the CNAME)?

    node# puppetd --test --server=puppet-old.domain
    err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

I tried fiddling with certdnsnames on both the server side and the client side, but without effect.

The reason I want this to work is because I want to be able to remove the puppet-old server without having to wait for every single node. There are dozens who haven't connected to the puppet-old server in quite a while for various reasons (down, hanging puppetd, network issues, ...), and I'm sure most of them will after a reboot, but I'd like to redirect those to the puppet-new server without having to keep the puppet-old server running.

Robert Scheer
XS4ALL Systeembeheer

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Daniel Pittman
2011-Jan-18 18:52 UTC
Re: [Puppet Users] Failed SSL with CNAME''d puppetserver
On Tue, Jan 18, 2011 at 10:41, Robert Scheer <rj@xs4all.net> wrote:
> Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain,
> and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer
> to balance over some 10 puppetmaster processes. The configured
> SSLCertificateFile in Apache is that of puppet-new.domain
>
> How do I get a node to stop complaining when connecting to
> puppet-old.domain (ending up at puppet-new.domain through the CNAME)?

Did you generate a new server certificate for the new host, or reuse the certificate from the old host? My guess is the former, because doing the latter would get the same complaint when machines connected to the new name. :)

The trick you want is to generate a server certificate that includes both names in it, using the subject alternate names part of the certificate, to tell the client that it certifies both names as being valid for the same host.

[...]

> The reason I want this to work is because I want to be able to remove the
> puppet-old server without having to wait for every single node. There are
> dozens who haven't connected to the puppet-old server in quite a while for
> various reasons (down, hanging puppetd, network issues, ...), and I'm sure
> most of them will after a reboot, but I'd like to redirect those to the
> puppet-new server without having to keep the puppet-old server running.

We don't do anything extra-fancy with SSL to match the hostname or anything, so this is just regular old SSL troubles.

Regards,
Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <daniel@rimspace.net>
✆ Contact me via gtalk, email, or phone: +1 (503) 893-2285
♲ Made with 100 percent post-consumer electrons
Jeff McCune
2011-Jan-18 18:57 UTC
Re: [Puppet Users] Failed SSL with CNAME''d puppetserver
On Tue, Jan 18, 2011 at 10:41 AM, Robert Scheer <rj@xs4all.net> wrote:
> Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain,
> and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer
> to balance over some 10 puppetmaster processes. The configured
> SSLCertificateFile in Apache is that of puppet-new.domain
>
> How do I get a node to stop complaining when connecting to
> puppet-old.domain (ending up at puppet-new.domain through the CNAME)?
>
> node# puppetd --test --server=puppet-old.domain
> err: Could not retrieve catalog from remote server: hostname was not match
> with the server certificate
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run

I recommend issuing a new certificate for the Apache SSL server which contains both puppet-old.domain and puppet-new.domain in the x.509 alternate names field.

> I tried fiddling with certdnsnames on both the server side and the client
> side, but without effect.

Certdnsnames is one way to do this. In Puppet 2.6 you can use the puppet cert command to easily create these certificates.

On the Puppet CA: (My configuration directory is for testing, you'll need to adjust this setting)

    puppet cert --confdir ~/.puppet/conf_test --certdnsnames puppet-old.domain:puppet-new.domain:puppet-old:puppet-new --generate puppet-new.domain

    puppet cert --confdir ~/.puppet/conf_test --print puppet-new.domain
    Subject: CN=puppet-new.domain
    ...
    X509v3 Subject Alternative Name:
        DNS:puppet-old.domain, DNS:puppet-new.domain, DNS:puppet-old, DNS:puppet-new, DNS:puppet-new.domain
    ...

Please keep in mind this only issues a new SSL Server certificate, it uses the existing certificate authority so your Puppet agent systems will automatically trust this new certificate.

Hope this helps,
-- 
Jeff McCune
http://www.puppetlabs.com/
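The check that fails in the first post, modelled as an added example (this is not Puppet's or OpenSSL's own code, and nothing here is from the thread beyond the names). It applies the hostname-matching rules OpenSSL-based clients use: when a certificate carries DNS subjectAltName entries only those are consulted and the subject CN is ignored; without any, the CN is the fallback; comparison is case-insensitive, and a wildcard is honoured only as the entire left-most label. The certificate contents are constructed from the thread (a CN-only certificate for puppet-new.domain, and one issued with Jeff's certdnsnames command); no real certificate is parsed, and the helper that expands a certdnsnames string is an assumption modelled on the `puppet cert --print` output quoted above.

```python
"""Added example (not Puppet's or OpenSSL's own code): a model of the
hostname check a TLS client performs against a server certificate, the
check behind "hostname was not match with the server certificate".

Rules modelled (RFC 2818 / RFC 6125 as OpenSSL-based clients apply them):
  * if the certificate carries any DNS subjectAltName entries, only those
    are consulted and the subject CN is ignored;
  * with no DNS SANs, the CN is used as a fallback;
  * comparison is case-insensitive and ignores a trailing dot;
  * a wildcard is honoured only as the whole left-most label.
All certificate contents below are constructed from the thread.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """Only the name-bearing fields of an X.509 server certificate."""
    cn: str
    dns_sans: List[str] = field(default_factory=list)


def certdnsnames_to_sans(cn: str, certdnsnames: str) -> List[str]:
    """Expand Puppet's colon-separated certdnsnames value into a DNS SAN
    list.  Assumption modelled on the `puppet cert --print` output in the
    thread, where the CN is appended after the listed names."""
    names = [n.strip() for n in certdnsnames.split(":") if n.strip()]
    return names + [cn]


def _name_matches(pattern: str, hostname: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard stands for exactly one label: label counts must agree and
    # every label after the wildcard must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: ServerCert, hostname: str) -> bool:
    """True if a client that connected to `hostname` would accept `cert`."""
    candidates = cert.dns_sans if cert.dns_sans else [cert.cn]
    return any(_name_matches(c, hostname) for c in candidates)


def accepted_names(cert: ServerCert, hostnames: List[str]) -> List[str]:
    """Which of `hostnames` the certificate is valid for (order preserved)."""
    return [h for h in hostnames if hostname_matches(cert, h)]


if __name__ == "__main__":
    # Constructed from the thread: the Apache certificate as first deployed
    # (CN only) and the one issued with the certdnsnames command.
    old_cert = ServerCert(cn="puppet-new.domain")
    new_cert = ServerCert(
        cn="puppet-new.domain",
        dns_sans=certdnsnames_to_sans(
            "puppet-new.domain",
            "puppet-old.domain:puppet-new.domain:puppet-old:puppet-new"),
    )
    for label, cert in (("CN-only cert", old_cert), ("SAN cert", new_cert)):
        for host in ("puppet-old.domain", "puppet-new.domain"):
            verdict = "ok" if hostname_matches(cert, host) else "hostname mismatch"
            print(f"{label:12} --server={host:18} {verdict}")
```

The point worth keeping in mind from the model: once a certificate has any DNS SAN, the CN no longer counts, so the CN must be repeated in the SAN list (as Puppet's output above shows it doing) or clients will reject the CN name itself.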
Robert Scheer
2011-Jan-19 12:18 UTC
Re: [Puppet Users] Failed SSL with CNAME''d puppetserver
On Tue, Jan 18, 2011 at 10:57 -0800, Jeff McCune wrote:
> puppet cert --confdir ~/.puppet/conf_test --certdnsnames
> puppet-old.domain:puppet-new.domain:puppet-old:puppet-new --generate
> puppet-new.domain

Thank you, this works!

Robert Scheer