Hi

running 0.24.4 (from dlutters repo) today I tried to set up a puppetmaster which should be accessible on different domain names (due to that different networks should be served).

I set

    certname=puppet.domain.tdl
    dnscertnames=puppet.domain.tdl:puppeti.domain.tdl:puppet.domain2.tdl:puppeti.domain2.tdl

However the cert and ca which is created after emptying the ssl folder and starting then the puppetmaster contains only the domain from certname (so puppet.domain.tdl) and the fqdn of the host (which isn't mentioned anywhere in the configuration).

I verified this by using

    openssl s_client -connect localhost:8140

after starting the puppetmaster:

    ---
    CONNECTED(00000003)
    depth=1 /CN=$fqdn
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=puppet.domain.tdl
       i:/CN=$fqdn
     1 s:/CN=$fqdn
       i:/CN=$fqdn
    ---
    Server certificate
    [...]
    ---

I debugged a bit into the puppet code and could verify that the dnscertnames are merged into the subject_alt_name variable in the sslcertificate.rb file and this goes into the cert which is returned by mkcrt. So in my opinion this should be right. However as stated above the cert doesn't have these included, however the fqdn is included.

So is a) the code broken (should i file a ticket?), b) the documentation broken? (same question) or c) am I wrong?

If somebody could help me a bit about the whole cert stuff in puppet I could work me a bit into it and try to fix it. However after leaving the mkcert function I'm a bit lost how to debug it further.

That the puppetmaster should have more than one certnames is quite important for the setup I'm planning here.

thanks for your answers and greets pete

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Hi

> so is a) the code broken (should i file a ticket?), b) the
> documentation broken? (same question) or c) am I wrong?

c) !!!

hmm rather strange. I looked once again a bit at it then found out that with:

    openssl x509 -noout -text -in certs/puppet.domain.tdl

I see the subject alt names. and then it finally worked. Dunno what was exactly the problem. :-/

sorry for bugging you and greets pete
On Apr 1, 2008, at 3:19 PM, Peter Meier wrote:
>
> Hi
>
>> so is a) the code broken (should i file a ticket?), b) the
>> documentation broken? (same question) or c) am I wrong?
>
> c) !!!
>
> hmm rather strange. I looked once again a bit at it then found out
> that with:
>
> openssl x509 -noout -text -in certs/puppet.domain.tdl
>
> I see the subject alt names. and then it finally worked. Dunno what
> was exactly the problem. :-/
>
> sorry for bugging you and greets pete

Dunno why it suddenly started working, but note that puppetca recently acquired a '--print' option that will display the same text as above for a given cert.

--
There is no expedient to which a man will not go to avoid the labor of thinking. --Thomas A. Edison
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
When I run the command you suggest, I get:

    /usr/sbin/puppetca:290: undefined method `to_text' for nil:NilClass (NoMethodError)
        from /usr/sbin/puppetca:288:in `each'
        from /usr/sbin/puppetca:288

This is 0.24.4-2.

Cheers,
--
Jean-Baptiste Quenot
http://caraldi.com/jbq/blog/
On Apr 11, 2008, at 10:43 AM, Jean-Baptiste Quenot wrote:
> When I run the command you suggest, I get:
>
> /usr/sbin/puppetca:290: undefined method `to_text' for nil:NilClass
> (NoMethodError)
> from /usr/sbin/puppetca:288:in `each'
> from /usr/sbin/puppetca:288
>
> This is 0.24.4-2.

Huh. I guess I haven't looked at it since we went through all the ssl stuff a few months ago.

Can anyone else reproduce this?

--
I think that all good, right thinking people in this country are sick and tired of being told that all good, right thinking people in this country are fed up with being told that all good, right thinking people in this country are fed up with being sick and tired. I'm certainly not, and I'm sick and tired of being told that I am. -- Monty Python
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
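The check this thread turns on, as an added example (not code from the thread or from Puppet): the chain summary printed by openssl s_client lists only subject and issuer names, while the alternative names sit in the certificate's subjectAltName extension. The helper names and the throwaway self-signed certificate are constructed for illustration; the hostnames are the ones from the first message.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate (constructed sample, not Puppet's
# code): CN from certname, DNS subjectAltNames from colon-separated dnscertnames.
def build_sample_cert(certname, dnscertnames)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', certname]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dnscertnames.split(':').map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names found in the subjectAltName extension ([] if there is none).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '') }
end

# Names configured in dnscertnames that the certificate does not carry.
def missing_names(cert, dnscertnames)
  dnscertnames.split(':') - san_dns_names(cert)
end

if __FILE__ == $0
  names = 'puppet.domain.tdl:puppeti.domain.tdl:puppet.domain2.tdl:puppeti.domain2.tdl'
  cert  = build_sample_cert('puppet.domain.tdl', names)
  puts "subject: #{cert.subject}"           # all a subject/issuer listing shows
  puts "SANs:    #{san_dns_names(cert).join(', ')}"
  puts "missing: #{missing_names(cert, names).inspect}"
end
```

To check a certificate on disk instead, pass OpenSSL::X509::Certificate.new(File.read(path)) to san_dns_names or missing_names.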