Puppet users - Jul 2008 - Certs and NAT and such

I would like to use Puppet to update various remote machines
automatically.

Some of these machines are on the other side of cable modems on local
networks. An extreme example would be in a hotel room, but a normal
example would be somebody''s "home office".

Leaving the hotel scenario aside (but it would be nice if I could make
it work), when the remote machine would try to connect puppetmaster
would fail because the reverse lookup while verifying a cert would
fail. The reverse lookup wold resolve to the ISP and not the remote
machines name.

I got around this by putting the address of the remote machines cable
modem in /etc/hosts with the machine name Facter generated.

Now the remote machine doesn''t even manage to connect because it it
says: `connect'': certificate verify failed (OpenSSL::SSL::SSLError)

Is there a how-to for setting up this kind of scenario? Is it even
possible??



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Of course, just asking the question brought the solution to light.

I had run puppetd on the remote client before setting up the remote
client''s machine name in the server''s /etc/hosts file so it
never
asked for an updated one.

So, I scrubbed all the certs out of the client, tried again. Got the
signing request on the server, signed the cert and now everything is
working.

So to sum it up. To talk to a remote client on the other side of a
cable modem (or equivalent).

1) Set the client up with a machine and domain name.
2) Run facter on the client to make sure the the machine name you
think will get reported is correct.
3) Add that machine name and the IP address of the cable modem to the
servers /etc/hosts file and reload the server''s DNS process to make
sure it is seen. (If needed - only the servers sysop knows for sure).
3) Run puppetd on the client FOR THE FIRST TIME.
4) Use puppetca on the server to sign the client''s cert.
5) Run puppetd on the client as normal.

At least it worked for me.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---