Vince Taluskie
2011-Apr-14 21:56 UTC
[Puppet Users] ca cert issue when puppetmaster doesn't reverse to puppet hostname
I wanted to test out running puppet under Passenger and set up a new puppetmaster (brm-up-puppet-2) box to test on. I was seeing some very odd errors back from clients when testing:

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

With the help of some previous posters and the archive, I was able to find some helpful debugging commands, and it appears that the cert generated when starting up the puppetmaster for the first time includes X509v3 Subject Alternative Name entries referencing 'puppet' and 'puppet.sitename.com' as well, which actually reverses back to what is currently running as prod (brm-up-puppet-1), not the new test puppetmaster (brm-up-puppet-2). Putting an alias in /etc/hosts on my clients reversing puppet to the brm-up-puppet-2 box eliminated the cert verify issues.

I wanted to mention that and ask if that seems like the correct assumption about the behavior for puppetmaster startup and CA creation. Before beginning my test, I wiped out the /var/lib/puppet/ssl directory on the new test puppetmaster. How do others handle multiple puppetmasters and this behavior, and/or the transitions needed to swap out old WEBrick for Passenger while keeping cert management sane?
Thanks,
Vince

openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/brm-up-puppet-2.sitename.com.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: brm-up-puppet-2.sitename.com
        Validity
            Not Before: Apr 13 21:40:39 2011 GMT
            Not After : Apr 11 21:40:39 2016 GMT
        Subject: CN=brm-up-puppet-2.sitename.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:78:d8:b4:4d:88:90:76:37:07:53:b3:b9:a1:
                    cf:dd:62:81:e7:07:b6:1d:44:9c:66:1f:2c:75:0e:
                    6a:d4:2c:bb:96:da:42:82:64:2d:eb:38:a1:4f:38:
                    7c:fe:28:c4:a0:eb:5e:79:54:91:e7:39:62:dc:60:
                    2c:77:ae:9d:ab:c4:d7:de:d7:80:33:0f:05:d3:b8:
                    f0:71:38:52:42:26:94:22:ea:12:13:73:e9:9c:49:
                    97:75:df:c4:d3:56:a7:ec:7e:7f:a7:09:8b:ac:6d:
                    0f:9e:0c:3f:ab:de:d5:ad:64:3c:27:f4:c5:7c:c9:
                    32:67:67:e1:97:12:10:fd:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Generated Certificate
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                06:96:73:3F:97:EE:B3:FC:43:DC:21:E8:D9:C9:C5:71:83:BB:0B:00
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:brm-up-puppet-2.sitename.com, DNS:puppet.sitename.com
    Signature Algorithm: sha1WithRSAEncryption
        53:64:d0:8a:e0:b8:76:04:b6:51:9a:3d:d0:ff:72:c9:2f:57:
        8c:6a:6a:f4:ac:d8:56:20:02:bb:e0:1c:07:47:58:88:b0:68:
        2a:56:70:70:62:ed:11:fb:a1:26:5a:e0:6c:5c:e7:75:a4:43:
        8a:54:ce:16:02:ab:ab:06:7e:57:1d:6a:71:75:b3:2e:8b:20:
        f3:e6:c6:86:7e:d5:ee:fc:ed:35:7c:2d:da:3d:10:62:97:51:
        d3:ee:e3:4d:c3:79:35:3e:38:30:7e:d6:f2:b4:ab:46:5a:7f:
        5a:82:05:20:c4:db:94:4c:40:76:5d:1e:3a:25:77:be:63:95:
        55:00
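As an added example (not from the original post and not Puppet's own code), the following Ruby script uses the same OpenSSL bindings Puppet is built on to rebuild the situation above in miniature. It creates a throwaway CA, issues a server certificate carrying the same three Subject Alternative Names as the dump (DNS:puppet, DNS:brm-up-puppet-2.sitename.com, DNS:puppet.sitename.com), and then runs the two checks a TLS client performs separately: chain verification against the CA it trusts, and matching the hostname it connected to against the certificate's SAN list. Either check failing on its own is enough to produce "certificate verify failed" on the client. All keys and certificates are generated in memory at run time; the hostnames are taken from the post, and brm-up-puppet-3.sitename.com is an invented name used only as a negative case.

```ruby
require 'openssl'

FIVE_YEARS = 5 * 365 * 24 * 3600

# Build a self-signed CA certificate, roughly the shape of the one the
# puppetmaster creates on first start-up ("Puppet CA: <fqdn>").
def build_ca(fqdn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=Puppet CA: #{fqdn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + FIVE_YEARS
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Issue a server certificate signed by the given CA, with the CN set to the
# master's FQDN and every name in +sans+ placed in the SAN extension as a
# dNSName, which is where a client actually looks for the hostname.
def issue_server_cert(ca_cert, ca_key, fqdn, sans, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + FIVE_YEARS
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment"))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth, clientAuth"))
  cert.add_extension(ef.create_extension("subjectAltName", sans.map { |n| "DNS:#{n}" }.join(",")))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Extract the dNSName entries from the SAN extension (what
# "openssl x509 -text" prints under X509v3 Subject Alternative Name).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext
  ext.value.split(",").map(&:strip)
     .select { |v| v.start_with?("DNS:") }
     .map    { |v| v.sub("DNS:", "") }
end

# Check 1: does the name the client connected to appear in the cert?
# This is the same routine Ruby's SSLSocket uses for post-connection checks.
def name_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Check 2: does the cert chain to a CA the client trusts? A client whose
# trust store holds a different CA (e.g. one from a wiped and regenerated
# ssl directory) fails here regardless of which hostname it used.
def chain_verifies?(trusted_ca_cert, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca_cert)
  store.verify(server_cert)
end

if __FILE__ == $0
  new_ca, new_ca_key = build_ca("brm-up-puppet-2.sitename.com")
  old_ca, _          = build_ca("brm-up-puppet-1.sitename.com")
  sans = %w[puppet brm-up-puppet-2.sitename.com puppet.sitename.com]
  master_cert, _ = issue_server_cert(new_ca, new_ca_key, "brm-up-puppet-2.sitename.com", sans, 2)

  puts "SANs: #{san_dns_names(master_cert).join(', ')}"
  (sans + ["brm-up-puppet-3.sitename.com"]).each do |h|
    puts "hostname #{h.ljust(32)} matches? #{name_matches?(master_cert, h)}"
  end
  puts "chain OK with new CA?  #{chain_verifies?(new_ca, master_cert)}"
  puts "chain OK with old CA?  #{chain_verifies?(old_ca, master_cert)}"
end
```

The two checks are independent: a certificate that lists the right names still fails if the client's trust store holds a different CA, and a certificate signed by the trusted CA still fails if the name the client used is absent from the SAN list. When debugging "certificate verify failed", establish which of the two is failing before changing DNS or /etc/hosts.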