Puppet users - Nov 2011 - Issue with server certificates

I''ve spent most time than I care to admit to trying to setup Puppet in
our
production environment.  I had previously tested it out and gotten it to
work and now I cannot for some reason.  I am attempting to get Puppet
server (with passenger on Apache2) up and running under Ubuntu 11.10
(client too).

== Server Side =# puppet cert --list
  monitor-1.site.toplevel.tld
(51:21:C7:52:05:C5:70:0B:9F:7C:7A:65:D1:22:34:DC)
# puppet cert --sign monitor-1.site.toplevel.tld
notice: Signed certificate request for monitor-1.site.toplevel.tld
notice: Removing file Puppet::SSL::CertificateRequest
monitor-1.site.toplevel.tld at
''/var/lib/puppet/ssl/ca/requests/monitor-1.site.toplevel.tld.pem''

( Full server side puppet.conf: http://pastebin.com/e8qtWNpi )

== Client Side =# puppet agent --waitforcert 60 --test
info: Creating a new SSL key for monitor-1.site.toplevel.tld
warning: peer certificate won''t be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
info: Creating a new SSL certificate request for monitor-1.site.toplevel.tld
info: Certificate Request fingerprint (md5): 51:xx:xx:xx:xx:xx:xx:DC
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
info: Caching certificate for monitor-1.site.toplevel.tld
err: Could not retrieve catalog from remote server: hostname was not match
with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: hostname was not match with the server
certificate

( Full debug text: http://pastebin.com/gFhFfF7p )

== I dont get it =I can ping `puppet` and it works (it is a CNAME to
puppet-1.site.toplevel.tld which is the servers name). On the puppet server
I have "certname=puppet.site.toplevel.tld" set.  I''ve
regenerated the
servers certificates and I can goto
https://puppet.site.toplevel.tld:8140/and the certificate says that
it''s the same domain name.  I can even pull
out the certs from the client machine and they all match the names. 
I''m
totally at a loss and I could really use some help.

-- 
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

Try passing the ''--server puppet.domainname'' on your puppet
agent command. It may not be set on your host.

Cheers,
Den

On 09/11/2011, at 18:18, Jon Davis <jon@snowulf.com> wrote:
> I''ve spent most time than I care to admit to trying to setup
Puppet in our production environment.  I had previously tested it out and gotten
it to work and now I cannot for some reason.  I am attempting to get Puppet
server (with passenger on Apache2) up and running under Ubuntu 11.10 (client
too).
> 
> == Server Side => # puppet cert --list
>   monitor-1.site.toplevel.tld
(51:21:C7:52:05:C5:70:0B:9F:7C:7A:65:D1:22:34:DC)
> # puppet cert --sign monitor-1.site.toplevel.tld
> notice: Signed certificate request for monitor-1.site.toplevel.tld
> notice: Removing file Puppet::SSL::CertificateRequest
monitor-1.site.toplevel.tld at
''/var/lib/puppet/ssl/ca/requests/monitor-1.site.toplevel.tld.pem''
> 
> ( Full server side puppet.conf: http://pastebin.com/e8qtWNpi )
> 
> == Client Side => # puppet agent --waitforcert 60 --test
> info: Creating a new SSL key for monitor-1.site.toplevel.tld
> warning: peer certificate won''t be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> info: Creating a new SSL certificate request for
monitor-1.site.toplevel.tld
> info: Certificate Request fingerprint (md5): 51:xx:xx:xx:xx:xx:xx:DC
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> info: Caching certificate for monitor-1.site.toplevel.tld
> err: Could not retrieve catalog from remote server: hostname was not match
with the server certificate
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> err: Could not send report: hostname was not match with the server
certificate
> 
> ( Full debug text: http://pastebin.com/gFhFfF7p )
> 
> == I dont get it => I can ping `puppet` and it works (it is a CNAME to
puppet-1.site.toplevel.tld which is the servers name). On the puppet server I
have "certname=puppet.site.toplevel.tld" set.  I''ve
regenerated the servers certificates and I can goto
https://puppet.site.toplevel.tld:8140/ and the certificate says that
it''s the same domain name.  I can even pull out the certs from the
client machine and they all match the names.  I''m totally at a loss and
I could really use some help.
> 
> -- 
> Jon 
> [[User:ShakataGaNai]] / KJ6FNQ
> http://snowulf.com/
> http://www.linkedin.com/in/shakataganai
> 
> -- 
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.