Hi,
I'm trying to get puppetmasterd and puppetd to communicate properly with
each other but there seems to be a problem with how puppet determines the
hostname of the machine. Both daemons run on the same machine with the
hostname "nexus" but when I start puppetmasterd with "puppetmasterd -v -d"
I get the following output:
...
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/nexus..pem
info: Creating a new certificate request for nexus.
info: Requesting certificate
info: Autosign is enabled but /etc/puppet/autosign.conf is missing
info: Signing certificate for CA server
info: Signing certificate for nexus.
...
Notice the extra period in the hostname "nexus.". When I now try to connect
with puppetd using "puppetd --server 127.0.0.1 -t -d" I get the following
output on client and server:
CLIENT: err: Could not retrieve configuration: Could not find nexus. with
names nexus., nexus.
SERVER: err: Could not find nexus. with names nexus., nexus.
Checking the masterhttp.log reveals that the issuer for the certificate
seems to be correct ("Issuer: CN=nexus") but the subject isn't "Subject:
CN=nexus.". Again the additional period.
When I start puppetmasterd with "puppetmasterd -d -t --node_name fact" the
client can connect and retrieve the configuration from the server so the
hostname in the certificate really seems to be the problem here.
Am I doing something wrong or is this a bug in puppet? I'm trying all of
this on a Fedora Core rawhide system using the version 0.22.1 packages from
the Extras repository.
Regards,
Dennis

On Sun, Feb 25, 2007 at 05:12:25AM +0100, Dennis Jacobfeuerborn wrote:
> info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/nexus..pem

You don't have a Domain name for your host. Puppet doesn't like that. Give
it a hostname (even if it's just 'localdomain' or something).

> When I start puppetmasterd with "puppetmasterd -d -t --node_name fact" the
> client can connect and retrieve the configuration from the server so the
> hostname in the certificate really seems to be the problem here.

My rule of thumb for cert problems is to blow it all away and start again.

- Matt

Matthew Palmer wrote:
> On Sun, Feb 25, 2007 at 05:12:25AM +0100, Dennis Jacobfeuerborn wrote:
>> info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/nexus..pem
>
> You don't have a Domain name for your host. Puppet doesn't like that. Give
> it a hostname (even if it's just 'localdomain' or something).

This should be considered as a serious bug. Many installations only ask for
a machine name and "nexus" is a perfectly legal hostname. Even if there was
a fundamental reason for Puppet not to be able to deal with this (and I
can't think of one) it should give an error telling the user that it
encountered a setup it cannot deal with. "nexus." is bogus because it's a
hostname completely made up in Puppet's mind.

>> When I start puppetmasterd with "puppetmasterd -d -t --node_name fact" the
>> client can connect and retrieve the configuration from the server so the
>> hostname in the certificate really seems to be the problem here.
>
> My rule of thumb for cert problems is to blow it all away and start again.

That's what I'm doing of course but as long as Puppet comes up with the
completely incorrect hostname "nexus." it always sets up the new certificate
wrong. By the way this machine also has other aliases such as "localhost"
and "localhost.localdomain" so I think Puppet should do one of three things:
a) Try the first hostname it can get and fail if this name isn't usable.
b) If the first hostname isn't usable it could try to find alternatives that are.
c) It should be able to deal with all valid hostnames.
I think c) is clearly the preferable option here being the one used by every
other application out there.

Regards,
Dennis

Ok, I took a look at the source and patched three files which seem to solve
the problem for now. The patches are trivial and merely check if a domain
part actually exists before trying to append it to the host part. Since I'm
new to ruby these patches might not exhibit the best way to do this but they
work so there you go... :)

Regards,
Dennis
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
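
[Added illustration, not part of the original thread and not Puppet's source or the attached patches: a Ruby sketch of the check described in the message above, where the domain is appended only if one exists and the resulting certificate name is validated before use. All function names and sample inputs are hypothetical.]

```ruby
# Added illustration; not Puppet's source. All names here are hypothetical.

# Behaviour the thread describes: host and domain are always joined with a
# dot, so an empty domain yields "nexus." instead of "nexus".
def certname_unconditional(host, domain)
  [host, domain].join(".")
end

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/

# Fail loudly on an unusable name before any key or certificate request is
# created under it.
def validate_hostname!(name)
  labels = name.split(".", -1) # -1 keeps the empty label a trailing dot leaves
  bad = labels.reject { |label| label =~ LABEL }
  unless bad.empty? && name.length <= 253
    raise ArgumentError, "invalid hostname #{name.inspect}"
  end
  name
end

# Guarded version: append the domain only when a domain part actually exists.
def certname_guarded(host, domain)
  host = host.to_s.strip.downcase
  domain = domain.to_s.strip.downcase.sub(/\A\.+/, "").sub(/\.+\z/, "")
  raise ArgumentError, "empty hostname" if host.empty?
  validate_hostname!(domain.empty? ? host : "#{host}.#{domain}")
end

# Constructed sample inputs: (host, domain) pairs as a facts lookup might
# return them on machines with and without a configured domain.
SAMPLES = [["nexus", ""], ["nexus", nil],
           ["nexus", "localdomain"], ["Nexus", ".example.com."]]

if __FILE__ == $0
  SAMPLES.each do |host, domain|
    printf("%-30s unconditional=%-22s guarded=%s\n", [host, domain].inspect,
           certname_unconditional(host, domain).inspect,
           certname_guarded(host, domain).inspect)
  end
end
```

The validation step corresponds to the request earlier in the thread that an unusable name should produce an error rather than a certificate whose subject does not match the host.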

On Feb 25, 2007, at 5:54 PM, Dennis Jacobfeuerborn wrote:
> Ok, I took a look at the source and patched three files which seem
> to solve the problem for now. The patches are trivial and merely
> check if a domain part actually exists before trying to append it
> to the host part. Since I'm new to ruby these patches might not
> exhibit the best way to do this but they work so there you go... :)

I'll apply this patch or some facsimile thereof when I get back to the
States. Thanks.

--
Hoare's Law of Large Problems: Inside every large problem is a small
problem struggling to get out.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Feb 25, 2007, at 10:54 AM, Dennis Jacobfeuerborn wrote:
> Ok, I took a look at the source and patched three files which seem
> to solve the problem for now. The patches are trivial and merely
> check if a domain part actually exists before trying to append it
> to the host part. Since I'm new to ruby these patches might not
> exhibit the best way to do this but they work so there you go... :)

Thanks; committed to svn.

--
God loved the birds and invented trees. Man loved the birds and
invented cages. -- Jacques Deval
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com