Hello there,

Since the update with ruby all my puppet function is dead (well known issue with the cert). There have been some discussions on the dev list on how to patch this for future versions. I have read the list and wondered how we can solve the issue while waiting for the .24. I am in beta test of the .23.x version but on my production system I wanted to find a way to solve this now on my version (0.22.4).

Do any of you have an idea on how to solve this?

- Can I recreate a server certificate (and how) without affecting the whole?
- Must I patch my .22.4 puppetmaster? (with what?)
- Must I patch all my clients? (with what?)

Is anyone able to tell me how to solve this, I am a little confused at the moment to which direction I need to go :)

--
Regards,
Ghislain
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

ADNET Ghislain wrote:
> Hello there,
>
> Since the update with ruby all my puppet function is dead (well known
> issue with the cert). There have been some discussions on the dev list
> on how to patch this for future versions. I have read the list and
> wondered how we can solve the issue while waiting for the .24. I am in
> beta test of the .23.x version but on my production system I wanted to
> find a way to solve this now on my version (0.22.4).

David Lutterkort posted a workaround for this issue that worked for me:

http://mail.madstop.com/pipermail/puppet-users/2007-October/004703.html

On Nov 28, 2007, at 4:34 AM, ADNET Ghislain wrote:
> Hello there,
>
> Since the update with ruby all my puppet function is dead (well
> known issue with the cert). There have been some discussions on the
> dev list on how to patch this for future versions. I have read the
> list and wondered how we can solve the issue while waiting for the
> .24. I am in beta test of the .23.x version but on my production
> system I wanted to find a way to solve this now on my version
> (0.22.4).
>
> Do any of you have an idea on how to solve this?
>
> - Can I recreate a server certificate (and how) without affecting
> the whole?
> - Must I patch my .22.4 puppetmaster? (with what?)
> - Must I patch all my clients? (with what?)
>
> Is anyone able to tell me how to solve this, I am a little
> confused at the moment to which direction I need to go :)

See the very long chain of comments on the bug ticket:

http://reductivelabs.com/trac/puppet/ticket/896

--
Charm is a way of getting the answer yes without asking a clear question. -- Albert Camus
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Nov 28, 2007, at 12:20 PM, Luke Kanies wrote:
> See the very long chain of comments on the bug ticket:
>
> http://reductivelabs.com/trac/puppet/ticket/896

Also http://reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006

It's probably best to make sure your server certificate has the server's fully qualified domain name in the CN field, and then use the fqdn in the --server configuration option on all of the clients.

Cheers,
--
Jeff McCune
Systems Manager
The Ohio State University Department of Mathematics

>> See the very long chain of comments on the bug ticket:
>>
>> http://reductivelabs.com/trac/puppet/ticket/896
>
> Also http://reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006
>
> It's probably best to make sure your server certificate has the
> server's fully qualified domain name in the CN field, and then use the
> fqdn in the --server configuration option on all of the clients.
>
> Cheers,

Yes, thanks a lot. I am working to settle all this with the server=... parameters. It should work. This seems simple it seems to solve. I still have some issue on some recipe that fails but the base connection at least works :)

--
Regards,
Ghislain

Jeff McCune wrote:
> It's probably best to make sure your server certificate has the
> server's fully qualified domain name in the CN field, and then use the
> fqdn in the --server configuration option on all of the clients.

It really should support definition of a cname that is accepted in the SSL transaction. If this can be done now with the technique discussed recently (set certname in the puppetmasterd section), that seems fine to me -- then I can set it to puppet.mydomain.com and make sure all the clients use that name. If I use the real fqdn and want to move puppetmaster later, that's a lot of work on the clients later.

Regards,
Mark

--
Mark D. Nagel, CCIE #3177 <mnagel@willingminds.com>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-630-4772, fax: 949-623-9854
*** Please send support requests to support@willingminds.com! ***

Mark D. Nagel wrote:
> It really should support definition of a cname that is accepted in the
> SSL transaction. If this can be done now with the technique discussed
> recently (set certname in the puppetmasterd section), that seems fine to
> me -- then I can set it to puppet.mydomain.com and make sure all the
> clients use that name. If I use the real fqdn and want to move

This is precisely what I'm doing here. I have a CNAME which is used for nothing else but identifying the puppet server, and point all my clients at that CNAME.

--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer  | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
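
Added example, not part of any message in this thread: a Ruby check of the advice above, that the name clients pass to --server has to match the CN in the puppetmaster's certificate. The certificates are throwaway self-signed ones, the names under example.com are constructed, and `sample_cert` and `check_names` are hypothetical helpers.

```ruby
require "openssl"

# Constructed sample data: a throwaway self-signed certificate with the
# given CN. A real puppetmaster certificate is signed by the Puppet CA.
def sample_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.new([["CN", common_name]])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# For each name a client might pass to --server, report whether Ruby's
# OpenSSL hostname check accepts the certificate for that name.
def check_names(cert, names)
  names.map { |n| [n, OpenSSL::SSL.verify_certificate_identity(cert, n)] }.to_h
end

# Constructed names: a short name, the host's own fqdn, a service CNAME.
CLIENT_NAMES = %w[puppet master01.example.com puppet.example.com].freeze

if __FILE__ == $PROGRAM_NAME
  CLIENT_NAMES.each do |cn|
    puts "certificate CN=#{cn}"
    check_names(sample_cert(cn), CLIENT_NAMES).each do |name, ok|
      puts "  --server #{name}: #{ok ? 'accepted' : 'rejected'}"
    end
  end
end
```

Each certificate is accepted only under the exact name in its CN, so a certificate issued for a dedicated CNAME stays valid across a host move as long as every client uses that CNAME.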