Hi, we are getting ready to deploy Puppet on our network. Our managed servers/VPSes are multi-homed (i.e. a public and a private network); the uname -a of the server is associated with the public name (in our case empoweringmedia.net) and not the private network name. This causes a host name mismatch with puppet.

My question is: can puppet clients create certs for the internal network side and then send this to the puppetmaster, which only listens on the private network?

I would prefer NOT to have puppetd and puppetmasterd on the public side of our network. Even though SSL is pretty secure, there is no reason in our case to keep it on the public side.

If this feature isn't possible, can I suggest this for a future version.

Thanks..

--
Larry Ludwig
HostCube - Managed and Unmanaged Xen VPSes
http://www.hostcube.com/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
In the client side, you can set the sertname to private name. In the server side, you can set the bindaddress to private network address.

On Apr 8, 7:43 am, Larry Ludwig <larry...@gmail.com> wrote:
> My question is: can puppet clients create certs for the internal network
> side and then send this to the puppetmaster, which only listens on the
> private network?
On Tuesday 08 April 2008, huangmingyou wrote:
> In the client side, you can set the sertname to private name. In the
> server side, you can set the bindaddress to private network address.

Exactly. certname is spelled with a 'c' in front though. For more information, look at http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference

Regards, DavidS

--
The primary freedom of open source is not the freedom from cost, but the freedom to shape software to do what you want. This freedom is /never/ exercised without cost, but is available /at all/ only by accepting the very different costs associated with open source, costs not in money, but in time and effort.
-- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking
> Exactly. certname is spelled with a 'c' in front though.

So you set this name in puppetd config BEFORE you start (which creates the cert)?
Trevor Vaughan
2008-Apr-08 13:59 UTC
[Puppet Users] Re: Using puppet on a private network?
Also, you can set up an administrative VLAN with split DNS which should solve your problems. Just bind your Xen interfaces to the appropriate VLAN and away you go. Not out of band, but technically private.

Trevor

On Tue, Apr 8, 2008 at 8:36 AM, Larry Ludwig <larrylud@gmail.com> wrote:
> So you set this name in puppetd config BEFORE you start (which
> creates the cert)?
On Tue, Apr 8, 2008 at 5:36 AM, Larry Ludwig <larrylud@gmail.com> wrote:
> So you set this name in puppetd config BEFORE you start (which
> creates the cert)?

Yes.

There's no necessary relationship between certname and hostname on the client though.

We use UUIDs for our certnames.

--
Nigel Kersten
Systems Administrator
MacOps
Ok thanks.

On Apr 10, 4:29 pm, "Nigel Kersten" <nig...@google.com> wrote:
> There's no necessary relationship between certname and hostname on the
> client though.
>
> We use UUIDs for our certnames.
Sorry to be a pain about this... I actually set this up per instructions. I still get:

Apr 11 14:25:16 devcentos46 puppetd[19317]: Could not retrieve catalog: Certificates were not trusted: certificate verify failed

I have certname=node.privatename set to the private network.

On the puppetmaster I have:

bindaddress=puppet.privatename
certname=puppet.privatename

A netstat -anp shows it's listening on the proper IP address/port.

What am I doing wrong?
Fixed it: either deleting the /var/lib/puppet/ssl folder or in [puppetd] adding:

bindaddress=node.privatename

On Apr 11, 2:28 pm, Larry Ludwig <larry...@gmail.com> wrote:
> I still get:
>
> Apr 11 14:25:16 devcentos46 puppetd[19317]: Could not retrieve
> catalog: Certificates were not trusted: certificate verify failed
>
> What am I doing wrong?
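The settings this thread converges on (certname on the client and bindaddress on the master from huangmingyou's reply, plus the client-side bindaddress and the cleared /var/lib/puppet/ssl folder from the last message) can be checked before puppetd is ever started, which avoids the "certificate verify failed" round trip. The script below is an added example, not code from the thread or from Puppet itself: it assumes the 0.24-era puppet.conf layout with [puppetd] and [puppetmasterd] sections, and the puppet.conf text, the netstat -anp excerpt, the host names and the 10.0.0.5 address are all constructed for the example.

```python
import configparser

# Constructed puppet.conf (not copied from the thread) in the layout Puppet 0.24
# used: [puppetd] for the client daemon, [puppetmasterd] for the master.
EXAMPLE_CONF = """\
[main]
ssldir = /var/lib/puppet/ssl

[puppetd]
certname = node.privatename
bindaddress = node.privatename
server = puppet.privatename

[puppetmasterd]
certname = puppet.privatename
bindaddress = puppet.privatename
"""

# Constructed `netstat -anp` excerpt: a master bound only to a private address.
EXAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:8140           0.0.0.0:*               LISTEN      1234/ruby
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      999/sshd
"""

# bindaddress values that mean "every interface", i.e. the public side too.
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Parse puppet.conf; interpolation is off because values may contain '$'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_conf(text, public_hostname, existing_cert_cn=None):
    """Return a list of findings (empty when the private-network setup is consistent).

    public_hostname  -- what uname/hostname reports, i.e. the public name
    existing_cert_cn -- CN of a cert already under $ssldir/certs, or None if none
    """
    cp = parse_conf(text)
    client = cp["puppetd"] if cp.has_section("puppetd") else {}
    master = cp["puppetmasterd"] if cp.has_section("puppetmasterd") else {}
    findings = []

    certname = client.get("certname")
    if not certname:
        findings.append("client: no certname; the cert would be requested for the public "
                        "hostname %s" % public_hostname)
    elif certname == public_hostname:
        findings.append("client: certname %s is the public hostname; use the private name"
                        % certname)

    # A cert generated under an earlier name is a stale credential: the master
    # will not trust it for the new certname, and it must be cleared, not reused.
    if existing_cert_cn is not None and certname and existing_cert_cn != certname:
        findings.append("client: cached cert CN %s != certname %s; clear $ssldir so "
                        "puppetd requests a new cert" % (existing_cert_cn, certname))

    # The client verifies the master's cert against the name it connected to.
    server = client.get("server")
    master_cn = master.get("certname")
    if server and master_cn and server != master_cn:
        findings.append("client: server=%s but master certname=%s; the master cert will "
                        "not verify for that name" % (server, master_cn))

    bind = master.get("bindaddress")
    if not bind or bind in WILDCARD_BINDS:
        findings.append("master: bindaddress unset or wildcard; the master also listens "
                        "on the public interface")

    return findings


def check_listeners(netstat_output, private_ip, port=8140):
    """Return the addresses on which `port` is in LISTEN state other than private_ip."""
    unexpected = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        addr, _, p = fields[3].rpartition(":")
        if p == str(port) and addr != private_ip:
            unexpected.append(addr)
    return unexpected


if __name__ == "__main__":
    # Simulate the thread's failure: a cert left over under the public name.
    for finding in check_conf(EXAMPLE_CONF, "node.publicname",
                              existing_cert_cn="node.publicname"):
        print(finding)
    print("unexpected listeners:", check_listeners(EXAMPLE_NETSTAT, "10.0.0.5"))
```

Run it against the real puppet.conf and the real netstat output on each box (read the cert CN with `openssl x509 -noout -subject` on the file under $ssldir/certs); an empty list from both functions is the state the thread ends in, while a stale-CN finding is the situation the last message fixed by removing the ssl folder.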