This is a little hairy. I'm trying to do something that I don't think should be too hard, but I simply can't figure out how to get SSL not to choke on it.
What I want: I have a puppetmasterd and a puppetd, both running on the same host. I want the puppetmaster to run its config out of a non-standard directory, used only for puppetmastery things, and for the client to use a standard directory (or a different nonstandard one, doesn't matter to me), and keep its cached/client config entirely separate from the puppetmaster's.
The goal of that is, if I moved the puppetmaster to another machine, I'd want to just be able to rsync the puppetmaster's confdir, repoint the puppet CNAME, and be done, without any clients being any the wiser.
So far so good. I was running puppet-0.22.4 (both client and server), and this was working fine. But I had to upgrade to catch an unrelated year-old bugfix which is important for my setup. So, now I'm trying puppet-0.24.4, and seeing a lot of problems, mostly revolving around the dread certificate error:
err: Could not retrieve catalog: Certificates were not trusted: hostname was not match
Specifics about my setup, and what I know:
* I have configured puppetmaster with:
    [puppetmasterd]
    certname = puppet.example.com
* Puppetmaster is successfully creating certificates, private keys, csrs, etc, with the name puppet.example.com.pem
* If I do:
    # puppetd --test --waitforcert 60
    # puppetca --confdir <altconf> --sign realhostname.example.com
  then I do, in fact, wind up with a file <altconf>/ssl/ca/signed/realhostname.example.com.pem which seems good.
* However, if I then run the client again, I get the "hostname was not match" error. Also, if I'm running puppetmasterd with --debug, I see no output at this point, and tcpdump sees nothing hitting port 8140. I think what this means is that the puppet client is determining that its own hostname doesn't match what it expects, and refusing to try to contact the server. But that's a guess, obviously.
So, I've been doing a bit of source diving, but I don't know ruby. My hypothesis is that the client is somehow determining that it is also the server, and therefore trying to find a certificate under the name puppet.example.com, rather than under its own name. But I have no evidence for that, and I tried copying all of the various puppet.example.com.pem files into /var/lib/puppet/ssl in what I think are the right places, and the error did not change.
Anyone have any thoughts about this at all? I'd prefer workarounds involving manually copying certs or invoking the client with different flags to workarounds involving making the client use the server's ssldir. And I'd most of all prefer getting puppet to treat puppetd as a separate entity from puppetmasterd, which, as noted, worked fine in 0.22.4. But, at this point, I'd mostly just like to get this working again at all without having to downgrade to 0.22.4.
Thanks in advance.
Chaos
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
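The "Certificates were not trusted: hostname was not match" error the post quotes is the generic shape of a TLS identity failure: a certificate either does not chain to the CA the client trusts, or it chains fine but its subject name is not the name the client expects. The Ruby below is an added example, not Puppet's code and not from the poster; it builds a throwaway CA and certificates in memory (all names and serials are constructed for the example) and applies the two checks a TLS peer performs, so you can see which one the quoted error corresponds to and how to compare the CN in a signed .pem against the name a client is going to look for.

```ruby
require 'openssl'

# Build a certificate signed by issuer_key (or self-signed when issuer_cert is nil).
# Constructed sample data for the example; nothing here is read from a Puppet ssldir.
def make_cert(subject_cn, issuer_cert, issuer_key, serial, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so extensions are allowed
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # A CA certificate must carry CA:TRUE or the store will refuse to chain through it.
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# The CA the client trusts, plus one cert for the agent and one for the master.
CA_CERT, CA_KEY = make_cert("Puppet CA: puppet.example.com", nil, nil, 1, ca: true)
CLIENT_CERT, CLIENT_KEY = make_cert("realhostname.example.com", CA_CERT, CA_KEY, 2)
SERVER_CERT, SERVER_KEY = make_cert("puppet.example.com", CA_CERT, CA_KEY, 3)

# A second, untrusted CA that also issues a cert with the agent's name (hypothetical,
# to show that a matching name alone is not enough).
OTHER_CA_CERT, OTHER_CA_KEY = make_cert("Some other CA", nil, nil, 4, ca: true)
ROGUE_CERT, _ = make_cert("realhostname.example.com", OTHER_CA_CERT, OTHER_CA_KEY, 5)

# Pull the CN out of a PEM string, e.g. File.read("<altconf>/ssl/ca/signed/<host>.pem").
def subject_cn(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  entry = cert.subject.to_a.find { |name, _value, _type| name == "CN" }
  entry && entry[1]
end

# Check a certificate the way a TLS client does: first that it chains to the trusted
# CA, then that its name matches the name we expect. Returns :ok, :untrusted or
# :hostname_mismatch so the caller can tell the two failures apart.
def check_cert(cert, expected_name, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  return :untrusted unless store.verify(cert)
  # Matches subjectAltName first and falls back to the CN when there is none.
  return :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, expected_name)
  :ok
end

if $PROGRAM_NAME == __FILE__
  puts "signed cert CN: #{subject_cn(CLIENT_CERT.to_pem)}"
  puts "agent cert as realhostname: #{check_cert(CLIENT_CERT, 'realhostname.example.com', CA_CERT)}"
  puts "agent cert as puppet:       #{check_cert(CLIENT_CERT, 'puppet.example.com', CA_CERT)}"
  puts "master cert as puppet:      #{check_cert(SERVER_CERT, 'puppet.example.com', CA_CERT)}"
  puts "rogue cert as realhostname: #{check_cert(ROGUE_CERT, 'realhostname.example.com', CA_CERT)}"
end
```

The useful diagnostic for the situation in the post is the middle case: a certificate that the CA did sign, presented under a name it was not issued for, fails with a hostname mismatch rather than an untrusted-certificate error, and no network traffic is needed to hit that failure. Running subject_cn over the signed file in <altconf>/ssl/ca/signed/ and over whatever the client has in its own ssldir shows whether the two sides agree on which name the agent certificate carries.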