Rob McBroom
2008-Oct-10 14:10 UTC
[Puppet Users] puppetmaster hostname sniffing on startup
Hello. I'm using the standard puppetmaster package under Debian etch (which seems to be 0.20.1). I'm wondering if the behavior I'm seeing is standard for puppetmaster, or if it's specific to the Debian package (so I know who to complain to).

The problem is that puppetmaster uses a cert based on the machine's hostname. I would like the cert to contain the machine's FQDN instead, since this is how the clients will connect and the names need to match for SSL negotiation to succeed.

I thought I had gotten around this by temporarily setting the machine's hostname to its FQDN and starting puppetmaster, then changing the hostname back, but it seems that puppetmaster re-evaluates the name every time it starts and generates/uses a new cert based on hostname if it doesn't already have one, so it's still using just the hostname in the cert.

The clients could just use the hostname in theory, but the cert created based on hostname ends up containing "foo." instead of "foo", and there's no way that will ever resolve on the client.

Also, I've tried setting this in puppet.conf:

[puppetmasterd]
certname=foo.domain.tld

But it doesn't seem to do anything. So, how can I get puppetmaster to use the FQDN instead of the hostname? Thanks.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Peter Meier
2008-Oct-10 17:30 UTC
[Puppet Users] Re: puppetmaster hostname sniffing on startup
Hi

> Hello. I'm using the standard puppetmaster package under Debian etch
> (which seems to be 0.20.1). I'm wondering if the behavior I'm seeing
> is standard for puppetmaster, or if it's specific to the Debian
> package (so I know who to complain to).
>
> The problem is that puppetmaster uses a cert based on the machine's
> hostname. I would like the cert to contain the machine's FQDN instead,
> since this is how the clients will connect and the names need to match
> for SSL negotiation to succeed.
>
> I thought I had gotten around this by temporarily setting the
> machine's hostname to its FQDN and starting puppetmaster, then
> changing the hostname back, but it seems that puppetmaster
> re-evaluates the name every time it starts and generates/uses a new cert
> based on hostname if it doesn't already have one, so it's still using
> just the hostname in the cert.
>
> The clients could just use the hostname in theory, but the cert
> created based on hostname ends up containing "foo." instead of "foo",
> and there's no way that will ever resolve on the client.
>
> Also, I've tried setting this in puppet.conf:
>
> [puppetmasterd]
> certname=foo.domain.tld
>
> But it doesn't seem to do anything. So, how can I get puppetmaster to
> use the FQDN instead of the hostname? Thanks.

Your version is heavily out of date. I would use apt-pinning to get the version from sid (which is the last stable release of reductivelabs), or use backports to get the latest one.

There have been a lot of changes since this version and the configuration reference on the page is only referring to the last version. So it could easily be that this option has been introduced later or had problems in this version.

0.24.5 has really many cool new features, you otherwise would certainly miss!

greets pete
Luke Kanies
2008-Oct-13 15:06 UTC
[Puppet Users] Re: puppetmaster hostname sniffing on startup
On Oct 10, 2008, at 9:10 AM, Rob McBroom wrote:

> Hello. I'm using the standard puppetmaster package under Debian etch
> (which seems to be 0.20.1). I'm wondering if the behavior I'm seeing
> is standard for puppetmaster, or if it's specific to the Debian
> package (so I know who to complain to).
>
> The problem is that puppetmaster uses a cert based on the machine's
> hostname. I would like the cert to contain the machine's FQDN instead,
> since this is how the clients will connect and the names need to match
> for SSL negotiation to succeed.

More recent versions have a --certname switch you can use to specify the name you want used.

--
Life is like playing a violin in public and learning the instrument as one goes on. -- Samuel Butler
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
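
The name mismatch discussed in this thread, reproduced as an added example that is not part of any poster's message and is not Puppet's own code. It builds throwaway self-signed certificates with the names from the thread ("foo." and "foo.domain.tld") and runs them through the hostname check in Ruby's standard OpenSSL library; that a given Puppet client version applies exactly this check is an assumption.

```ruby
require 'openssl'

# One throwaway key for all constructed test certificates below.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate whose only name is the subject CN `cn`
# (no subjectAltName), standing in for the master's generated cert.
def self_signed_cert(cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = cert.subject
  cert.public_key = DEMO_KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(DEMO_KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# True when Ruby's hostname check accepts `cert` for a client that
# connects to `server_name`.
def name_matches?(cert, server_name)
  OpenSSL::SSL.verify_certificate_identity(cert, server_name)
end

# Names from the thread: what the cert contains vs. what clients use.
def thread_cases
  [
    ['foo.',           'foo.domain.tld'],
    ['foo.',           'foo'],
    ['foo.domain.tld', 'foo.domain.tld'],
    ['foo.domain.tld', 'foo']
  ].map { |cn, name| [cn, name, name_matches?(self_signed_cert(cn), name)] }
end

if __FILE__ == $PROGRAM_NAME
  thread_cases.each do |cn, name, ok|
    puts format('cert CN=%-15s client connects to %-15s %s',
                cn, name, ok ? 'match' : 'MISMATCH')
  end
end
```

Only the certificate issued for the FQDN passes, and only when clients are configured with that same FQDN as the server name.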