Hi,

I'm rolling out a new Puppet install and am having some problems with certs. I've googled and read the docs but can't find anything.

Almost all boxes on the network are dual-homed, with a primary network (VLAN, /27 subnet) for public data and an admin/management network for backups and other backend stuff. All hosts have a primary interface on the main network (and their "real" hostname resolves to that IP) and a second interface on the admin network, with the DNS name for that IP like "hostname"-mgmt.

I have puppet set up on a few clients and one puppetmaster (named puppet, with a name of puppet-mgmt on the second network). All of the clients (I've set up 4 so far) pull their configs from the master fine, either running `puppetd --no-daemonize --verbose --listen --server=puppet-mgmt.mydomain.com` or through the init script. Each host has certname= specified in their puppet.conf [puppetd] section as the FQDN, and also has certdnsnames= hostname-mgmt.mydomain.com defined there.

However, when I try (from the puppetmaster) to puppetrun --host=hostname.mydomain.com, I get a HTTP-Error 500 from puppetrun and in the client logs, I see:

    notice: Denying unauthenticated client puppet.mydomain.com(192.168.0.10) access to puppetrunner.run

The one thing that I've noticed is that in /var/lib/puppet/ssl on the clients, there's no server cert, and the CA cert only has the main network FQDN, not the "-mgmt" name.

Any ideas? Where should I be looking? And is there any way to get *seriously* verbose debugging information? I even tried running puppetd with "--trace", but I never get anything more than "notice: Denying unauthenticated client"

Thanks,
Jason Antman

Scott Smith
2009-Jun-24 21:05 UTC
[Puppet Users] Re: puppetrun and certs - CA certdnsnames?
Jason Antman wrote:
> Any ideas? Where should I be looking? And is there any way to get
> *seriously* verbose debugging information? I even tried running puppetd

localtime differences?

-scott