Folks, could you please tell me how to set up a puppetmaster which is behind the NAT? I have the following setup:

* puppetmaster is running in a private network
* router of this private network is visible from the WAN (via FQDN) and it port-forwards 8140 to the machine running puppetmaster
* puppetmaster should manage both hosts in the private network and ones in the WAN
* machine running puppetmaster has a DNS name in the private network (something like puppetmaster.local) which is not the FQDN of the router

I managed to set up private network hosts to be managed by the puppetmaster and I even managed to sign the WAN hosts. But I can't make WAN hosts retrieve the puppetmaster catalog due to certificate issues. I have the following error:

Jun 30 16:20:02 puppetd[22640]: Could not retrieve catalog: Certificates were not trusted: hostname was not match with the server certificate

I guess it happens because puppetd clients are expecting the puppetmaster to have the FQDN of the router, which is not the case... Is there a workaround for this?

Thanks in advance.

-- 
Best regards,
Pavel

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Hi

> Jun 30 16:20:02 puppetd[22640]: Could not retrieve catalog:
> Certificates were not trusted: hostname was not match with the server
> certificate
>
> I guess it happens because puppetd clients are expecting the
> puppetmaster to have FQDN name of the router which is not the case...
> Is there a workaround for this?

I assume that you use a different FQDN internal and external, right? So then:

the puppet master's cert and CA needs to contain the public FQDN as well. Use certnames (see ConfigurationReference [1]) to include both domains, local and public. This will mean that you need to regenerate the certs, as well as re-sign all clients.

cheers pete

[1] http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference
> I assume that you use a different FQDN internal and external, right?

Exactly

> So then:
>
> the puppet masters cert and CA needs to contain the public FQDN as well.
> use certnames (see ConfigurationReference [1]) to include both domains,
> local and public. This will mean that you need to regenerate the certs,
> as well to resign all clients.

Thanks a lot, I'll give it a try right now and report back.

-- 
Best regards,
Pavel
> the puppet masters cert and CA needs to contain the public FQDN as well.
> use certnames (see ConfigurationReference [1]) to include both domains,
> local and public. This will mean that you need to regenerate the certs,
> as well to resign all clients.

Thanks again, it worked just fine. BTW, there is a typo, the required configuration option is called 'certdnsnames'. Here is what I did:

1) added 'certdnsnames' to the [puppetmasterd] section of the puppet.conf, something like this:

   certdnsnames = host1:host2

2) stopped master and clients on all hosts
3) moved $ssldir to $ssldir.bak on all hosts (in my case it was /var/lib/puppet/ssl)
4) restarted master and clients on all hosts
5) using puppetca signed all clients again

-- 
Best regards,
Pavel
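The error in the first post and the fix in the steps above both come down to the hostname check a TLS client runs against the server certificate: the name the client dialled (the router's public FQDN) must appear among the certificate's DNS names, and once the certificate carries any subjectAltName dNSName entries, only those are consulted, not the CN. The following Python is an added illustration of that check and of how a 'certdnsnames = host1:host2' value becomes the list of names the master's certificate must carry. It is example code, not part of Puppet or of anything posted in this thread; the internal name 'puppetmaster.local' is taken from the thread, while 'puppet.example.org' is a constructed placeholder for the router's public FQDN. It goes a little beyond the thread by also handling wildcard names the way RFC 6125 clients do (a single '*' as the whole left-most label, matching exactly one label).

```python
"""Model of the hostname-vs-certificate check behind the thread's
'hostname was not match with the server certificate' error.
Added example code, not from Puppet or from the mailing-list posts."""


def parse_certdnsnames(value):
    """Split a puppet.conf 'certdnsnames' value (colon separated, as in the
    thread: 'host1:host2') into the DNS names the master certificate will
    carry as subjectAltName dNSName entries."""
    return [n.strip().lower() for n in value.split(":") if n.strip()]


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one certificate name with the hostname
    the client dialled: case-insensitive, exact match, or a wildcard that
    is the entire left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only '*' as a whole left-most label is accepted, and a wildcard must
    # cover at least two further labels (no '*.org' style names).
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False  # '*' never spans more than one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, subject_cn, san_dns_names):
    """The client's decision. If the certificate has any SAN dNSName
    entries, only those are consulted; the subject CN is a fallback used
    only when there are none."""
    names = san_dns_names if san_dns_names else [subject_cn]
    return any(dns_name_matches(n, hostname) for n in names)


# Constructed scenario mirroring the thread: the master's certificate was
# issued for the internal name only, while WAN clients dial the router's
# public FQDN (placeholder value).
INTERNAL_NAME = "puppetmaster.local"
EXTERNAL_NAME = "puppet.example.org"  # placeholder for the router's FQDN


def before_fix():
    """Certificate with CN=puppetmaster.local and no SANs, as seen by a
    WAN client dialling the public FQDN."""
    return hostname_matches_cert(EXTERNAL_NAME, INTERNAL_NAME, [])


def after_fix():
    """Certificate regenerated with certdnsnames covering both names; both
    a private-network client and a WAN client must now be satisfied."""
    sans = parse_certdnsnames(INTERNAL_NAME + ":" + EXTERNAL_NAME)
    return (hostname_matches_cert(EXTERNAL_NAME, INTERNAL_NAME, sans)
            and hostname_matches_cert(INTERNAL_NAME, INTERNAL_NAME, sans))


if __name__ == "__main__":
    print("WAN client before fix:", before_fix())   # False
    print("both clients after fix:", after_fix())   # True
```

Two practical consequences follow from the SAN-first rule: the internal name has to be listed in certdnsnames too (a certificate with only the public name in its SANs would stop matching 'puppetmaster.local' even though that is the CN), and every name that is added becomes a name the CA is vouching for, so the list should be limited to the names clients really dial. In current Puppet releases the setting that carries these names is 'dns_alt_names'; 'certdnsnames' is the older name used in this thread.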
Hi

>> the puppet masters cert and CA needs to contain the public FQDN as well.
>> use certnames (see ConfigurationReference [1]) to include both domains,
>> local and public. This will mean that you need to regenerate the certs,
>> as well to resign all clients.
>
>
> Thanks again, it worked just fine. BTW, there is a typo, the required
> configuration option is called 'certdnsnames'. Here is what I did:

great! :)

Yeah, actually I didn't look in the reference and just guessed the name from my memory. Sometimes a few bytes get lost in my brain... ;)

cheers pete