Hubert Krause
2009-Nov-13  14:40 UTC
[Puppet Users] Multihomed puppet-server Multidomain SSL Problem
Hello List,

I have a problem with the CA on my Puppetmaster. This Puppetmaster is connected to different networks with different sub-domain names. The Puppet clients connect via different interfaces. There is no routing between the subnets. Only one subnet can connect successfully. This is because the subject in the certificate is the name of this subnet. All other clients get:

Could not retrieve catalog: Certificates were not trusted: hostname not match with the server certificate

If I use just the hostname, no client can connect successfully. It seems that there is always the need for a single FQDN.

The puppetmaster is served via Passenger and Apache2.

Is there a way to use the nice-to-use puppetca tool in this scenario, or do I have to provide as many CAs as I have subnets and do cert signing by hand? Or is there another solution?

Any hints will be very welcome.

Cheers,

Hubert
--
Hubert Krause
Risk & Fraud Division
INFORM GmbH, Pascalstraße 23, 52076 Aachen, Germany
Phone: +49 24 08 - 94 56 188
E-Mail: hubert.krause@inform-ac.com, Web: http://www.inform-ac.com
INFORM Institut fuer Operations Research und Management GmbH
Registered AmtsG Aachen HRB1144 Gfhr. Adrian Weiler

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
Christopher Webber
2009-Nov-13  22:19 UTC
[Puppet Users] Re: Multihomed puppet-server Multidomain SSL Problem
I would love to see an answer to this as well. I have basically ended up just adding an entry to /etc/hosts to make it possible to connect to the secondary interface.

--
cwebber

On Nov 13, 2009, at 6:40 AM, Hubert Krause wrote:

> Hello List,
>
> I have a problem with the CA on my Puppetmaster. This Puppetmaster is connected to different networks with different sub-domain names. The Puppet clients connect via different interfaces. There is no routing between the subnets. Only one subnet can connect successfully. This is because the subject in the certificate is the name of this subnet. All other clients get:
>
> Could not retrieve catalog: Certificates were not trusted: hostname not match with the server certificate
>
> If I use just the hostname, no client can connect successfully. It seems that there is always the need for a single FQDN.
>
> The puppetmaster is served via Passenger and Apache2.
>
> Is there a way to use the nice-to-use puppetca tool in this scenario, or do I have to provide as many CAs as I have subnets and do cert signing by hand? Or is there another solution?
>
> Any hints will be very welcome.
>
> Cheers,
>
> Hubert
> --
> Hubert Krause
> Risk & Fraud Division
> INFORM GmbH, Pascalstraße 23, 52076 Aachen, Germany
> Phone: +49 24 08 - 94 56 188
> E-Mail: hubert.krause@inform-ac.com, Web: http://www.inform-ac.com
> INFORM Institut fuer Operations Research und Management GmbH
> Registered AmtsG Aachen HRB1144 Gfhr. Adrian Weiler
Paul Lathrop
2009-Nov-13  22:24 UTC
[Puppet Users] Re: Multihomed puppet-server Multidomain SSL Problem
On Fri, Nov 13, 2009 at 6:40 AM, Hubert Krause <hubert.krause@inform-ac.com> wrote:

> Hello List,
>
> I have a problem with the CA on my Puppetmaster. This Puppetmaster is connected to different networks with different sub-domain names. The Puppet clients connect via different interfaces. There is no routing between the subnets. Only one subnet can connect successfully. This is because the subject in the certificate is the name of this subnet. All other clients get:
>
> Could not retrieve catalog: Certificates were not trusted: hostname not match with the server certificate
>
> If I use just the hostname, no client can connect successfully. It seems that there is always the need for a single FQDN.
>
> The puppetmaster is served via Passenger and Apache2.
>
> Is there a way to use the nice-to-use puppetca tool in this scenario, or do I have to provide as many CAs as I have subnets and do cert signing by hand? Or is there another solution?

You are looking for the puppetmasterd config option certdnsnames. You will have to re-generate your certificates to get this working:

1) Stop puppetmasterd
2) rm -rf /var/lib/puppet/ssl
3) In your puppet.conf file, under the [puppetmasterd] section, add
   certdnsnames = "colon:separated:list:of:dns:names"
4) Start puppetmasterd

Then you'll have to clear the ssl dirs on all the clients as well.

--Paul
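The fix above works because the client compares the name it dialled against the names the server certificate carries: a CN on its own vouches for one FQDN, whereas certdnsnames places every additional name into the certificate's subjectAltName extension. The Ruby script below is an added example, not code from the thread or from Puppet: it builds a CN-only certificate and a certificate with a subjectAltName, then runs both through OpenSSL::SSL.verify_certificate_identity, the stdlib routine Net::HTTP's post_connection_check calls and the source of the "hostname not match with the server certificate" message, so you can see which names each certificate satisfies before regenerating anything on a real master. The certname puppet.a.example.com, the other two hostnames and the colon-separated certdnsnames value are made-up inputs. The master's own certname is included in the SAN list on purpose: once a verifier finds DNS names in the SAN it uses those rather than the CN, so leaving the certname out of the list would break the subnet that worked before. Treat the list as the set of names the certificate vouches for and keep it to the addresses the master actually answers on.

```ruby
require 'openssl'

# Turn the [puppetmasterd] certdnsnames value (colon-separated, as in the
# reply above) plus the master's certname into the full list of DNS names
# the master certificate must carry. Hypothetical inputs, not read from
# any real puppet.conf.
def expected_master_names(certname, certdnsnames)
  ([certname] + certdnsnames.to_s.split(':'))
    .map { |n| n.strip.downcase }
    .reject(&:empty?)
    .uniq
end

# Build a self-signed certificate with CN=cn. When dns_names is non-empty,
# add them as dNSName entries in subjectAltName, which is what certdnsnames
# does for the master certificate. Self-signed is enough here: only identity
# matching is exercised, not chain validation against the Puppet CA.
def build_cert(cn, dns_names = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless dns_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = dns_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# The dNSName entries a certificate actually carries, for inspection.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '') }
end

# The identity check a Ruby client performs after the TLS handshake
# (Net::HTTP -> SSLSocket#post_connection_check -> this routine).
def identity_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Map each client-facing name to whether the certificate satisfies it.
def coverage(cert, hostnames)
  hostnames.each_with_object({}) { |h, acc| acc[h] = identity_ok?(cert, h) }
end

if __FILE__ == $0
  names = expected_master_names('puppet.a.example.com',
                                'puppet.b.example.com:puppet.c.example.com')
  cn_only = build_cert('puppet.a.example.com')
  multi   = build_cert('puppet.a.example.com', names)
  puts "CN only:      #{coverage(cn_only, names)}"
  puts "certdnsnames: #{coverage(multi, names)}"
end
```

Running it prints one hash per certificate: the CN-only certificate is true for puppet.a.example.com and false for the other two, which is exactly the failure the clients on the other subnets report; the certificate carrying the SAN is true for all three. The same coverage check can be pointed at the real master certificate (OpenSSL::X509::Certificate.new(File.read(path))) after the regeneration to confirm every subnet name is present before the clients are re-enrolled.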