Alex Peters
2010-Jan-16 02:11 UTC
[Puppet Users] puppetmaster on LAN, remote puppet client?
Hi,

Having followed a tutorial[1], I have puppetmaster successfully set up on my LAN and my two local machines pulling /etc/hosts from it.

I would like to use Puppet to manage a machine sitting on another LAN, accessed across the internet. I am struggling to get this to work, seemingly because of the discrepancies between FQDNs.

puppetmaster is running on "europa.kp113.lan" within my local network, and is accessible externally via XYZ.ath.cx:8140. The remote Puppet client is running on "ganymede.lp12.lan" within the remote LAN, and is configured to find the server at XYZ.ath.cx. I have signed the certificate for "ganymede.lp12.lan" on the master.

Subsequent Puppet runs on the remote client give me this:

# puppetd --test --debug --server XYZ.ath.cx
...
debug: Calling puppetca.getcert
warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
...
info: Retrieving plugins
debug: Calling fileserver.list
warning: Certificate validation failed; consider using the certname configuration option
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction: Certificates were not trusted: hostname was not match with the server certificate

I have tried fiddling with the "certname" configuration option at both ends, but I can't seem to get both local clients and the remote client working at the same time by doing so.

I have Googled, looked at the Reductive Labs Puppet FAQ[2], searched this group and consulted the "External Nodes" wiki page[3] for pointers to no avail.

All three machines concerned are running Ubuntu 9.10.

Any assistance in completing the setup described above would be greatly appreciated.

Cheers,
Alex

[1] http://www.devco.net/pubwiki/Puppet/GettingStarted
[2] http://reductivelabs.com/trac/puppet/wiki/FrequentlyAskedQuestions
[3] http://www.reductivelabs.com/trac/puppet/wiki/ExternalNodes
Dan Bode
2010-Jan-16 04:28 UTC
Re: [Puppet Users] puppetmaster on LAN, remote puppet client?
Hi,

On Fri, Jan 15, 2010 at 6:11 PM, Alex Peters <alex.peters@gmail.com> wrote:

> Hi,
>
> Having followed a tutorial[1], I have puppetmaster successfully set up
> on my LAN and my two local machines pulling /etc/hosts from it.
>
> I would like to use Puppet to manage a machine sitting on another LAN,
> accessed across the internet. I am struggling to get this to work,
> seemingly because of the discrepancies between FQDNs.
>
> puppetmaster is running on "europa.kp113.lan" within my local network,
> and is accessible externally via XYZ.ath.cx:8140. The remote Puppet
> client is running on "ganymede.lp12.lan" within the remote LAN, and is
> configured to find the server at XYZ.ath.cx. I have signed the
> certificate for "ganymede.lp12.lan" on the master.

there is an option that you can use to specify that a server should accept incoming requests from multiple dns names

try:

[puppetmasterd]
dnscertnames=europa.kp113.lan,XYZ.ath.cx

> Subsequent Puppet runs on the remote client give me this:
>
> # puppetd --test --debug --server XYZ.ath.cx
> ...
> debug: Calling puppetca.getcert
> warning: peer certificate won't be verified in this SSL session
> notice: Got signed certificate
> ...
> info: Retrieving plugins
> debug: Calling fileserver.list
> warning: Certificate validation failed; consider using the certname
> configuration option
> err: /File[/var/lib/puppet/lib]: Failed to generate additional
> resources during transaction: Certificates were not trusted: hostname
> was not match with the server certificate
>
> I have tried fiddling with the "certname" configuration option at both
> ends, but I can't seem to get both local clients and the remote client
> working at the same time by doing so.
>
> I have Googled, looked at the Reductive Labs Puppet FAQ[2], searched
> this group and consulted the "External Nodes" wiki page[3] for
> pointers to no avail.
>
> All three machines concerned are running Ubuntu 9.10.
>
> Any assistance in completing the setup described above would be
> greatly appreciated.
>
> Cheers,
> Alex
>
> [1] http://www.devco.net/pubwiki/Puppet/GettingStarted
> [2] http://reductivelabs.com/trac/puppet/wiki/FrequentlyAskedQuestions
> [3] http://www.reductivelabs.com/trac/puppet/wiki/ExternalNodes
Alex Peters
2010-Jan-16 06:52 UTC
[Puppet Users] Re: puppetmaster on LAN, remote puppet client?
On Jan 16, 3:28 pm, Dan Bode <d...@reductivelabs.com> wrote:

> there is an option that you can use to specify that a server should accept
> incoming requests from multiple dns names

Thanks for your response, Dan. The configuration item you mentioned seems to be part of what I need. This and further Googling got me to this configuration:

[puppetmasterd]
certname=XYZ.ath.cx
certdnsnames=puppet:puppet.kp113.lan:europa:europa.kp113.lan:XYZ.ath.cx

I'm not sure how much of that is necessary; I seemed to get certificate errors at the remote client end until I added the "certname" line, and when I had the "certdnsnames" line at just "puppet:XYZ.ath.cx" the client on this LAN wasn't happy (even though Puppet's docs say certdnsnames=puppet if not otherwise specified). If this is too verbose, please let me know.

I get occasional warnings on the master side like this:

"Could not find facts for XYZ; you probably have a discrepancy between the node and fact names"

It might be related, but it's also sporadic so who knows... :)

Cheers,
Alex
Dan Bode
2010-Jan-16 15:45 UTC
Re: [Puppet Users] Re: puppetmaster on LAN, remote puppet client?
Hi,

On Fri, Jan 15, 2010 at 10:52 PM, Alex Peters <alex.peters@gmail.com> wrote:

> On Jan 16, 3:28 pm, Dan Bode <d...@reductivelabs.com> wrote:
> > there is an option that you can use to specify that a server should accept
> > incoming requests from multiple dns names
>
> Thanks for your response, Dan. The configuration item you mentioned
> seems to be part of what I need. This and further Googling got me to
> this configuration:
>
> [puppetmasterd]
> certname=XYZ.ath.cx

this sets the actual name of the cert for the server, the certs would need to be wiped out for this to have any effect (by default this is set to `hostname`)

you can see cert creation when running the puppetmasterd at --verbose

> certdnsnames=puppet:puppet.kp113.lan:europa:europa.kp113.lan:XYZ.ath.cx

this sets the allowed names for connection.

> I'm not sure how much of that is necessary; I seemed to get
> certificate errors at the remote client end until I added the
> "certname" line, and when I had the "certdnsnames" line at just
> "puppet:XYZ.ath.cx" the client on this LAN wasn't happy (even though
> Puppet's docs say certdnsnames=puppet if not otherwise specified). If
> this is too verbose, please let me know.

you can always use --configprint to check the current option settings of any executable. To test the default for dnscertname, you could uncomment the option from the puppet.conf and run:

puppetmasterd --configprint certdnsnames

just a helpful tip because there are almost 1000 config params with 1000 default settings :)

> I get occasional warnings on the master side like this:
>
> "Could not find facts for XYZ; you probably have a discrepancy between
> the node and fact names"

It looks like this would be triggered when the server host checks in as a client (with puppetd). run puppetd --test on the client and verify that the output is triggered from this.

> It might be related, but it's also sporadic so who knows... :)
>
> Cheers,
> Alex

hope that helps,

Dan
worker bee
ReductiveLabs
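
The hostname mismatch discussed in this thread can be reproduced with plain OpenSSL; the script below is an added example, not part of the thread and not Puppet code. It assumes a "before" certificate that carries only the master's internal hostname and an "after" certificate named as in Alex's final configuration, both constructed as throwaway self-signed certificates, and the helper names make_cert, covers and report are made up for this example.

```shell
#!/bin/sh
# Constructed example: host names are taken from the thread; the certificates
# are throwaway self-signed ones, not certificates issued by a Puppet CA.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <stem> <common-name> [alt-names]
# alt-names is colon-separated, the same syntax as certdnsnames in the thread.
make_cert() {
    stem=$1 cn=$2 alt=$3
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\n'
        if [ -n "$alt" ]; then printf 'x509_extensions=ext\n'; fi
        printf '[dn]\nCN=%s\n' "$cn"
        if [ -n "$alt" ]; then
            # puppet:europa -> subjectAltName=DNS:puppet,DNS:europa
            printf '[ext]\nsubjectAltName=DNS:%s\n' \
                "$(printf '%s' "$alt" | sed 's/:/,DNS:/g')"
        fi
    } > "$WORK/$stem.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$stem.cnf" \
        -keyout "$WORK/$stem.key" -out "$WORK/$stem.pem" 2>/dev/null
}

# covers <stem> <hostname>: succeeds if the certificate is valid for that name.
covers() {
    openssl x509 -in "$WORK/$1.pem" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate'
}

# Assumption: "before" models a master certificate named only after its host.
make_cert before europa.kp113.lan ""
# "after" uses the certname and certdnsnames values from Alex's second message.
make_cert after XYZ.ath.cx \
    "puppet:puppet.kp113.lan:europa:europa.kp113.lan:XYZ.ath.cx"

# Show which server names a client could use with each certificate.
report() {
    for name in europa.kp113.lan puppet XYZ.ath.cx; do
        for cert in before after; do
            if covers "$cert" "$name"; then r="match"; else r="NO match"; fi
            printf '%-7s %-18s %s\n' "$cert" "$name" "$r"
        done
    done
}
report
```

The same `-checkhost` test can be pointed at the master's real certificate file to confirm that every name clients pass to `--server` is covered before changing `certname` or wiping certificates.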