Gabriel - IP Guys
2010-Apr-29 11:27 UTC
[Puppet Users] Hostname was not a match with the server certificate -- Arrgh!
On the client

Client #] puppetd --test --trace

http://pastebin.com/eft1Qmuv

Full output of the command is above, last three lines,

# err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
# warning: Not using cache on failed catalog
# err: Could not retrieve catalog; skipping run

I have attempted to track down where this problem is coming from. DNS is set up correctly. No host names have been changed, so I am at a loss as to how such a mistake could be made. But then, I am just believing the text of the error message.

Puppet.domain.com puppetmaster.domain.com both point to the correct machine. The client can connect to the server with no problem, and also vice versa. The firewall is relaxed sufficiently on both client and server for puppet to communicate. Both systems are on the same network switch, all other networking services work pretty much perfectly.

Any assistance will be highly appreciated, I have numerous crates of virtual beer I will gladly send your way, and for the non-drinkers, I have a delightful selection of virtual foods from around the world which I can send your way ☺

**** Next paragraph is the long dormant student in me happy at the chance to learn something so powerful, with great power comes great responsibility, (yeah, right, whatever, I just want to be able to bring up a MySQL cluster in 5 minutes, and watch my dev team's face!) ****

I am prepared to LEARN puppet! Please teach me! I have even gone to YouTube to attempt to locate some video tutorials, but alas, no luck. (I was distracted by 45 minutes of people scaring the life out of other folks), This list, and IRC are my only hope to become a puppet master – I’ve even got that book, Pulling Strings with Puppet. I did notice a lot of advice in that book that isn’t really reflected in a number of examples on the net, (unless I’m too slow to recognize the patterns).

Anyway, I will stop rambling now – I think puppet is the future, and I am desperate to learn and understand, so feel free to refer me to websites, blogs, forums, amazon, (book purchases!), and google, (in case I missed an obvious search!)

Now, back to my original issue! Oh, I am on IRC, irc.freenode.org lurking in the #puppet room ☺

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Peter Meier
2010-Apr-29 13:16 UTC
Re: [Puppet Users] Hostname was not a match with the server certificate -- Arrgh!
> Puppet.domain.com puppetmaster.domain.com both point to the correct
> machine. The client can connect to the server with no problem, and
> also vice versa. The firewall is relaxed sufficiently on both client
> and server for puppet to communicate. Both systems are on the same
> network switch, all other networking services work pretty much
> perfectly.

Do they both have the time synced correctly? This problem is also often buried in this error message.

cheers pete
Gabriel - IP Guys
2010-Apr-29 13:20 UTC
RE: [Puppet Users] Hostname was not a match with the server certificate -- Arrgh!
-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Peter Meier
Sent: Thursday, April 29, 2010 2:16 PM
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Hostname was not a match with the server certificate -- Arrgh!

> Puppet.domain.com puppetmaster.domain.com both point to the correct
> machine. The client can connect to the server with no problem, and
> also vice versa. The firewall is relaxed sufficiently on both client
> and server for puppet to communicate. Both systems are on the same
> network switch, all other networking services work pretty much
> perfectly.

Do they both have the time synced correctly? This problem is also often buried in this error message.

cheers pete

--

There is NO way it is that simple!? I did notice that the time had drifted on the VM machine, (known issue for VMs), and I have put in place my own script to fix that. The time is now in sync, but I believe that it was not at the time of the initial configuration. Does this mean that I have to rebuild, or can I recover from this?
Brice Figureau
2010-Apr-29 13:32 UTC
Re: [Puppet Users] Hostname was not a match with the server certificate -- Arrgh!
On Thu, 2010-04-29 at 12:27 +0100, Gabriel - IP Guys wrote:
> On the client
>
> Client #] puppetd --test --trace
>
> http://pastebin.com/eft1Qmuv
>
> Full output of the command is above, last three lines,
>
> # err: Could not retrieve catalog from remote server: hostname was not
> match with the server certificate
> # warning: Not using cache on failed catalog
> # err: Could not retrieve catalog; skipping run
>
> [snip]

When the client connects to the master, it checks the server certificate in 3 ways:

* it should have been signed by the same CA
* it should be valid (i.e. not expired)
* the advertised server certificate CN should match the hostname used to connect to the server (or any other subjectAltName).

When you launch puppetd, it connects to puppet.<search>, which usually resolves to puppet.domain.com. If your server certificate doesn't contain a CN and/or subjectAltName of puppet.domain.com, then this error is thrown.

The mismatch can happen when your puppet master is in a different domain than the client. When the master generates its server certificate it uses:

* its fqdn as CN
* puppet.$domain in subjectAltName, where $domain is what the current machine has

If $domain on the master is different on the master and the client, the mismatch will happen. This is always true if your master is multi-homed and can be accessed from several networks using different domains. In this case you need to generate the server certificate with the puppet master name in every domain with --certdnsname.

> Now, back to my original issue! Oh, I am on IRC, irc.freenode.org
> lurkin in the #puppet room ☺

What's your nickname?

--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
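The three checks listed in the message above, together with the clock question raised earlier in the thread, as an added example (not code from the thread or from Puppet). It builds a throwaway CA and master certificate with constructed names under example.com and reports which check fails for a given hostname and client clock; Ruby's current hostname matcher ignores the CN once a DNS subjectAltName is present, so every name is placed in subjectAltName here.

```ruby
require 'openssl'

# All names and times below are constructed for illustration.
ISSUED = Time.utc(2010, 4, 29, 11, 0, 0)

def make_cert(cn, key, not_before, issuer: nil, issuer_key: nil, san: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3, needed for extensions
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san.map { |n| "DNS:#{n}" }.join(','))) unless san.empty?
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Runs the three checks separately and returns the names of those that fail.
def diagnose(cert, ca_cert, hostname, client_clock)
  problems = []
  problems << :wrong_ca unless cert.verify(ca_cert.public_key)
  problems << :not_yet_valid if client_clock < cert.not_before
  problems << :expired if client_clock > cert.not_after
  # Ruby's matcher ignores the CN once a DNS subjectAltName is present.
  problems << :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  problems
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('Demo Puppet CA', CA_KEY, ISSUED)

# Master certificate: its own fqdn plus puppet.<master's domain>, plus any extras.
def master_cert(extra_names = [])
  names = ['master01.dc1.example.com', 'puppet.dc1.example.com'] + extra_names
  make_cert(names.first, OpenSSL::PKey::RSA.new(2048), ISSUED,
            issuer: CA_CERT, issuer_key: CA_KEY, san: names)
end

if __FILE__ == $PROGRAM_NAME
  p diagnose(master_cert, CA_CERT, 'puppet.dc2.example.com', ISSUED + 60)    # other domain
  p diagnose(master_cert, CA_CERT, 'puppet.dc1.example.com', ISSUED - 3600)  # clock behind
end
```

Passing the second domain's name to `master_cert` models a certificate reissued with the master's name in every domain, and the same hostname then passes.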
Alan McKay
2010-Apr-29 15:15 UTC
Re: [Puppet Users] Hostname was not a match with the server certificate -- Arrgh!
What version are you using? I just had the same issue with a 0.23 version and when I upgraded to 0.25 it went away

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"