Hello All,

Question: Does anyone use puppet with "shortnames" for hostname on the client nodes as opposed to fqdn? I noticed that the ssl cert needs to be a fqdn in order to work. Would having shortname for hostname, and using fqdn just as an alias in DNS, work? If anyone uses a setup like this, please let me know, and share your config. :)

For now, this is what I've come up with: I use fqdn for hostname just to sign the cert, then I revert back to the shortname version. So far, it's ok, but it's a bit cumbersome and I'd like to see how other ppl deal with this.

Cheers,

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Tue, Nov 2, 2010 at 7:32 AM, CraftyTech <hmmedina@gmail.com> wrote:
> Hello All,
>
> Question: Does anyone use puppet with "shortnames" for hostname
> on the client nodes as opposed to fqdn? I noticed that the ssl cert
> needs to be a fqdn in order to work. Would having shortname for
> hostname, and using fqdn just as an alias in DNS, work? If anyone
> uses a setup like this, please let me know, and share your config. :)
>
> For now, this is what I've come up with: I use fqdn for hostname
> just to sign the cert, then I revert back to the shortname version.
> So far, it's ok, but it's a bit cumbersome and I'd like to see how other
> ppl deal with this.

You know you can set the 'certname' parameter independently of the hostname? and then you won't need to jump through these hoops.

> Cheers,

--
Nigel Kersten - Puppet Labs - http://www.puppetlabs.com

Thanks Nigel. That worked out pretty good.

Cheers,

On Nov 2, 10:43 am, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Tue, Nov 2, 2010 at 7:32 AM, CraftyTech <hmmed...@gmail.com> wrote:
> > Hello All,
> >
> > Question: Does anyone use puppet with "shortnames" for hostname
> > on the client nodes as opposed to fqdn? I noticed that the ssl cert
> > needs to be a fqdn in order to work. Would having shortname for
> > hostname, and using fqdn just as an alias in DNS, work? If anyone
> > uses a setup like this, please let me know, and share your config. :)
> >
> > For now, this is what I've come up with: I use fqdn for hostname
> > just to sign the cert, then I revert back to the shortname version.
> > So far, it's ok, but it's a bit cumbersome and I'd like to see how other
> > ppl deal with this.
>
> You know you can set the 'certname' parameter independently of the
> hostname? and then you won't need to jump through these hoops.
>
> > Cheers,
>
> --
> Nigel Kersten - Puppet Labs - http://www.puppetlabs.com

On Nov 2, 2010, at 10:32 AM, CraftyTech wrote:
> Question: Does anyone use puppet with "shortnames" for hostname
> on the client nodes as opposed to fqdn? I noticed that the ssl cert
> needs to be a fqdn in order to work. Would having shortname for
> hostname, and using fqdn just as an alias in DNS, work?

All of our (RHEL5) systems have their hostname set to their hostname (crazy!), but the Puppet client always generates certs based on the FQDN anyway. I'm not sure how, honestly, but I haven't done anything special. The client is an RPM straight from EPEL.

--
Rob McBroom
<http://www.skurfer.com/>

On Wed, Nov 3, 2010 at 6:35 AM, Rob McBroom <mailinglist0@skurfer.com> wrote:
> On Nov 2, 2010, at 10:32 AM, CraftyTech wrote:
>
>> Question: Does anyone use puppet with "shortnames" for hostname
>> on the client nodes as opposed to fqdn? I noticed that the ssl cert
>> needs to be a fqdn in order to work. Would having shortname for
>> hostname, and using fqdn just as an alias in DNS, work?
>
> All of our (RHEL5) systems have their hostname set to their hostname (crazy!), but the Puppet client always generates certs based on the FQDN anyway. I'm not sure how, honestly, but I haven't done anything special. The client is an RPM straight from EPEL.

Unless configured to use something else, puppet uses the fqdn fact when creating certificates, not the hostname fact.

If you really want to make this work, check out the --certdnsnames option to puppetca, which allows you to add X.509 alternate names to a certificate. Each alternate name could then be a name alias or CNAME record.

You may want to do a bit of reading on SSL certificate verification checks. Puppet follows this established process for verifying if an SSL certificate is valid or not.

Hope this helps,

--
Jeff McCune
http://www.puppetlabs.com/
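
Added example, not part of the thread and not Puppet's own code: a simplified sketch of the host-name check used in standard certificate verification, showing why a short name fails against an FQDN-only certificate and passes once it is listed as an alternate name. The certificate dicts (shaped like the output of Python's ssl.SSLSocket.getpeercert()) and all host names are constructed samples.

```python
# Added example: simplified RFC 2818-style host-name matching.
# Not Puppet's implementation; all certificates below are constructed samples.

def cert_names(cert):
    """Return the names a verifier may match the requested host against.

    dNSName entries in subjectAltName take precedence; the subject CN is
    consulted only when the certificate carries no dNSName at all.
    """
    san = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Compare label by label; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        p, h = p[1:], h[1:]
    return p == h


def verify_host(cert, host):
    """True if any name presented by the certificate matches the host."""
    return any(name_matches(n, host) for n in cert_names(cert))


# Certificate issued for the FQDN only (the default described in the thread).
FQDN_ONLY = {"subject": ((("commonName", "web01.example.com"),),)}

# Same node with the short name and a CNAME added as alternate names.
# The FQDN is repeated in the list because the CN is ignored once any
# dNSName is present.
WITH_ALT_NAMES = {
    "subject": ((("commonName", "web01.example.com"),),),
    "subjectAltName": (("DNS", "web01.example.com"),
                       ("DNS", "web01"),
                       ("DNS", "puppet-client.example.com")),
}
```

With these samples, verify_host(FQDN_ONLY, "web01") is False while verify_host(WITH_ALT_NAMES, "web01") is True; a certificate whose alternate names omit the FQDN would stop matching the FQDN even though it is still the CN.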