Hi All

Apologies if this is obvious, but I'm a bit flaky around SSL certificates.

NB puppet version 0.25.5

We use the brilliant feature of certificates where you can have Alternate DNS names for a certificate, which is manifested in the puppet master config file as certdnsnames. All our clients connect to puppet-$location.example.com, and if $location is down, we can point the CNAME to another puppet server which has the original puppet-$location in the puppet server's certificate. All puppet servers get the same certificate. When we bring on a new DC, we just update the puppet hostcert certificates and send out via puppet.

Worked nicely in test, but the first time I do it in real life, it doesn't quite work that way. Let's see how this works:

1. Set all host certs to be the same file in puppet master config:

   hostcert = /local/puppet/etc/ssl/certs/puppet.example.com.pem

2. Generate a new cert:

   /opt/local/sbin/puppetca --config /local/puppet/etc/puppetca.conf --generate --certdnsnames puppet.bfm.com:puppet-ca.bfm.com:puppet-ca2.bfm.com:puppet-lab.bfm.com:puppet-svn.bfm.com:puppet-del.bfm.com:puppet-ndh.bfm.com:puppet-prn.bfm.com:puppet-nyc.bfm.com:puppet-smw.bfm.com:puppet-tkm.bfm.com:puppet-ewd.bfm.com:puppet-lva.bfm.com:puppet-rmc.bfm.com:puppet-rdc.bfm.com:puppet-sfo.bfm.com puppet.bfm.com

3. Confirm we have all our DNS names in the alternate DNS names:

   openssl x509 -text -noout -in /local/puppet/etc/ssl/certs/puppet.example.com.pem | grep DNS

   DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:puppet-ca2.example.com, DNS:puppet-lab.example.com, DNS:puppet-svn.example.com, DNS:puppet-del.example.com, DNS:puppet-ndh.example.com, DNS:puppet-prn.example.com, DNS:puppet-nyc.example.com, DNS:puppet-smw.example.com, DNS:puppet-tkm.example.com, DNS:puppet-ewd.example.com, DNS:puppet-lva.example.com, DNS:puppet-rmc.example.com, DNS:puppet-rdc.example.com, DNS:puppet-sfo.example.com, DNS:puppet.example.com

4. Make sure the puppet daemon (running via passenger) also has the correct alternate names:

   echo "" | openssl s_client -connect engncfm001:8140 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | grep DNS:

   DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:puppet-ca2.example.com, DNS:puppet-lab.example.com, DNS:puppet-svn.example.com, DNS:puppet-del.example.com, DNS:puppet-ndh.example.com, DNS:puppet-prn.example.com, DNS:puppet-nyc.example.com, DNS:puppet-smw.example.com, DNS:puppet-tkm.example.com, DNS:puppet-ewd.example.com, DNS:puppet-lva.example.com, DNS:puppet-rmc.example.com, DNS:puppet-rdc.example.com, DNS:puppet-sfo.example.com, DNS:puppet.example.com

5. Hurrah. Now the interesting thing is that a new data centre we are bringing online had its location name changed from ewe to ewd. No matter - as you can see above I have updated the cert.

6. However, when we build a new server, and we check the cert on the puppet server from the client for DNS alternative names:

   openssl x509 -text -noout -in /local/puppet/etc/ssl/ca/signed/engnjmp002.example.com.pem | grep DNS

   DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:puppet-ca2.example.com, DNS:puppet-lab.example.com, DNS:puppet-del.example.com, DNS:puppet-ndh.example.com, DNS:puppet-prn.example.com, DNS:puppet-nyc.example.com, DNS:puppet-smw.example.com, DNS:puppet-tkm.example.com, DNS:puppet-wew.example.com, DNS:puppet-lva.example.com, DNS:puppet-rmc.example.com, DNS:puppet-rdc.example.com, DNS:puppet-sfo.example.com, DNS:engnjmp002.example.com

That's not right - puppet-wew not puppet-ewd, and puppet-svn is missing. How can this be, as I checked openssl talking to puppet? It seems that the client's certificate is being signed with a CNAME list from the "certdnsnames" entry in the puppetmaster config file. I can mess around with that and confirm it is that entry which modifies the client's Alternate Names entry.
I **assumed** the client certificate would be signed against the server's certificate file. So, now, I update certdnsnames with exactly what is in the hostcert and things are OK, and I just need to update my documentation to include that step, but I found it odd. Should I find that odd, or am I missing something?

Thanks
John
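A check for the mismatch described in the post, added here as an example and not part of John's message or of Puppet itself: it diffs the names in a certdnsnames value against the DNS names that `openssl x509 -text | grep DNS` reports for a cert, whether the master's own cert or a freshly signed client cert. The config value and the openssl output below are constructed samples; dropping the cert's own subject name before comparing (it appears as a SAN in the client cert output above) is an assumption.

```python
"""Diff a puppetmaster certdnsnames setting against the DNS SANs openssl
reports for a certificate, so a wrong or missing alternate name is caught
before a CNAME failover depends on it."""
import re
from typing import Iterable

# Constructed sample of the certdnsnames value (colon-separated, as in puppet.conf).
CERTDNSNAMES = ("puppet.example.com:puppet-ca.example.com:puppet-svn.example.com:"
                "puppet-ewd.example.com:puppet-sfo.example.com")

# Constructed sample of `openssl x509 -text -noout ... | grep DNS` output for a
# signed client cert, wrapped mid-entry the way a mail client wraps long lines.
OPENSSL_DNS_OUTPUT = """DNS:puppet.example.com, DNS:puppet-ca.example.com, DNS:
puppet-wew.example.com, DNS:puppet-sfo.example.com, DNS:engnjmp002.example.com"""


def parse_certdnsnames(value: str) -> set:
    """Split a certdnsnames value into a set; empty or trailing entries are ignored."""
    return {n.strip().lower() for n in value.split(":") if n.strip()}


def parse_openssl_dns(text: str) -> set:
    """Collect every name following 'DNS:', rejoining entries split across lines."""
    joined = re.sub(r"DNS:\s*\n\s*", "DNS:", text)
    return {m.group(1).lower()
            for m in re.finditer(r"DNS:\s*([A-Za-z0-9.*-]+)", joined)}


def compare_sans(expected: Iterable[str], actual: Iterable[str],
                 subject_cn: str = "") -> dict:
    """Report names configured but absent from the cert, and names present in the
    cert but not configured. The cert's own subject name is excluded from the
    comparison (assumption: it is always added as a SAN, as in the post's output)."""
    exp, act = set(expected), set(actual)
    act.discard(subject_cn.lower())
    return {"missing": sorted(exp - act), "unexpected": sorted(act - exp)}


if __name__ == "__main__":
    report = compare_sans(parse_certdnsnames(CERTDNSNAMES),
                          parse_openssl_dns(OPENSSL_DNS_OUTPUT),
                          subject_cn="engnjmp002.example.com")
    print(report)
```

Run the same comparison against the `openssl s_client` output from step 4 to confirm the running master presents the same list the clients will be signed with.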