Phillip B Oldham
2011-Feb-25 16:37 UTC
[Puppet Users] "hostname not match with the server certificate" error
Hi all,

I'm trying to set up a separate puppet master and client on EC2. I've used two instances of CentOS 5.4 with nothing other than the base install and have installed puppet via the ruby gems. Puppet is at 2.6.4 on both machines. I've been following the guide to get a basic configuration working (http://docs.puppetlabs.com/guides/configuring.html) with a little tweak because I'm on EC2, but I'm not able to authenticate my agent with the master.

Here are the steps I'm taking, and the output:

    [agent]# echo "foobar" > /etc/puppet/certname
    [agent]# puppet agent --certname=$(cat /etc/puppet/certname) --server puppet.mydomain.org --waitforcert 30 --test
    info: Creating a new SSL key for webserver
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for webserver
    info: Certificate Request fingerprint (md5): SO:ME:RA:ND:OM:NU:MB:ER:SS
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session

Then on the master:

    [master]# puppet cert --list
    foobar
    [master]# puppet cert --sign foobar
    notice: Signed certificate request for foobar
    notice: Removing file Puppet::SSL::CertificateRequest foobar at '/etc/puppet/ssl/ca/requests/foobar.pem'

Then back on the client:

    info: Caching certificate for foobar
    err: Could not retrieve catalog from remote server: hostname not match with the server certificate
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

I'm not entirely sure what I'm not doing right. The docs don't provide much help for this error, nor does the troubleshooting section. I'm rather stuck!
-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hal Snyder
2011-Feb-27 00:05 UTC
[Puppet Users] Re: "hostname not match with the server certificate" error
Are you specifying certname on puppet master as well as client? That is working for me as long as I set --server=<master_certname> and --certname=<client_certname> on the client and --certname=<master_certname> on the master. You may need to clean out <confdir>/ssl on your AMIs and start over to get this to work.

Specifying certname enables using puppet in EC2 with dynamic DNS. Then master and clients can be stopped and started and still authenticate without updating certs, even though public DNS name and IP address usually change between AMI start & stop.

It would be nice to expose the node name in puppet master notice statements for debugging, but I haven't found a way to do that. This is not the same as hostname, nor is it what you get from internal reverse DNS in EC2, nor is it the same as name, which seems to be derived from whatever regex matched the node declaration.
Nigel Kersten
2011-Feb-27 07:32 UTC
Re: [Puppet Users] Re: "hostname not match with the server certificate" error
On Sat, Feb 26, 2011 at 4:05 PM, Hal Snyder <Hal.Snyder@orbitz.com> wrote:

> Are you specifying certname on puppet master as well as client? That is
> working for me as long as I set --server=<master_certname> and
> --certname=<client_certname> on the client and --certname=<master_certname>
> on the master. You may need to clean out <confdir>/ssl on your AMIs and
> start over to get this to work.
>
> Specifying certname enables using puppet in EC2 with dynamic DNS. Then
> master and clients can be stopped and started and still authenticate without
> updating certs, even though public DNS name and IP address usually change
> between AMI start & stop.

I'd also add that if you're managing machines with changing hostnames, you shouldn't have hostname-style certnames. I know you didn't say that, but I've seen people make this mistake before, and it gets really confusing when the certificate name looks like a hostname, but isn't one. I'm a big fan of UUIDs for certnames in dynamic environments.

> It would be nice to expose the node name in puppet master notice statements
> for debugging, but I haven't found a way to do that. This is not the same as
> hostname, nor is it what you get from internal reverse DNS in EC2, nor is it
> the same as name, which seems to be derived from whatever regex matched the
> node declaration.

It gets exposed as a tag. We have some issues around the tagging of some regular expressions, and I'd love more feedback from those of you using regex nodes about this: http://projects.puppetlabs.com/issues/5898

If you'd like the node name to be exposed more directly, please put a feature request in, as that sounds quite useful.
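The two replies above make a single point: the value the agent passes as --server is compared against the name in the master's certificate, and the agent's own certname should be something stable that is not a hostname. The following Ruby script is an added example (not code from this thread or from Puppet itself) that shows both checks offline. It builds a self-signed certificate shaped like a master certificate (CN = the master's certname, optional subjectAltName entries) and runs it through OpenSSL::SSL.verify_certificate_identity, the identity check Ruby's OpenSSL binding performs after the TLS handshake and the source of the "hostname not match" error; it also shows a UUID certname that is generated once and reused. The names ip-10-0-0-1.ec2.internal and puppet.mydomain.org are hypothetical stand-ins for the thread's master and its DNS alias.

```ruby
require 'openssl'
require 'securerandom'
require 'tmpdir'

# Build a self-signed certificate shaped like a puppet master's server
# certificate: subject CN is the master's certname, and any other names
# agents may use to reach it go into subjectAltName. Constructed for
# this example only; a real master cert is signed by the puppet CA, but
# the identity check below looks at the same fields either way.
def build_master_cert(certname, dns_alt_names = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', certname]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  unless dns_alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = dns_alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end

  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# The post-handshake identity check: true only when `server` (what the
# agent was given as --server) matches a dNSName in subjectAltName, or
# the subject CN when the certificate carries no dNSName at all. A false
# here is exactly the condition behind "hostname not match with the
# server certificate".
def server_name_matches?(cert, server)
  OpenSSL::SSL.verify_certificate_identity(cert, server)
end

# A certname that is not a hostname: generate a UUID once, persist it,
# and hand the same value back on every later run so the agent keeps its
# identity across EC2 stop/start cycles even as hostname and DNS change.
def stable_certname(path)
  if File.exist?(path)
    name = File.read(path).strip
    return name unless name.empty?
  end
  name = SecureRandom.uuid
  File.write(path, name + "\n")
  name
end

if __FILE__ == $0
  # Master started with --certname=ip-10-0-0-1.ec2.internal (hypothetical)
  # and no alt names: only that exact name is acceptable as --server.
  plain = build_master_cert('ip-10-0-0-1.ec2.internal')
  p server_name_matches?(plain, 'ip-10-0-0-1.ec2.internal')  # true
  p server_name_matches?(plain, 'puppet.mydomain.org')       # false

  # Master certificate that also lists the alias agents actually use.
  alt = build_master_cert('ip-10-0-0-1.ec2.internal',
                          ['ip-10-0-0-1.ec2.internal', 'puppet.mydomain.org'])
  p server_name_matches?(alt, 'puppet.mydomain.org')         # true

  Dir.mktmpdir do |d|
    path = File.join(d, 'certname')
    p stable_certname(path) == stable_certname(path)         # true
  end
end
```

In the thread's terms: the agent ran with --server puppet.mydomain.org, so the check passes only if that string is the master's certname (Hal's fix, set the same value on both sides) or is listed as an alternative name in the master's certificate. Once a subjectAltName with dNSName entries is present, the CN is no longer consulted, so the certname itself should be included in that list as the second certificate above does.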