Well, this is frustrating.

Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.

I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new "Pro Puppet" book skims over this detail. You'd think they'd have someone proof it before selling it.

Anyway, someone suggested just using a DNS alias, but that doesn't seem to work. If my master is called hpma01p1, and the ssl certs are created in the default manner, when I create a DNS alias, and my client talks to hpma01p1 by using 'puppet', it still fails:

Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

I know that there's a 'certname' option but it looks like it's only valid in the [agent], not the master section. How do I do this?

Doug.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Sat, Jul 30, 2011 at 8:03 PM, Douglas Garstang <doug.garstang@gmail.com> wrote:

> Well, this is frustrating.
>
> Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.
>
> I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new "Pro Puppet" book skims over this detail. You'd think they'd have someone proof it before selling it.
>
> Anyway, someone suggested just using a DNS alias, but that doesn't seem to work. If my master is called hpma01p1, and the ssl certs are created in the default manner, when I create a DNS alias, and my client talks to hpma01p1 by using 'puppet', it still fails:
>
> Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
>
> I know that there's a 'certname' option but it looks like it's only valid in the [agent], not the master section. How do I do this?
>
> Doug.

Actually, correction.... I'm getting this on the client:

debug: Using cached certificate for ca
/usr/lib/ruby/1.8/openssl/ssl.rb:91:in `post_connection_check': hostname not match with the server certificate (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/1.8/net/http.rb:588:in `connect'
from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
from /usr/lib/ruby/1.8/net/http.rb:542:in `start'
from /usr/lib/ruby/1.8/net/http.rb:1035:in `request'

The last message in this thread, http://groups.google.com/group/puppet-users/browse_thread/thread/175183b711074480, says:

"We have a single key/cert for the master named "puppet.arces.net" (or puppet-qa.arces.net for the QA one). I don't designate a cert name anywhere - I just have a cert generated for the puppetmasters that matches the hostname that the clients use to connect to the load balancer, not a cert name for the hosts themselves."

Seems to work for him for some reason!

Doug.
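The `post_connection_check` failure Doug pastes above is a plain name comparison: the name the agent dialled must appear in the server certificate's CN or in one of its subjectAltName dNSName entries. The following Python model is an added illustration, not code from this thread or from Puppet; it mirrors that check (SAN dNSNames consulted first, CN only as a fallback, wildcard allowed only as the whole leftmost label) and shows why a certificate issued for `hpma01p1` cannot serve agents that connect to the alias `puppet`, while one issued for the alias and both masters' names can. The certificate contents and the secondary master name `hpma02p1` are constructed for the example.

```python
"""Model of the hostname-vs-certificate check behind
"hostname not match with the server certificate" (added example, not Puppet code)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """Only the identity fields of an X.509 server certificate matter here.
    Real certificates carry these as Subject CN and subjectAltName dNSName."""
    common_name: str
    dns_alt_names: List[str] = field(default_factory=list)


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, label by label;
    '*' is accepted only as the entire leftmost label and matches one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if i == 0 and p == "*":
            continue
        if p != h:
            return False
    return True


def cert_matches_hostname(cert: ServerCert, hostname: str) -> bool:
    """If the cert carries any dNSName SANs, only those are consulted;
    otherwise the CN is used. Same order as OpenSSL::SSL#post_connection_check."""
    if cert.dns_alt_names:
        return any(_label_match(n, hostname) for n in cert.dns_alt_names)
    return _label_match(cert.common_name, hostname)


def diagnose(cert: ServerCert, hostname: str) -> str:
    """Human-readable verdict for one connection attempt."""
    if cert_matches_hostname(cert, hostname):
        return "ok"
    names = [cert.common_name] + cert.dns_alt_names
    return (f"hostname not match with the server certificate "
            f"(connected to {hostname!r}, certificate names: {names})")


def uncovered_names(cert: ServerCert, connect_names: List[str]) -> List[str]:
    """Names agents may dial (alias plus each master) that this cert does not cover.
    An empty list means the cert survives a failover behind the alias."""
    return [n for n in connect_names if not cert_matches_hostname(cert, n)]


# Constructed certificates. hpma01p1 is the master name from the thread;
# hpma02p1 is an assumed name for the standby master.
DEFAULT_MASTER_CERT = ServerCert("hpma01p1")                     # default puppet cert
ALIAS_CERT = ServerCert("puppet", ["puppet", "hpma01p1", "hpma02p1"])  # issued for the alias
AGENT_TARGETS = ["puppet", "hpma01p1", "hpma02p1"]

if __name__ == "__main__":
    for cert in (DEFAULT_MASTER_CERT, ALIAS_CERT):
        print(f"cert CN={cert.common_name!r} SAN={cert.dns_alt_names}")
        for target in AGENT_TARGETS:
            print(f"  agent -> {target:9s} {diagnose(cert, target)}")
        print(f"  uncovered after failover: {uncovered_names(cert, AGENT_TARGETS)}")
```

In Puppet terms the CN of the master certificate is what the `certname` setting controls (Pete's reply below confirms it is honoured in the `[master]` section), and the SAN entries come from the `dns_alt_names` setting, which the thread does not mention; the cert has to be generated with those names before it is signed, which is why the arces.net poster had no trouble and a default-generated `hpma01p1` cert cannot be made to work by DNS alone.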
Douglas Garstang wrote:

> Well, this is frustrating.
>
> Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.
>
> I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new "Pro Puppet" book skims over this detail. You'd think they'd have someone proof it before selling it.

Douglas

Did you read the chapter carefully? The Front End Load Balancer Configuration section explains this pretty clearly.

Regards

James Turnbull

--
James Turnbull
Puppet Labs
1-503-734-8571
Join us for PuppetConf <http://www.bit.ly/puppetconfsig>, September 22nd and 23rd in Portland, Oregon, USA.
> I know that there's a 'certname' option but it looks like it's only valid in the [agent], not the master section. How do I do this?

It works in the master section as well.

~pete
On Sat, Jul 30, 2011 at 10:38 PM, James Turnbull <james@puppetlabs.com> wrote:

> Douglas Garstang wrote:
> > Well, this is frustrating.
> >
> > Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.
> >
> > I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new "Pro Puppet" book skims over this detail. You'd think they'd have someone proof it before selling it.
>
> Douglas
>
> Did you read the chapter carefully? The Front End Load Balancer Configuration section explains this pretty clearly.

Several times. Starts on page 99. Can't find any reference to it.

Also, I'd like to point out that the book talks initially about setting up a separate primary and secondary CA, but after mentioning that these should go on a separate server, only details how to do it on the puppet master. Putting the CA function on a different server is not a trivial thing and I spent a few hours yesterday reading between the lines, trying to work out how to put it on a separate server, and finally gave up about 1am this morning.

Doug.
Hi Doug,

I am also facing the same issue after following the steps from the book. I tried with nginx and passenger and I mentioned it on the following post.

http://groups.google.com/group/puppet-users/browse_thread/thread/44bc89455ccc311a#

Regards,
Kevin

> > Douglas Garstang wrote:
> > > Well, this is frustrating.
> > >
> > > Let's say I have two puppet masters, where one is active, and the other is a hot standby. Obviously each is going to have a different FQDN. Everything will work fine when the client talks to the server that signed its certificate. However, after a failover to the secondary master, it's all going to fail because the FQDN of the master will not match.
> > >
> > > I've been searching around, reading the mailing list, and am surprised to find very little information on this. The new "Pro Puppet" book skims over this detail. You'd think they'd have someone proof it before selling it.
> >
> > Douglas
> >
> > Did you read the chapter carefully? The Front End Load Balancer Configuration section explains this pretty clearly.
>
> Several times. Starts on page 99. Can't find any reference to it.
>
> Also, I'd like to point out that the book talks initially about setting up a separate primary and secondary CA, but after mentioning that these should go on a separate server, only details how to do it on the puppet master. Putting the CA function on a different server is not a trivial thing and I spent a few hours yesterday reading between the lines, trying to work out how to put it on a separate server, and finally gave up about 1am this morning.
>
> Doug.
Douglas Garstang
2011-Aug-01 15:18 UTC
Re: [Puppet Users] Re: Master failover and cert names.
On Mon, Aug 1, 2011 at 8:03 AM, linuxbsdfreak <linuxbsdfreak@gmail.com> wrote:

> Hi Doug,
>
> I am also facing the same issue after following the steps from the book. I tried with nginx and passenger and I mentioned it on the following post.
>
> http://groups.google.com/group/puppet-users/browse_thread/thread/44bc89455ccc311a#
>
> Regards,
> Kevin

Thanks for the reply Kevin. Good to know I'm not the only one.

Doug.