Jonathan Proulx
2012-Mar-10 02:15 UTC
[Puppet Users] X509v3 Subject Alternative Name in puppet generated certs...
I'm trying to split out my certificate authority and have one CA and multiple masters, currently using round robin DNS, possibly using HAproxy later. Got most of the way there but tangled up in names and certificates.

When the Puppet CA generated its certificate the PTR record for its IP pointed back to its domain name ("henson") and it had a CNAME "puppet" and it happily answers to both names because it generated a cert with:

    X509v3 Subject Alternative Name:
        DNS:henson.domain.com, DNS:puppet, DNS:puppet.domain.com

I'm in development mode so got it in my head I wanted at least two masters (looking to support about 2k systems out of the gate with some bursty cloudiness on top of that) so I lost the CNAME, made puppet A records for this host's IP and another ("burton") and added a puppet-ca CNAME to henson figuring I could just keep using the CA.

Calling the systems by their "real" names as returned by 'facter fqdn' or a reverse lookup on their IP works fine and "henson" is accepted as "puppet" due to its altName list, but "burton" (which was installed as a normal client to get its initial signed cert) didn't get any altName fields.

I'm OK with flushing all my certs and starting over, but I have a couple of questions. How does the puppet CA populate the altName field? And can I make it do what I want for both the CA and the non-CA servers or do I just need to suck it up, go get cozy with the openssl docs and do the server certs by hand if I want them fancy like that?

Thanks,
-Jon

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2012-Mar-10 21:23 UTC
Re: [Puppet Users] X509v3 Subject Alternative Name in puppet generated certs...
On Fri, Mar 9, 2012 at 6:15 PM, Jonathan Proulx <jon@jonproulx.com> wrote:
> I'm OK with flushing all my certs and starting over, but I have a
> couple of questions. How does the puppet CA populate the altName
> field? and can I make it do what I want for both the CA and the non-CA
> servers or do I just need to suck it up, go get cozy with the openssl
> docs and do the server certs by hand if I want them fancy like that?

Jon, what version of Puppet are you running?

I can't seem to find a doc on this that isn't release notes, so we should probably get a documentation bug in.

You can set 'dns_alt_names' either in your puppet.conf or on the command line when the node generates a CSR. Then you can use "allow-dns-alt-names" when signing the certificate on the CA to approve those alt names.

Alternatively, you can use "puppet certificate generate" on the CA and manually transmit the certificate/key to the node.

$ puppet help certificate sign

USAGE: puppet certificate sign [--terminus TERMINUS] [--extra HASH] <--ca-location LOCATION> [--[no-]allow-dns-alt-names] <host>

Sign a certificate signing request for HOST.

RETURNS: A string that appears to be (but isn't) an x509 certificate.

OPTIONS:
  --mode MODE                  - The run mode to use (user, agent, or master).
  --render-as FORMAT           - The rendering format to use.
  --verbose                    - Whether to log verbosely.
  --debug                      - Whether to log debug information.
  --[no-]allow-dns-alt-names   - Whether or not to accept DNS alt names in the certificate request
  --ca-location LOCATION       - Which certificate authority to use (local or remote).
  --extra HASH                 - Extra arguments to pass to the indirection request
  --terminus TERMINUS          - The indirector terminus to use.

TERMINI: ca, file, rest

See 'puppet man certificate' or 'man puppet-certificate' for full help.
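To make concrete what the dns_alt_names / --allow-dns-alt-names flow produces, and why "henson" answers as "puppet" while "burton" does not, here is an added Ruby example (not Puppet's own code): it issues a self-signed stand-in certificate with and without DNS subjectAltName entries and checks hostnames against it the way a TLS client would. The host names henson.domain.com, burton.domain.com and puppet are taken from the thread; the CA logic is a simplified stand-in, not Puppet's CA.

```ruby
require 'openssl'

# Stand-in for the Puppet CA: a self-signed cert for CN, optionally carrying the
# DNS subjectAltName entries that dns_alt_names + --allow-dns-alt-names would add.
def issue_cert(cn, alt_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X509v3
  cert.serial = rand(1 << 31)
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', cn]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(', ')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names listed in the cert's subjectAltName extension ([] when, like
# "burton" in the thread, the cert was issued without any alt names).
def dns_alt_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# Does the cert identify HOST? Same rule a TLS client applies to the master:
# if DNS SANs are present they decide, otherwise the CN is compared.
def identifies?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $0
  henson = issue_cert('henson.domain.com', %w[henson.domain.com puppet puppet.domain.com])
  burton = issue_cert('burton.domain.com')
  puts "henson SANs: #{dns_alt_names(henson).inspect}"               # three DNS names
  puts "henson answers as puppet? #{identifies?(henson, 'puppet')}"  # true
  puts "burton answers as puppet? #{identifies?(burton, 'puppet')}"  # false
end
```

The same dns_alt_names/identifies? pair works on a real master cert read with OpenSSL::X509::Certificate.new(File.read(path)), which is a quick way to confirm a signed cert actually got the alt names before pointing agents at it.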
Jonathan Proulx
2012-Mar-12 13:54 UTC
Re: [Puppet Users] X509v3 Subject Alternative Name in puppet generated certs...
Hi Nigel,

Thanks for the fabulous response. I was convinced I was going to need to do this by hand, happy to see my native pessimism proved wrong.

On Sat, Mar 10, 2012 at 4:23 PM, Nigel Kersten <nigel@puppetlabs.com> wrote:
> Jon, what version of Puppet are you running?

2.7.11 on Debian/Squeeze from apt.puppetlabs.com

Thanks,
-Jon