On Tue, Oct 23, 2012 at 2:24 AM, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
> I'm trying to generate a CA certificate that will be used on multiple
> puppet masters, accessed by round robin DNS.
>
> The individual nodes have their own hostnames and the round robin name is
> puppet.resnet.bris.ac.uk or puppet.resnet.bristol.ac.uk (the twin domain
> name for Bristol university is historical, and a total pain).
>
> However I'm having trouble with puppet ca as follows:
>
> [jg4461@puppet1 ~]$ sudo puppet ca generate --dns_alt_names
> puppet.resnet.bris.ac.uk
> Error: puppet ca generate takes 1 argument, but you gave 0
> Error: Try 'puppet help ca generate' for usage
>
This command adds "puppet.resnet.bris.ac.uk" to the x.509 alternate names
field, but Puppet is still expecting the value of the common name. If the
common name is "foo.resnet.bris.ac.uk" then try the command:
sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk foo.resnet.bris.ac.uk.
>
> [jg4461@puppet-1 ~]$ sudo puppet ca generate --dns_alt_names
> puppet.resnet.bris.ac.uk, puppet.resnet.bristol.ac.uk
>
Did you mean to have a space between the comma and the next word here?
> Error: The certificate retrieved from the master does not match the
> agent's private key.
>
This error happens when the CSR you're trying to sign already has a signed
certificate. In this scenario, Puppet does not sign the CSR and instead
simply returns the already present certificate.
To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a certificate.
On the master:
puppet cert clean puppet1.resnet.bris.ac.uk
On the agent:
rm -f /var/lib/puppet/ssl/certs/puppet1.resnet.bris.ac.uk.pem
puppet agent -t
>
> [jg4461@puppet1 ~]$ puppet --version
> 3.0.1
>
>
> Am I doing something wrong, or is something broken?
>
It doesn't seem like anything is broken beyond the normal difficulties with
x.509 certificates. It just seems like there's an already existing
certificate named "puppet1.resnet.bris.ac.uk".
Hope this helps,
-Jeff
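An added example, not part of the thread above: a POSIX sh script that uses the openssl CLI to reproduce the situation Jeff describes. It builds a throw-away CA (the "example-ca" name is constructed), issues a certificate whose subjectAltName carries both round-robin names from the thread, and then runs the public-key comparison that underlies the "does not match the agent's private key" error once the agent's key is regenerated while the old certificate is still in place.

```shell
# Constructed example: a throw-away CA, a CSR that carries the round-robin
# names in subjectAltName, and the key/certificate consistency check behind
# the "does not match the agent's private key" error discussed above.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CN=puppet1.resnet.bris.ac.uk   # the master's own name, taken from the thread

# make_ca: self-signed CA key and certificate in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}
# make_csr <cn> <alt1,alt2,...>: fresh key + CSR, plus an extension file that
# lists the CN and every alt name (works on OpenSSL 1.1 and 3.x alike).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$1" "$(printf '%s' "$2" | sed 's/,/,DNS:/g')" \
    > "$WORK/$1.ext"
}
# sign_csr <cn>: the CA signs the CSR, attaching the SAN extension.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}
# cert_matches_key <cert> <key>: true only if the certificate's public key is
# the public half of <key>; this is the property Puppet found to be false.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# cert_has_san <cert> <name>: true if <name> is among the DNS alt names.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
# demo: sign once and verify, then regenerate the agent key without cleaning
# the old certificate; the stale certificate must now fail the check.
demo() {
  make_ca
  make_csr "$CN" puppet.resnet.bris.ac.uk,puppet.resnet.bristol.ac.uk
  sign_csr "$CN"
  cert_matches_key "$WORK/$CN.crt" "$WORK/$CN.key" || return 1
  cert_has_san "$WORK/$CN.crt" puppet.resnet.bristol.ac.uk || return 1
  openssl genrsa -out "$WORK/$CN.key" 2048 >/dev/null 2>&1
  ! cert_matches_key "$WORK/$CN.crt" "$WORK/$CN.key"
}

demo && echo "stale certificate detected: clean it on master and agent, then run the agent again"
```

Running cert_matches_key against the agent's own key and the certificate it received is a quick way to confirm this mismatch before cleaning anything.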
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.