Displaying 20 results from an estimated 26 matches for "certdnsnames".
2010 Nov 04
0
certdnsnames question
Hi All
Apologies if this is obvious, but I'm a bit flaky around SSL certificates.
NB puppet version 0.25.5
We use the brilliant feature of certificates where you can have Alternate
DNS names for a certificate which is manifested in the puppet master config
file as certdnsnames. All our clients connect to puppet-$
location.example.com, and if $location is down, we can point the CNAME to
another puppet server which has the original puppet-$location in the puppet
servers certificate. All puppet servers get the same certificate
When we bring on a new DC, we just update the...
2009 Jun 24
1
puppetrun and certs - CA certdnsnames?
...clients
(I've set up 4 so far) pull their configs from the master fine, either
running `puppetd --no-daemonize --verbose --listen
--server=puppet-mgmt.mydomain.com` or through the init script. Each host
has certname= specified in their puppet.conf [puppetd] section as the
FQDN, and also has certdnsnames= hostname-mgmt.mydomain.com defined
there. However, when I try (from the puppetmaster) to puppetrun
--host=hostname.mydomain.com, I get a HTTP-Error 500 from puppetrun and
in the client logs, I see:
notice: Denying unauthenticated client puppet.mydomain.com(192.168.0.10)
access to puppetrunner.run...
2012 Aug 21
3
mcollective getaddrinfo: Name or service not known
...I know the above error is commonly related to DNS but I'm not sure where
the disconnect is. These are brand new agent installations. server field in
the agent puppet.conf is the server hostname which is also the listed
certname shown when 'puppet master --configprint certname,certdnsnames' is
typed from the server (certdnsname is blank).
Any help or direction?
Thanks -- James
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/...
2009 Apr 20
2
CA different than hostname?
...clients to connect via a cname as
puppet.example.com. Is this pretty standard? Is there some more common
way?
puppetmaster seems to want to create the CA certs as
puppet1.example.com. I assume one of the configuration parameters would
tell it otherwise. I'm not sure which. From the docs, certdnsnames
sounds right, though I don't know which section of the config file to
put it in.
thanks
seph
2011 Oct 24
3
Important Security Announcement: AltNames Vulnerability [new version of puppet]
We have discovered a security vulnerability (“AltNames Vulnerability”)
whereby a malicious attacker can impersonate the Puppet master using
credentials from a Puppet agent node. This vulnerability cannot cross
Puppet deployments, but it can allow an attacker with elevated
privileges on one Puppet-managed node to gain control of any other
Puppet-managed node within the same infrastructure.
All
2011 Jan 18
3
Failed SSL with CNAME'd puppetserver
...ppet-new.domain through the CNAME)?
node# puppetd --test --server=puppet-old.domain
err: Could not retrieve catalog from remote server: hostname was not match
with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
I tried fiddling with certdnsnames on both the server side and the client
side, but without effect.
The reason I want this to work is because I want to be able to remove the
puppet-old server without having to wait for every single node. There are
dozens who haven't connected to the puppet-old server in quite a while for
v...
2011 Oct 24
0
Announce: Puppet 2.6.12 Available [security update]
...tion` for server keys.
d66def9 (#2848) Only mark `subjectAltName` critical if `subject` is empty.
8174047 (#2848) Migrate `dns-alt-names` back to settings.
f18df2b Wire up the `setbycli` slot in Puppet settings.
efa61f2 (#2848) rename subject-alt-name option to dns-alt-names
f103b20 (#2848) Rename `certdnsnames` to match new behaviour.
363b47b (#2848) Use `certdnsnames` when bootstrapping a local master.
49334ff (#2848) CSR subjectAltNames handling while signing.
5f2af93 (#2848) List subject alt names in output of puppet cert --list
bb475ec (#7224) Add a helper to Puppet::SSL::Certificate to retrieve
alte...
2012 Feb 27
1
Using puppet cert generate on a client -- why doesn't this work?
...pet/ssl/ca/ca_crl.pem": (ensures absent, we
don't need them in our environment.)
Then, in order to generate the ssl certs for the webservice, I generate this:
# If this isn't working, try puppet cert clean $::fqdn first
exec {"/usr/bin/puppet cert --generate --certdnsnames $aliases $::fqdn":
creates => ["/var/lib/puppet/ssl/certs/${::fqdn}.pem",
"/var/lib/puppet/ssl/private_keys/${::fqdn}.pem",
"/var/lib/puppet/ssl/public_keys/${::fqdn}.pem",
"/var/lib/puppe...
2011 Apr 06
4
SSL issues: Separate CA, multiple load balanced masters
...returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed
At startup, I'm running ntpdate (I've read in a lot of places that
this error occurs when date between servers is different, it's not).
My setup is:
CA: puppet.mydomain.com with config:
certdnsnames = puppet.mydomain.com
certname = puppet.mydomain.com
server = puppet.mydomain.com
Masters behind an Amazon ELB, with config:
certdnsnames = master.mydomain.com
ca_server = puppet.mydomain.com
server = master.puppet.3ev.info
ca = false
Does anyone have any idea why this might happen?
2009 Apr 28
2
Puppet Mongrel Load Balancing + CNAME
Hi I am reading and configuring puppet in relation to
http://reductivelabs.com/trac/puppet/wiki/UsingMongrelOnEnterpriseLinux
The question I have is in relation to the ssl certificates generated
the first time the puppetmaster service is run and the ability to use
a CNAME.
If the host that I am running the puppetmaster on is
server.example.com and I want to use puppet.example.com as a CNAME
that
2009 Nov 13
2
Multihomed puppet-server Multidomain SSL Problem
Hello List,
I have a problem with the CA on my Puppetmaster. This Puppetmaster is
connected to different Networks with different sub domainnames. The Puppet
clients connecting via different Interfaces. There is no routing between
subnets. Only one subnet can connect successfully. This is because the
subject in the Certificate is the name of this subnet. All other clients get:
Could not
2011 Jul 08
2
Puppetmaster setup with separate CA server configuration help
...IP address and also running
puppetmaster with passenger under 127.0.0.1 (port 8140).
primaryca - Puppetmaster Primary CA
pclient - Puppet Client
The did the following steps:
On Primary CA server:
----------------------------
cd /var/lib/puppet/
puppetca generate
puppet cert -g loadbalancer01 --certdnsnames=puppetmaster:loadbalancer01
puppet cert -g primaryca --certdnsnames=puppetmaster:primaryca
scp private_keys/loadbalancer01.pem root@loadbalancer01:/var/lib/puppet/ssl/private_keys/
scp ca/signed/loadbalancer01.pem root@loadbalancer01:/var/lib/puppet/ssl/certs/
scp ca/ca_crt.pem root@loadbalancer...
2010 Sep 08
25
Setup 2.6 + apache, passenger
Hi!
I'm testing Puppet 2.6 and got all the basic stuff working with the
default webricks. I read that it doesn't scale very well and is not
suited for production environments and the recommended setup is Apache/
Passenger.
Is there a step-by-step-guide on how to set it up?
Any help is very appreciated.
Regards,
Freddie
2011 Apr 14
10
allow_duplicate_certs = true not working?
I saw this feature became available in 2.7.0rc1 and wanted to try it
out. I entered 'allow_duplicate_certs = true' on both my master and
agent systems in the puppet.conf (not sure if its need in both, saw it
in genconf for puppetd and puppetmasterd though ...). I also have
autosign.conf configured to allow autosigning for our domain
(*.domain.com). I had my agent register with
2011 Dec 16
12
Separate CA's/Master behind load balancer
Hello,
Attempting to setup a CA primary/standby as well as separate
puppetmaster servers (all running Apache/Passenger) behind another
Apache/Passenger type load balancer.
Clients are not getting certs:-
err: Could not request certificate: Could not intern from s: nested
asn1 error
Clearly an SSL issue but not something I know a great deal about.
loadbalancer.conf
# Puppet Load Balancing
2011 Dec 01
3
Announce: Puppet 2.7.8rc1 available
...Redmine site, using an affected
version of 2.7.8rc1
http://projects.puppetlabs.com/projects/puppet
Documentation is available at: http://docs.puppetlabs.com/index.html
# 2.7.8rc1
##10739 Provide default subjectAltNames while bootstrapping master
Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set,
puppet would add default subjectAltNames to any non-CA cert it signed,
including agent certs. The subjectAltNames were of the form:
DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>
The fix for #2848, prevented subjectAltNames from ever being
implicitly a...
2008 Dec 18
3
errors after 0.24.7 upgrade ..
...rlog = $logdir/puppetmaster.log
manifestdir = /opt/puppet/manifests
bucketdir = /opt/puppet/bucket
autoflush = true
logdir = /var/log/puppet
ssldir = $vardir/ssl
factpath = $vardir/lib/facter
vardir = /var/lib/puppet
rundir = /var/run/puppet
pluginsync = true
certdnsnames = puppet:< removed >
report = true
configtimeout = 300
puppetdlog = $logdir/puppetd.log
splaylimit = 1800
splay = true
runinterval = 3600
ca_port = 8145
[puppetmasterd]
storeconfigs = true
dbadapter = mysql
dbname = puppet
dbuser = puppet
dbpass...
2011 Jan 13
5
Problem restarting the agent
Just installed Puppet 2.6.4 on Ubuntu 10.10
I was trying to restart the puppet agent but got the following error
and the agent didn't run:
$ sudo puppetd --server server.domain.com --waitforcert 60 --test
err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed
warning: Not using cache on failed
2009 Jun 10
2
Moving to new puppetmaster - certificates
Unfortunately I haven't been able to find anything in the docs...
I just built a new puppetmaster to replace my testing install on an old
box. The hostname is different, and obviously the master certificates
are different. What needs to be done to the clients to get them to play
nice with the new box?
Thanks,
Jason Antman
2010 Jun 20
8
bringing puppet into production
Hi everyone,
I’ve been working on getting puppet set up for our systems for the
past week, and all has gone well in learning about writing manifests,
but now that I’m ready to set it into production, I realize that it’s
still unclear to me exactly how that’s supposed to go.
For instance, during testing it has always been that I manually
started and stopped puppetd and puppetmasterd on their