search for: certdnsnames

Displaying 20 results from an estimated 26 matches for "certdnsnames".

2010 Nov 04
0
certdnsnames question
Hi All Apologies if this is obvious, but I'm a bit flaky around SSL certificates. NB puppet version 0.25.5 We use the brilliant feature of certificates where you can have Alternate DNS names for a certificate which is manifested in the puppet master config file as certdnsnames. All our clients connect to puppet-$location.example.com, and if $location is down, we can point the CNAME to another puppet server which has the original puppet-$location in the puppet servers certificate. All puppet servers get the same certificate When we bring on a new DC, we just update the...
2009 Jun 24
1
puppetrun and certs - CA certdnsnames?
...clients (I've setup 4 so far) pull their configs from the master fine, either running `puppetd --no-daemonize --verbose --listen --server=puppet-mgmt.mydomain.com` or through the init script. Each host has certname= specified in their puppet.conf [puppetd] section as the FQDN, and also has certdnsnames= hostname-mgmt.mydomain.com defined there. However, when I try (from the puppetmaster) to puppetrun --host=hostname.mydomain.com, I get a HTTP-Error 500 from puppetrun and in the client logs, I see: notice: Denying unauthenticated client puppet.mydomain.com(192.168.0.10) access to puppetrunner.run...
2012 Aug 21
3
mcollective getaddrinfo: Name or service not known
...I know the above error is commonly related to DNS but I'm not sure where the disconnect is. These are brand new agent installations. server field in the agent puppet.conf is the server hostname which is also the listed certname shown when 'puppet master --configprint certname,certdnsnames' is typed from the server (certdnsname is blank). Any help or direction? Thanks -- James -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/...
2009 Apr 20
2
CA different than hostname?
...clients to connect via a cname as puppet.example.com. Is this pretty standard? Is there some more common way? puppetmaster seems to want to create the CA certs as puppet1.example.com. I assume one of the configuration parameters would tell it otherwise. I'm not sure which. From the docs, certdnsnames sounds right, though I don't know which section of the config file to put it in. thanks seph
2011 Oct 24
3
Important Security Announcement: AltNames Vulnerability [new version of puppet]
We have discovered a security vulnerability (“AltNames Vulnerability”) whereby a malicious attacker can impersonate the Puppet master using credentials from a Puppet agent node. This vulnerability cannot cross Puppet deployments, but it can allow an attacker with elevated privileges on one Puppet-managed node to gain control of any other Puppet-managed node within the same infrastructure. All
2011 Jan 18
3
Failed SSL with CNAME'd puppetserver
...ppet-new.domain through the CNAME)? node# puppetd --test --server=puppet-old.domain err: Could not retrieve catalog from remote server: hostname was not match with the server certificate warning: Not using cache on failed catalog err: Could not retrieve catalog; skipping run I tried fiddling with certdnsnames on both the server side and the client side, but without effect. The reason I want this to work is because I want to be able to remove the puppet-old server without having to wait for every single node. There are dozens who haven't connected to the puppet-old server in quite a while for v...
2011 Oct 24
0
Announce: Puppet 2.6.12 Available [security update]
...tion` for server keys. d66def9 (#2848) Only mark `subjectAltName` critical if `subject` is empty. 8174047 (#2848) Migrate `dns-alt-names` back to settings. f18df2b Wire up the `setbycli` slot in Puppet settings. efa61f2 (#2848) rename subject-alt-name option to dns-alt-names f103b20 (#2848) Rename `certdnsnames` to match new behaviour. 363b47b (#2848) Use `certdnsnames` when bootstrapping a local master. 49334ff (#2848) CSR subjectAltNames handling while signing. 5f2af93 (#2848) List subject alt names in output of puppet cert --list bb475ec (#7224) Add a helper to Puppet::SSL::Certificate to retrieve alte...
2012 Feb 27
1
Using puppet cert generate on a client -- why doesn't this work?
...pet/ssl/ca/ca_crl.pem": (ensures absent, we don't need them in our environment.) Then, in order to generate the ssl certs for the webservice, I generate this: # If this isn't working, try puppet cert clean $::fqdn first exec {"/usr/bin/puppet cert --generate --certdnsnames $aliases $::fqdn": creates => ["/var/lib/puppet/ssl/certs/${::fqdn}.pem", "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem", "/var/lib/puppet/ssl/public_keys/${::fqdn}.pem", "/var/lib/puppe...
2011 Apr 06
4
SSL issues: Separate CA, multiple load balanced masters
...returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed At startup, I'm running ntpdate (I've read in a lot of places that this error occurs when date between servers is different, it's not). My setup is: CA: puppet.mydomain.com with config: certdnsnames = puppet.mydomain.com certname = puppet.mydomain.com server = puppet.mydomain.com Masters behind an Amazon ELB, with config: certdnsnames = master.mydomain.com ca_server = puppet.mydomain.com server = master.puppet.3ev.info ca = false Does anyone have any idea why this might happen?
2009 Apr 28
2
Puppet Mongrel Load Balancing + CNAME
Hi I am reading and configuring puppet in relation to http://reductivelabs.com/trac/puppet/wiki/UsingMongrelOnEnterpriseLinux The question I have is in relation to the ssl certificates generated the first time the puppetmaster service is run and the ability to use a CNAME. If the host that I am running the puppetmaster on is server.example.com and I want to use puppet.example.com as a CNAME that
2009 Nov 13
2
Multihomed puppet-server Multidomain SSL Problem
Hello List, I have a problem with the CA on my Puppetmaster. This Puppetmaster is connected to different Networks with different sub domainnames. The Puppet clients connecting via different Interfaces. There is no routing between subnets. Only one subnet can connect successfully. This is because the subject in the Certificate is the name of this subnet. All other clients get: Could not
2011 Jul 08
2
Puppetmaster setup with separate CA server configuration help
...IP address and also running puppetmaster with passenger under 127.0.0.1 (port 8140). primaryca - Puppetmaster Primary CA pclient - Puppet Client The did the following steps: On Primary CA server: ---------------------------- cd /var/lib/puppet/ puppetca generate puppet cert -g loadbalancer01 --certdnsnames=puppetmaster:loadbalancer01 puppet cert -g primaryca --certdnsnames=puppetmaster:primaryca scp private_keys/loadbalancer01.pem root@loadbalancer01:/var/lib/puppet/ssl/private_keys/ scp ca/signed/loadbalancer01.pem root@loadbalancer01:/var/lib/puppet/ssl/certs/ scp ca/ca_crt.pem root@loadbalancer...
2010 Sep 08
25
Setup 2.6 + apache, passenger
Hi! I'm testing Puppet 2.6 and got all the basic stuff working with the default webricks. I read that it doesn't scale very well and is not suited for production environments and the recommended setup is Apache/ Passenger. Is there a step-by-step-guide on how to set it up? Any help is very appreciated. Regards, Freddie
2011 Apr 14
10
allow_duplicate_certs = true not working?
I saw this feature became available in 2.7.0rc1 and wanted to try it out. I entered 'allow_duplicate_certs = true' on both my master and agent systems in the puppet.conf (not sure if it's needed in both, saw it in genconf for puppetd and puppetmasterd though ...). I also have autosign.conf configured to allow autosigning for our domain (*.domain.com). I had my agent register with
2011 Dec 16
12
Separate CA's/Master behind load balancer
Hello, Attempting to setup a CA primary/standby as well as separate puppetmaster servers (all running Apache/Passenger) behind another Apache/Passenger type load balancer. Clients are not getting certs:- err: Could not request certificate: Could not intern from s: nested asn1 error Clearly an SSL issue but not something I know a great deal about. loadbalancer.conf # Puppet Load Balancing
2011 Dec 01
3
Announce: Puppet 2.7.8rc1 available
...Redmine site, using an affected version of 2.7.8rc1 http://projects.puppetlabs.com/projects/puppet Documentation is available at: http://docs.puppetlabs.com/index.html # 2.7.8rc1 ##10739 Provide default subjectAltNames while bootstrapping master Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set, puppet would add default subjectAltNames to any non-CA cert it signed, including agent certs. The subjectAltNames were of the form: DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain> The fix for #2848, prevented subjectAltNames from ever being implicitly a...
2008 Dec 18
3
errors after 0.24.7 upgrade ..
...rlog = $logdir/puppetmaster.log manifestdir = /opt/puppet/manifests bucketdir = /opt/puppet/bucket autoflush = true logdir = /var/log/puppet ssldir = $vardir/ssl factpath = $vardir/lib/facter vardir = /var/lib/puppet rundir = /var/run/puppet pluginsync = true certdnsnames = puppet:< removed > report = true configtimeout = 300 puppetdlog = $logdir/puppetd.log splaylimit = 1800 splay = true runinterval = 3600 ca_port = 8145 [puppetmasterd] storeconfigs = true dbadapter = mysql dbname = puppet dbuser = puppet dbpass...
2011 Jan 13
5
Problem restarting the agent
Just installed Puppet 2.6.4 on Ubuntu 10.10 I was trying to restart the puppet agent but got the following error and the agent didn't run: $ sudo puppetd --server server.domain.com --waitforcert 60 --test err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed warning: Not using cache on failed
2009 Jun 10
2
Moving to new puppetmaster - certificates
Unfortunately I haven't been able to find anything in the docs... I just built a new puppetmaster to replace my testing install on an old box. The hostname is different, and obviously the master certificates are different. What needs to be done to the clients to get them to play nice with the new box? Thanks, Jason Antman
2010 Jun 20
8
bringing puppet into production
Hi everyone, I’ve been working on getting puppet set up for our systems for the past week, and all has gone well in learning about writing manifests, but now that I’m ready to set it into production, I realize that it’s still unclear to me exactly how that’s supposed to go. For instance, during testing it has always been that I manually started and stopped puppetd and puppetmasterd on their