similar to: How to update CA cert?

Displaying 20 results from an estimated 70000 matches similar to: "How to update CA cert?"

2011 Jan 18
3
Failed SSL with CNAME'd puppetserver
Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain, and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer to balance over some 10 puppetmaster processes. The configured SSLCertificateFile in Apache is that of puppet-new.domain. How do I get a node to stop complaining when connecting to puppet-old.domain (ending up at puppet-new.domain through the CNAME)?
2011 Jan 24
2
Puppet master cannot connect to self
Hi, I have the annoying problem that the puppet master cannot connect to itself. It fails with: puppet# puppetd --test err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert decrypt error History: I have had this problem on our old puppet server: puppet.domain.com. It was annoying but not critical. Recently I built a new
2012 May 17
0
puppet cert first run doesn't encrypt ca private key but puppet ca does?
Can anyone validate this? I am attempting to run the puppet cert/ca standalone commands. I am running from an unchanged master branch and if I run (simplified for the example): puppet cert generate host the resulting ca_key.pem is not encrypted. If I run: puppet ca generate host the resulting ca_key.pem is encrypted. In both cases the ca.pass file is created but the code path through cert does
2010 Jun 18
1
problems with puppetmaster using intermediate CA cert
Hi, I'm trying to develop a manifest to set up a new puppet master. To solve the SSL certificates I've created a root CA outside of puppet, and have generated an intermediate CA for the new puppet master to use. I've also configured my puppetmaster daemon to use its own ssl directory. So the new puppetmaster is at the same time a client of the old puppet
2009 Jun 24
1
puppetrun and certs - CA certdnsnames?
Hi, I'm rolling out a new Puppet install and am having some problems with certs. I've googled and read the docs but can't find anything. Almost all boxes on the network are dual-homed, with a primary network (VLAN, /27 subnet) for public data and an admin/management network for backups and other backend stuff. All hosts have a primary interface on the main network (and
2012 Dec 17
0
puppet-dashboard install not generating 'dashboard' cert
Hello, I'm trying to get puppet-dashboard installed on a CentOS 6.3 machine running puppet v3.0.1. I'm following the puppet-dashboard documentation here: http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html In the documentation page linked above, it says: Puppet uses SSL certificates to control who can make requests to the puppet master, so Dashboard has
2012 Sep 06
1
Puppet master cert names
When I did my initial testing, I was running puppet on a network with an existing dhcp server. The puppet master received its ip from that server. On the puppet master I ran my own dhcp server with next-server configured to point to the puppet master and to deny unknown hosts. This allowed me to use cobbler for just the specific machines I wanted to. Everything worked fine. Now
2011 Oct 04
1
per host/node ssl key cert info
Hi, Are people using puppet to store/deploy SSL key/cert info? My scenario is that I've got a bunch of nodes/hosts that are using Shibboleth with each host having its own SSL cert and key. I know I can ensure the relevant packages are installed and that the configs are consistent across said nodes, but I don't know: A) If people are using puppet to store the certs/keys for
2012 Feb 27
1
Using puppet cert generate on a client -- why doesn't this work?
I'm running a two headed puppetmaster and have disabled crl's. Let's call them the primary and the secondary. The primary and secondary both use the primary as their master. The secondary only is used when the primary isn't responding (I wrap the puppetd call in cron with a short shell script). I'm managing these ca files on the masters, pushing
2012 Oct 29
1
intercept/pre-process cert request?
I'm assuming this is possible, but I can't find a good starting point anywhere, so I'm hoping someone here can help. What I want to do is, somewhere in the cert approval process, run an extra check before saying yes. I have a puppet master running with auto sign turned on, I bring up a puppet agent, it connects, authenticates and all is good. What I'd like
2013 Apr 18
2
How to remove a node from Puppet CA, Puppet DB from a remote host
I need to programmatically remove cert from Puppet master and remove all information in Puppet DB for a node from another machine which is neither Puppet Master or PuppetDB. It does have a Puppet signed cert since it is also provisioned using Puppet. I can't find any decent documentation on this. I am using the Community Edition. Any pointers / help is appreciated. Rajul
2011 Jan 25
5
puppet ca: Invalid method to apply
What does this message mean: [root@pirates puppet]# rm -rf /var/lib/puppet/ssl/ [root@pirates puppet]# puppet cert --version 2.6.3 [root@pirates puppet]# puppet cert notice: Signed certificate request for ca notice: Rebuilding inventory file Invalid method to apply It seems to have created the ca and other things just fine. Thanks, Mohamed.
2011 Jul 29
2
Odd SSL issue - host not showing with puppet cert --list --all
Hi, Just wondering if anyone had any similar issues OR ideas on troubleshooting the following problem. I have a client/node registered to the puppet master and it is working without any issues. On the server I can see it compile the catalog in the logs. However when I run 'puppet cert --list --all' it is not in the list. Note we use auto signing
2010 Jun 29
2
CA issues...
OK... I started seeing some issues with the certificates between my clients and the puppetmaster. So I went ahead and removed puppet from the clients and cleaned up /var/lib/puppet and /etc/puppet. Then I reinstalled puppet, signed the new cert and things seemed to go OK after that. Then the shocker the second run started to fail and I have this message: [root@atlcnag0 ~]# puppetd --test
2011 Mar 31
2
Custom Puppet CA?
Can someone, anyone, help me understand what it takes -- if indeed it's even possible -- to use a custom CA with puppetmasterd. Such that, for every client it signs, the cert for that client actually says something meaningful about my organization, and was ultimately signed by our own root CA. I made a valid sub-CA for my puppet server, signed by my organization's root CA. I
2012 Jun 14
2
Forbidden request: puppetagent1.example.com(192.168.1.101) access to /certificate_revocation_list/ca [find] at line 99
Puppet version: 2.7.14 Puppet master behind apache with mod_proxy load balancer. I am able to authenticate with the cert as per these headers: Accept: s X-SSL-Subject: /CN=puppetagent1.example.com X-Client-DN: /CN=puppetagent1.example.com X-Client-Verify: SUCCESS Any idea what this error means? I share my ssl dir on the load balancer and the puppet master.
2012 Oct 15
3
Puppet 3 and master cert error ...
Hey all, after installing the 3.0.0 version of puppet (debian package from puppetlabs), doing the initial config, doing an initial start of master to generate the certs needed and then starting apache with passenger to control puppetmaster. I can do: puppet ca list --all and get a listing of the certs in the system (initially only the master). afterwards, on the client node, I run: puppet
2008 Nov 25
1
Some cert problem
Bunch of weird stuff after a power failure here this morning. One of my virtual servers, managed through puppet, seems to not be talking to the master any more. And I can't get it to reconnect. I did puppetca --clean on the master, cleaned off certs on the client, started puppetd manually on the client, and got this: sh-3.2# rm -rf /var/lib/puppet/ssl/ sh-3.2# puppetd --server
2009 Apr 20
2
CA different than hostname?
I'm trying to set up a puppetmaster, and I've got a couple of questions. The first is a design question. Since I expect to eventually have multiple puppetmaster servers, I'd like to name this one to be named puppet1.example.com. But I'd like my clients to connect via a cname as puppet.example.com. Is this pretty standard? Is there some more common way?
2007 Nov 02
1
Interaction bug between Puppet CA and mod_ssl
Hello Puppet Users, I have encountered an interaction problem between the Puppet CA and Apache mod_ssl, when the Puppet CA configuration files are moved. By default Puppet CA and the Puppet client share the same location for their configuration files, $vardir/ssl. If this is changed so that they use different directories, and Apache mod_ssl is being used like in the Mongrel configuration, then