Puppet – How to Add Multiple DNS Names to Puppetmaster


My puppet.conf on the master:

[master]
certname = myname.mydomain.com
ca_server = myname.mydomain.com
certdnsnames = puppet;puppet.local;myname.dyndns.org;hivemind.local;

As I understand it, with certdnsnames defined the following should work:

puppet agent --server myname.dyndns.org --test

But I get the following error:

err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

How do I avoid this error? How do I correctly define certdnsnames? I have found different documentation about this, but no simple example. If I use "," for separation I cannot sign at all.
I have also seen a syntax like

certdnsnames = puppet:puppet.intra.myserver.fr,puppet.myserver.fr:puppet,puppet:puppet,puppet.intra.myserver.fr,puppet.myserver.fr

http://projects.puppetlabs.com/issues/5776

But for me it's not clear when to add a "puppet:" and when not.

Best Answer

For the benefit of anyone else who stumbles upon this answer:

Due to CVE-2011-3872, Puppet no longer supports the certdnsnames option. From the documentation:

The certdnsnames setting is no longer functional, after CVE-2011-3872. We ignore the value completely. For your own certificate request you can set dns_alt_names in the configuration and it will apply locally. There is no configuration option to set DNS alt names, or any other subjectAltName value, for another nodes certificate. Alternately you can use the --dns_alt_names command line option to set the labels added while generating your own CSR.

You can generate an SSL certificate for your server using subjectAlternativeName like this:

$ puppet cert generate <puppet master's certname> --dns_alt_names=<comma-separated list of DNS names>
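
After regenerating the master certificate, it is worth checking that the name agents pass to --server really appears among its DNS subjectAltNames, since a missing name produces the hostname mismatch error from the question. The script below is an added example, not part of the original question or answer: `san_covers` and `sample_cert_text` are hypothetical helper names, and the certificate text is a constructed sample (including the wildcard entry), not output from a real master.

```shell
#!/bin/sh
# san_covers NAME: reads `openssl x509 -noout -text` output on stdin and
# succeeds if NAME matches one of the certificate's DNS subjectAltNames.
san_covers() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$want" ] || return 1
    # The SAN values are on the line after the extension header.
    sans=$(sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr 'A-Z' 'a-z')
    # "dns:a, dns:b, ip address:..." -> one DNS name per line.
    names=$(printf '%s\n' "$sans" | tr ',' '\n' |
            sed -n 's/^ *dns:\([^ ]*\).*/\1/p')
    while IFS= read -r entry; do
        [ "$entry" = "$want" ] && return 0
        case "$entry" in
            '*.'*)  # a wildcard covers exactly one left-most label
                rest=${want#*.}
                if [ "$rest" != "$want" ] && [ "*.$rest" = "$entry" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Constructed sample of `openssl x509 -noout -text` output (not a real cert).
sample_cert_text() {
    cat <<'EOF'
        Subject: CN=myname.mydomain.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:myname.mydomain.com, DNS:puppet, DNS:puppet.local, DNS:*.hivemind.local
EOF
}

# Names an agent might pass to --server, checked against the sample.
for name in myname.mydomain.com puppet myname.dyndns.org; do
    if sample_cert_text | san_covers "$name"; then
        echo "$name: covered"
    else
        echo "$name: NOT covered (agent would reject this --server name)"
    fi
done
```

Against a real certificate, pipe `openssl x509 -in <path to the master's certificate> -noout -text` into `san_covers` in place of the sample.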