SSL – puppet server hostname does not match certificate – can't authenticate.

Tags: authentication, puppet, puppetmaster, ssl

I know this question has been asked before in many different variants. I read all the posts related to the problem but I cannot get agent and master talking to each other. I booted up 2 VMs via VMware Workstation, both running Linux Mint 17.

I'll start this thread by showing what my /etc/hosts and /etc/hostname look like on the client and on the puppetmaster.

In my client's VM, /etc/hostname looks like the following:

puppetclient

My client's VM's /etc/hosts looks like the following:

127.0.0.1 localhost
127.0.1.1 puppetclient
192.168.75.143 puppetmaster

In my master's VM, /etc/hostname looks like the following:

puppetmaster

My master's VM's /etc/hosts looks like the following:

127.0.0.1 localhost
127.0.1.1 puppetmaster
192.168.75.144 puppetclient

My /etc/puppet/puppet.conf on my master looks like the following:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

My /etc/puppet/puppet.conf on my client looks like the following:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
server=puppetmaster

I have tried many variants of puppet.conf during my search and I don't feel like posting them all here. One of the variants is to have server=puppetmaster in [main] on both my client's and my master's VM. Anyway, for all the puppet.conf variants I tried, my first error when I run sudo puppet agent --test is always "warning: unable to fetch my node definition, but agent run will continue"; the error after that is different for each variant of puppet.conf I implement. Can anyone tell me the right configuration for my setup?

Thanks

Best Answer

It seems that you installed and ran your puppet master first and then changed the hostname.

On the puppet master execute: puppet config print certname. This will show the certname your master uses. It should be equal to your hostname.

You can verify whether the common name in the master's certificate matches your hostname:

openssl x509 -noout -subject -in $(puppet config print ssldir)/certs/$(puppet config print certname).pem

Also, I recommend using the FQDN in the puppet configuration. If the hostname differs, the easiest way is just to remove or rename the SSL dir:

mv $(puppet config print ssldir){,_}

And restart your puppet master. You'll need to do that on the client node as well, because the CA will change.
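A consistency check in the spirit of the answer above, added here as an example and not part of the original post: it compares the certname Puppet reports, the host's FQDN and the CN of the master's certificate on disk, which are the three values that drift apart when a master is renamed after its certificate was issued. The `cn_from_subject` and `certname_consistent` helper names are my own; the `puppet config print` and `openssl x509` commands are the ones from the answer, and the live check only runs where both tools are installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certname Puppet
# uses, the host's FQDN and the certificate CN all agree. Helper names are
# assumptions of this example, not Puppet commands.

# Extract the CN from an `openssl x509 -noout -subject` line. Accepts both the
# OpenSSL 1.0 layout ("subject= /O=Puppet/CN=host") and the 1.1+ layout
# ("subject=O = Puppet, CN = host").
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Succeeds only when certname, hostname and certificate CN are identical.
# $1 = output of `puppet config print certname`, $2 = this host's name,
# $3 = CN taken from the certificate file.
certname_consistent() {
    [ "$1" = "$2" ] && [ "$1" = "$3" ]
}

# Live check, run only where puppet and openssl are present (the same two
# commands the answer uses); otherwise the file just defines the helpers.
if command -v puppet >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    certname=$(puppet config print certname)
    ssldir=$(puppet config print ssldir)
    fqdn=$(hostname -f 2>/dev/null) || fqdn=$(hostname)
    subject=$(openssl x509 -noout -subject \
        -in "$ssldir/certs/$certname.pem" 2>/dev/null) || subject=""
    cn=$(cn_from_subject "$subject")
    if certname_consistent "$certname" "$fqdn" "$cn"; then
        echo "OK: certname, FQDN and certificate CN all read '$certname'"
    else
        echo "MISMATCH: certname='$certname' fqdn='$fqdn' cert CN='$cn'" >&2
        echo "Rename the ssldir on master and agents so certificates are re-issued." >&2
    fi
fi
```

Run it on the master first; if it reports a mismatch, the `mv $(puppet config print ssldir){,_}` step from the answer is the fix, and the same check run on the agent afterwards confirms that the new certificate was issued under the right name.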