So a curious problem was discovered today and I'm not entirely sure if it's 
a puppet or a foreman issue, so I figured I'd break out the layout:

*The Design*
We have a foreman/puppet all-in-one server.  It has been set up in the 
domain samplecompany.com.  We are leveraging Foreman as an ENC, so if you 
follow the class roles/profiles structure, our profiles are defined in 
puppet, but our roles are handled by Foreman groups.  So we join a computer 
to a group in foreman and the appropriate profiles are applied.  Simple 
enough.

*The Culprit*
Enter the wildcard.  A wildcard entry was added to the domain as a CNAME. 
So *.samplecompany.com resolved to someserver.samplecompany.com.  In this 
case, said server had puppet and all the fixings in place.

*Triggering the Problem*
Enter the new computer.  Someone from somewhere deploys a new computer from 
an image, which then fires up on DHCP and the puppet agent kicks in.  Let's 
call it newserver.  Below is what I see happening:


   1. Newserver comes online and requests a certificate with the name 
   newserver.samplecompany.com (cool)
   2. foreman issues said certificate
   3. puppet run kicks off
   4. foreman/puppet applies the configuration for 
   someserver.samplecompany.com (!)
   5. foreman reports for the run show up in someserver.samplecompany.com 
   (!)
   
So basically, despite the correct certificate being issued, the server runs 
the _wrong_ set of profiles and the results get reported to the 
_wrong_ server.  The actual server (newserver) basically never appears 
as a host, and never gets audited properly until a DNS A record is added.

So the big question:  what?  Why is a system successfully getting a 
certificate with the correct name but then apparently doing some kind of 
IP/name validation?  Isn't the entire point of that certificate for 
identity?  Also, is that validation happening from puppet or foreman (as it 
determines the profiles as the ENC)?  Finally:  is this maybe a CNAME 
thing?  Would flipping it to A records fix this (doubt it ... but hey, let's 
ask).

Anyone run into this?
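A check worth running before a new host enrolls, added here as an example and not code from the thread or from the Puppet/Foreman projects: resolve the host's FQDN and a random label that cannot exist in the domain, and compare the answers. The zone contents, the `10.0.0.x` addresses and the `make_zone_resolver`/`check_enrollment_name` helpers are constructed for the example.

```python
"""Added example (not from the thread): detect whether a host's FQDN is answered
by a DNS wildcard. With *.samplecompany.com CNAME someserver.samplecompany.com,
newserver.samplecompany.com resolves to someserver until its own A record exists.
Test: resolve the candidate and a random label that cannot exist; if both end at
the same canonical name and address, the wildcard is answering for the candidate."""
import secrets
import socket

def system_resolver(name):
    """OS resolver (needs network): returns (canonical name, address) or None."""
    try:
        canonical, _aliases, addrs = socket.gethostbyname_ex(name)
        return canonical, addrs[0]
    except (socket.gaierror, IndexError):
        return None

def make_zone_resolver(zone):
    """Offline resolver over a constructed zone dict: name -> IPv4 literal (A
    record) or name -> name (CNAME); a '*.<domain>' key plays the wildcard."""
    def resolve(name, hops=0):
        name = name.lower().rstrip(".")
        if hops > 8:                       # CNAME loop guard
            return None
        record = zone.get(name)
        if record is None:                 # no exact record: fall back to the wildcard
            parent = name.partition(".")[2]
            record = zone.get("*." + parent) if parent else None
        if record is None:
            return None
        if record.replace(".", "").isdigit():      # A record: this name is canonical
            return name, record
        return resolve(record, hops + 1)           # CNAME: follow it
    return resolve

def check_enrollment_name(fqdn, resolve=system_resolver):
    """'missing': no record; 'wildcard': resolves to the same canonical name and
    address as a name that cannot exist (the wildcard, or its own target, answers);
    'ok': the name has a destination of its own."""
    own = resolve(fqdn)
    if own is None:
        return "missing"
    probe = "nx-" + secrets.token_hex(6) + "." + fqdn.partition(".")[2]
    return "wildcard" if resolve(probe) == own else "ok"

# Constructed zone mirroring the thread: wildcard CNAME plus one real A record.
SAMPLE_ZONE = {
    "*.samplecompany.com": "someserver.samplecompany.com",
    "someserver.samplecompany.com": "10.0.0.5",
}
```

With `SAMPLE_ZONE`, `check_enrollment_name("newserver.samplecompany.com", make_zone_resolver(SAMPLE_ZONE))` returns `"wildcard"`; adding an explicit A record for newserver flips it to `"ok"`.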
