On Thursday, September 14, 2017 at 9:20:48 PM UTC-7, Justin DynamicD wrote:
>
> So a curious problem was discovered today and I'm not entirely sure if
> it's a puppet or a foreman issue, so I figured I'd break out the layout:
>
> *The Design*
> We have a foreman/puppet all-in-one server. It has been set up in the
> domain samplecompany.com. We are leveraging Foreman as an ENC, so if you
> follow the class roles/profiles structure, our profiles are defined in
> puppet, but our roles are handled by Foreman groups. So we join a computer
> to a group in foreman and the appropriate profiles are applied. Simple
> enough.
>
> *The Culprit*
> Enter the wildcard. A wildcard entry was added to the domain as a CNAME.
> So *.samplecompany.com resolved to someserver.samplecompany.com. In
> this case, said server had puppet and all the fixings in place.
>
> *Triggering the Problem*
> Enter the new computer. Someone from somewhere deploys a new computer
> from an image, which then fires up on DHCP and the puppet agent kicks in.
> Let's call it newserver. Below is what I see happening:
>
> 1. Newserver comes online and requests a certificate with the name
>    newserver.samplecompany.com (cool)
> 2. foreman issues said certificate
> 3. puppet run kicks off
> 4. foreman/puppet applies the configuration for
>    someserver.samplecompany.com (!)
> 5. foreman reports for the run show up in someserver.samplecompany.com
>    (!)
>
> So basically, despite the correct certificate being issued, the server
> runs the _wrong_ file set of profiles and the results get reported to the
> _wrong_ server. The actual server (newserver) basically never appears
> as a host, and never gets audited properly until a DNS A record is added.
>
> So the big question: what? Why is a system successfully getting a
> certificate with the correct name but then apparently doing some kind of
> ip/name validation? Isn't the entire point of that certificate for
> identity?
> Also, is that validation happening from puppet or foreman (as it
> determines the profiles as the ENC)? Finally: is this maybe a CNAME
> thing? Would flipping it to A records fix this (doubt it ... but hey, let's
> ask).
>
> Anyone run into this?
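The thread describes two DNS conditions that together let a freshly imaged host be mistaken for another one: a wildcard record under the domain, and a new host that has no A record of its own. The check below is an added example written for this thread, not code from the original post or from Puppet or Foreman. It probes for a wildcard by resolving a random label that nobody would have created, then compares what a host's FQDN resolves to against the address the host actually holds. The resolver is passed in as a function so the example runs offline against a constructed zone; in real use you would pass `socket.gethostbyname`. The zone contents, the addresses and the `make_resolver` helper are all constructed for the example.

```python
"""Flag hosts whose forward DNS name is swallowed by a wildcard record.

Added example for the Foreman users thread above; not project code.
The resolver is injected so the logic can run offline (see make_resolver),
and in production you pass socket.gethostbyname in its place.
"""
import secrets
import socket
from typing import Callable, Dict, Optional, Tuple

# A resolver maps a name to an IPv4 string and raises socket.gaierror
# when the name has no address.
Resolver = Callable[[str], str]


def wildcard_target(domain: str, resolve: Resolver) -> Optional[str]:
    """Return the address unknown names under `domain` resolve to, or None.

    A random label is used so the probe cannot collide with a real record.
    If it resolves, the zone has a wildcard and that address is where any
    host without its own record will land.
    """
    probe = f"probe-{secrets.token_hex(8)}.{domain}"
    try:
        return resolve(probe)
    except socket.gaierror:
        return None


def classify_host(fqdn: str, own_ip: str, resolve: Resolver) -> Tuple[str, Optional[str]]:
    """Classify how `fqdn` resolves relative to the address the host holds.

    Returns one of:
      ("ok", ip)         the name resolves to this host
      ("no-record", None) the name does not resolve at all
      ("wildcard", ip)   the name resolves only because of a wildcard record
      ("mismatch", ip)   the name has a record, but it points somewhere else
    """
    domain = fqdn.split(".", 1)[1]
    try:
        resolved = resolve(fqdn)
    except socket.gaierror:
        return "no-record", None
    if resolved == own_ip:
        return "ok", resolved
    if resolved == wildcard_target(domain, resolve):
        return "wildcard", resolved
    return "mismatch", resolved


def make_resolver(zone: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed name -> address map.

    A key of the form "*.example.com" acts as a single-label wildcard,
    which is enough to model the CNAME-flattened situation in the thread.
    """
    def resolve(name: str) -> str:
        if name in zone:
            return zone[name]
        parent = name.split(".", 1)[1] if "." in name else ""
        wildcard = zone.get("*." + parent)
        if wildcard is not None:
            return wildcard
        raise socket.gaierror(f"no address for {name}")
    return resolve


# Constructed sample zone: someserver has its own record and the wildcard
# CNAME from the thread resolves, after flattening, to the same address.
# newserver (constructed address 10.0.0.20) has no record of its own.
WILDCARD_ZONE = {
    "someserver.samplecompany.com": "10.0.0.10",
    "*.samplecompany.com": "10.0.0.10",
}
FIXED_ZONE = dict(WILDCARD_ZONE, **{"newserver.samplecompany.com": "10.0.0.20"})

if __name__ == "__main__":
    # Live use would be: classify_host(socket.getfqdn(), own_ip, socket.gethostbyname)
    for label, zone in (("before A record", WILDCARD_ZONE), ("after A record", FIXED_ZONE)):
        status, ip = classify_host("newserver.samplecompany.com", "10.0.0.20", make_resolver(zone))
        print(f"{label}: {status} ({ip})")
```

Run on a node before it first contacts the master, a `wildcard` result is the signal that its name would be attributed to whatever the wildcard points at; `no-record` in a zone without a wildcard is the benign version of the same gap, fixed by adding the A record the thread ends up needing.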
