Issue #7333 has been reported by Ken Barber.
----------------------------------------
Bug #7333: certdnsnames are not being used correctly during puppetmasterd cert
generation
https://projects.puppetlabs.com/issues/7333
Author: Ken Barber
Status: Unreviewed
Priority: Normal
Assignee:
Category: installer
Target version:
Keywords: ssl
Branch:
Affected PE version: 1.0.0
So users may get this error after installation, when pointing a remote system
at the puppetmaster:
ertificate failure for localhost: Server name does not match certificate:
And when looking at the certificate using:
openssl x509 -in certificate.pem -noout -text
The aliases for the certificate do not match the server.
In the case where the alias is one of the items that you provided in the list
during installation of PE, the fault may be with the installer. In the
puppet-enterprise-installer script (line 1928) we are using this syntax to
generate the certificates:
run "/opt/puppet/bin/puppet cert --generate ${q_puppetmaster_certname?} --certdnsnames '${q_puppetmaster_certname?}:puppet' --verbose --color=false || true
However, this is not using the list we ask for earlier, i.e.
q_puppetmaster_certdnsnames?
So the line should be something like:
run "/opt/puppet/bin/puppet cert --generate ${q_puppetmaster_certname?} --certdnsnames '${q_puppetmaster_certdnsnames?}:puppet' --verbose --color=false || true
The workaround is to drop the certificates after creation:
rm -rf /etc/puppetlabs/puppet/ssl
And then regenerate manually with the above command:
/opt/puppet/bin/puppet cert --generate ${q_puppetmaster_certname?} --certdnsnames '${q_puppetmaster_certdnsnames?}:puppet' --verbose --color=false
(replacing variables manually)
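
Added example (not part of the original report or of the PE installer): a check that compares the Subject Alternative Name entries in the output of the openssl command above with the colon-separated certdnsnames list the certificate should carry. The function name missing_dnsnames, the host names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# missing_dnsnames EXPECTED_LIST
# Reads `openssl x509 -noout -text` output on stdin and prints, one per line,
# each name from the colon-separated EXPECTED_LIST that the certificate's
# Subject Alternative Name extension does not contain.
missing_dnsnames() {
    # The SAN values sit on the line after the extension header in the text
    # dump; keep only the DNS: entries and lowercase them, since DNS names
    # compare case-insensitively.
    sans=$(awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr 'A-Z' 'a-z')
    # Split the expected list on ':' and report every name with no exact match.
    printf '%s\n' "$1" | tr ':' '\n' | tr 'A-Z' 'a-z' |
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$sans" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: the text dump of a certificate generated with
# --certdnsnames '<certname>:puppet', i.e. without the list given at install time.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Subject: CN=master.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:master.example.com, DNS:puppet'

# The aliases that were requested (constructed), followed by ":puppet".
printf '%s\n' "$SAMPLE_CERT_TEXT" |
    missing_dnsnames 'master.example.com:puppet.example.com:puppet'

# Against a real certificate:
#   openssl x509 -in certificate.pem -noout -text | missing_dnsnames "$names"
```

Empty output means every expected alias is present in the certificate; any name printed is one that remote agents connecting under that name will fail to match.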