Issue #11431 has been updated by Jo Rhett.
FYI, I think there might be a very basic issue at the core of this. We use a different vardir for the server than for the client. It would appear that running puppet as the user gets a different configuration than running it as root. I'm not quite sure why that is.

If "puppet kick" needs the server's key file, then I believe that the appropriate fix is to read the [server] part of the configuration file no matter which user is invoking it.

----------------------------------------
Bug #11431: puppet kick failing with "hostname not match with the server certificate" unless ssldir is specified
https://projects.puppetlabs.com/issues/11431#change-67178

Author: Jo Rhett
Status: Accepted
Priority: Normal
Assignee:
Category: agent
Target version:
Affected Puppet version: 2.6.12
Keywords:
Branch:

When we last tried out puppet kick, we just did:

<pre>
puppet kick -t tag $host1 $host2
</pre>

…from any host listed in the “path /run” part of auth.conf. We finally cleaned up to use tags instead of environments, went to roll out the new changes and found that the exact same commands now return:

<pre>
Host (hostname) failed: hostname not match with the server certificate
</pre>

We have found that puppet kick now works only from hosts which can mount the puppet server’s var directory and specify it on the command line:

<pre>
puppet kick -t tag --ssldir=/(server’s)/puppet/var/ssl $host
</pre>

puppet.conf on master

<pre>
[main]
ssldir = $vardir/ssl

[master]
vardir = /nas/puppet/var
</pre>

Old description of ticket:

The page at http://docs.puppetlabs.com/man/kick.html says

> You will most likely have to run 'puppet kick' as root to get access to the
> SSL certificates.

Please document which certificates that puppet kick uses. Does it need to read the server's CA cert, or the individual hostname certs? I have found that it needs access to the ssldir of the server, not the client from where you are running kick.

To avoid having to add --ssldir or --vardir to every puppet kick invocation, it would help if we can put this in a section of the puppet.conf file. Can we do something like this? (my example below doesn't appear to work.)

<pre>
[kick]
vardir = /servers/var/dir
</pre>
