Issue #15697 has been updated by Corey Hickey.

We ran into this bug with puppet-2.7.17 in the context of trying to set up a 
CNAME puppet.example.com that pointed to dpuppet01.example.com; it failed the 
certificate check.

<pre>
/usr/sbin/puppetd --server=puppet.example.com --waitforcert=500 --environment=development --report --onetime --no-daemonize --verbose --onetime --no-daemonize --detailed-exitcodes
[...]
err: /File[/var/lib/puppet/lib]: Could not evaluate: Server hostname 'puppet.example.com' did not match server certificate; expected ca
[...]
</pre>

Our certificate has puppet.example.com as an ALT name and all was well with 
openssl s_client.

When we put 'server = puppet.example.com' into the [agent] section of 
puppet.conf, it worked fine.

----------------------------------------
Bug #15697: --server option is not overriding the puppet.conf settings
https://projects.puppetlabs.com/issues/15697#change-87247

* Author: Gerard Hickey
* Status: Needs More Information
* Priority: Normal
* Assignee: Gerard Hickey
* Category: 
* Target version: 
* Affected Puppet version: 
* Keywords: 
* Branch: 
----------------------------------------
On Monday I had a call with Gary Larizza, Nan Liu, and Arnan Outhaythip to look 
at a problem that I have been having with getting a pool of puppet masters 
running. From that call they asked that I submit this bug report. 

I am currently running Puppet open source 2.7.14 which I downloaded from 
yum.puppetlabs.com:/el/6Server/products/x86_64

The planned implementation currently is 3 puppet masters (listed below) running 
behind an F5 load balancer. The load balancer responds as 
puppet.vip.slc.ebay.com. Currently the first puppet master is also serving as 
the CA.

Puppet masters: 
        slc4b01c-713269.stratus.slc.ebay.com
        slc4b01c-713343.stratus.slc.ebay.com
        slc4b01c-7292.stratus.slc.ebay.com

Pertinent DNS entries:
        puppet.vip.slc.ebay.com.              300   IN  A      10.89.64.100
        puppet-ca.vip.ebay.com.               300   IN  CNAME  slc4b01c-713269.stratus.slc.ebay.com.
        slc4b01c-713269.stratus.slc.ebay.com. 3600  IN  A      10.94.12.44

Because of issues with the configuration of the load balancer, I have had to 
start doing my testing with the --server argument on the agent command line 
until the load balancer issues can be resolved. 

The original problem that triggered the call is that whenever I had an agent 
connect to a master it would error out with the following message:

err: Could not retrieve catalog from remote server: Server hostname 
'puppet-ca.vip.ebay.com' did not match server certificate; expected one of 
slc4b01c-713269.stratus.slc.ebay.com, DNS:puppet, DNS:puppet.vip.slc.ebay.com, 
DNS:slc4b01c-713269.stratus.slc.ebay.com
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Working with Gary, Nan and Arnan, we found that if the puppet.conf was updated 
with the physical hostname of the puppet master (i.e. 
slc4b01c-713269.stratus.slc.ebay.com) instead of the VIP address 
(puppet.vip.slc.ebay.com), then the agent would connect correctly and there 
would not be a mismatch with the hostnames for the cert. 

For the short term I will run with physical names until this issue is resolved 
and released in the open source version. 
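As an added illustration (not code from the reporters or from Puppet itself): a Ruby script that builds a self-signed certificate carrying the CN and DNS SANs listed in the error message above, then asks Ruby's OpenSSL identity check, which Puppet's agent relies on, which server names it covers. The CNAME name puppet-ca.vip.ebay.com is rejected because it is absent from that list; the key, serial and validity period are constructed for the example.

```ruby
require 'openssl'

# Constructed example: the CN and DNS SANs from the "expected one of" list
# in the bug report above (not a real certificate).
MASTER_CN   = 'slc4b01c-713269.stratus.slc.ebay.com'
MASTER_SANS = ['puppet', 'puppet.vip.slc.ebay.com', MASTER_CN]

# Build a throwaway self-signed certificate with the given CN and DNS SANs.
def build_master_cert(cn, sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san_value = sans.map { |s| "DNS:#{s}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san_value))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Names the certificate asserts, in the same shape as Puppet's error message:
# the subject CN first, then each "DNS:..." alternative name.
def cert_names(cert)
  names = [cert.subject.to_a.find { |oid, _, _| oid == 'CN' }[1]]
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  names += san.value.split(',').map(&:strip) if san
  names
end

# For each server name an agent might use (a VIP, a CNAME, a physical host),
# report whether the certificate identity check accepts it.
def check_server_names(cert, servers)
  servers.to_h { |s| [s, OpenSSL::SSL.verify_certificate_identity(cert, s)] }
end

if $PROGRAM_NAME == __FILE__
  cert = build_master_cert(MASTER_CN, MASTER_SANS)
  puts "certificate names: #{cert_names(cert).join(', ')}"
  check_server_names(cert, ['puppet.vip.slc.ebay.com', 'puppet-ca.vip.ebay.com']).each do |server, ok|
    puts "#{server}: #{ok ? 'matches' : 'did not match server certificate'}"
  end
end
```

Running the same check against the real master certificate (loaded with OpenSSL::X509::Certificate.new(File.read(path))) shows which names a CNAME or VIP must be added to as a dns_alt_name before agents are pointed at it.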

