On Wed, 2010-04-21 at 15:58 -0700, Brian L. wrote:
> I apologize ahead of time if this post shouldn't go here, but I have
> been knocking my head for the last two days trying to get over the
> following error while trying to "clone" my primary puppetmasterd
> because we have outgrown one puppetmasterd setup.
>
> I have basically set up a 2nd instance of our primary puppetmasterd
> and rsync'ed over /var/lib/puppet/ssl/ from the primary to the
> secondary puppetmasterd. The client ran to completion (and recorded
> the log in /var/lib/puppet/report/) but the file copying statements
> were failing:
> (see log below)
>
> Failed to generate additional resources during transaction:
> Certificates were not trusted: hostname was not match with the server
> certificate
This error happens on the client when the master sends a server certificate whose CN doesn't match the server hostname. Certainly it sent the server certificate of puppetmaster1 while pretending to be puppetmaster2.

You can try to generate a new server certificate for puppetmaster2, signed by the puppetmaster1 CA. You can also change your puppetmaster1 certificate so that it contains the puppetmaster2 name in its subjectAltName extension (this is controlled by the certdnsname option), in which case the same certificate can be used on both masters.

To generate a new certificate it's as easy as (running on your puppetmaster1):

  puppetca --certdnsname "puppetmaster2.domain.com" --generate puppetmaster1.domain.com

You'll find the certificate in $ssldir/ca/signed and the pkey in $ssldir/private_keys.

It's working fine on 0.25 (I just tested it); I don't know if generate is supported on 0.24.6, though.

You can also do the same with several openssl commands, puppetca --generate is simply easier.
-- 
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
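The identity check behind the error quoted in the thread, as an added example that is not part of the thread or of Puppet's own code: the Ruby client runs OpenSSL::SSL.verify_certificate_identity after the TLS handshake (the "hostname was not match" text is that check's error string in the Ruby versions of the time), and it compares subjectAltName DNS entries when the certificate has them and the subject CN only otherwise, which is why an rsync'ed puppetmaster1 certificate fails for puppetmaster2 while one carrying both names in subjectAltName serves both masters. The hostnames and the self-signed certificates are constructed samples.

```ruby
require 'openssl'

# Build a self-signed test certificate (constructed sample, not a real
# puppetmaster cert). +cn+ is the subject CN; +san_names+ become the DNS
# entries of the subjectAltName extension, which is what --certdnsname adds.
def build_cert(cn, san_names = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = san_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The same identity check the Ruby client runs after the TLS handshake
# (OpenSSL::SSL::SSLSocket#post_connection_check): when the cert has
# subjectAltName DNS entries only those are compared, otherwise the CN.
def cert_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Which of the candidate master hostnames the certificate is valid for.
def accepted_hosts(cert, hostnames)
  hostnames.select { |h| cert_matches?(cert, h) }
end

MASTERS = %w[puppetmaster1.domain.com puppetmaster2.domain.com]

# The rsync'ed certificate: CN names puppetmaster1 only.
CLONED_CERT = build_cert('puppetmaster1.domain.com')
# Certificate regenerated with --certdnsname: both names in subjectAltName.
SAN_CERT = build_cert('puppetmaster1.domain.com', MASTERS)

if __FILE__ == $0
  puts "cloned cert valid for: #{accepted_hosts(CLONED_CERT, MASTERS).inspect}"
  puts "SAN cert valid for:    #{accepted_hosts(SAN_CERT, MASTERS).inspect}"
end
```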
