Nan,

The puppet master is running on a machine called admin. We have a cname that resolves puppet.bar.com to admin.baz.bar.com. I've checked the certificate and it shows the following:

    Subject: CN=admin.baz.bar.com
    X509v3 Subject Alternative Name:
        DNS:puppet, DNS:admin.baz.bar.com, DNS:puppet.baz.bar.com

I added the following line to /etc/puppet/puppet.conf and restarted the puppet master:

    certdnsname = puppet:puppet.bar.com:admin.baz.bar.com

Restarting the puppet master with the certdnsname option set did not change the certificate in /var/lib/puppet/ssl/certs/admin.baz.bar.com at all. My understanding from the documentation is that the issue was with ca.pem. Is that not the case? Is there some trick to get puppet to regenerate the certs properly? From what I've been able to find, this seems to be at least partially related to Bug #4226.

Please let me know what I can do to get puppet to work with passenger, as we're rapidly approaching the point where we'd like to roll this out, but WEBrick isn't going to satisfy our needs.

On Tue, Sep 14, 2010 at 2:02 PM, Nan Liu <[email protected]> wrote:
> On Tue, Sep 14, 2010 at 9:35 AM, M C <[email protected]> wrote:
>
>> I'm trying to use puppet with passenger as well. I'm running puppet 2.6.1
>> and I'm running into the issue mentioned under the troubleshooting section
>> of http://projects.reductivelabs.com/projects/puppet/wiki/Using_Passenger.
>> The instructions there are very vague. I've tried adding the ca_name
>> setting to puppet.conf on the puppet master, but it doesn't seem to have any
>> effect. I took a look at
>> http://docs.puppetlabs.com/references/stable/configuration.html and there
>> does not appear to be a ca_name option. On the other hand, there is a
>> certname option. When I set this option to something like
>> "ca-foo.bar.com" and restart the puppet master, I do see a new certificate
>> generated; however, I get errors on the client side stating that the cert is
>> incorrect: "Could not retrieve catalog from remote server: hostname was not
>> match with the server certificate". Any suggestions?
>>
>
> What's the output of puppetd --genconfig | grep "server =" ? By default
> puppet agent connects to the puppet master named "puppet".
>
> Try setting certdnsname=puppet:puppet.bar.com (include the output of
> server =... if it's not puppet). I'm guessing the client is resolving
> the puppet master through a DNS cname, puppet.bar.com => ca-foo.bar.com. The
> certificate X509v3 Subject Alternative Name should include all possible DNS
> cnames for the puppet master.
>
> You can examine the puppet master certificate using the command:
>
>     openssl x509 -text -in /var/lib/puppet/ssl/certs/${puppetmaster_fqdn}.pem
>
> certname configures the certificate CN= and in your case should display:
>
>     Subject: CN=ca-foo.bar.com
>
> certdnsname configures the following section:
>
>     X509v3 Subject Alternative Name:
>         DNS:puppet, DNS:puppet.bar.com
>
> Thanks,
>
> Nan
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<puppet-users%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
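The hostname check that produces "hostname was not match with the server certificate" can be modelled to see why the master certificate quoted above fails for a client that connects to puppet.bar.com. The following is an added example, not code from the thread or from Puppet itself; it assumes the standard SAN-first matching rule (DNS SANs are authoritative when present, the CN only counts for a certificate without any DNS SAN) and uses the CN, SAN list and certdnsname value quoted in the thread as constructed sample input.

```python
def parse_certdnsname(value):
    """Split a puppet.conf certdnsname value ("a:b:c") into the list of DNS SANs it asks for."""
    return [n.strip() for n in value.split(":") if n.strip()]


def _dns_match(pattern, host):
    # Case-insensitive comparison; a single leading "*." covers exactly one label.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host.endswith("." + base) and "." not in host[: -len(base) - 1]
    return pattern == host


def cert_matches_host(cn, sans, host):
    """True if the name the agent connects to is covered by the server certificate.

    sans is a tuple of (type, value) pairs as returned by ssl.getpeercert().
    When the certificate carries DNS SANs, only those are consulted; the CN is
    used as a fallback only for a certificate with no DNS SAN at all.
    """
    dns_names = [value for (kind, value) in sans if kind.upper() == "DNS"]
    if dns_names:
        return any(_dns_match(name, host) for name in dns_names)
    return _dns_match(cn, host)


def missing_san_for(cn, sans, certdnsname):
    """Names requested via certdnsname that the current certificate does not cover."""
    return [n for n in parse_certdnsname(certdnsname) if not cert_matches_host(cn, sans, n)]


# Constructed sample input: the master certificate as quoted in the thread.
MASTER_CN = "admin.baz.bar.com"
MASTER_SANS = (
    ("DNS", "puppet"),
    ("DNS", "admin.baz.bar.com"),
    ("DNS", "puppet.baz.bar.com"),
)
REQUESTED = "puppet:puppet.bar.com:admin.baz.bar.com"

if __name__ == "__main__":
    for host in ("puppet", "puppet.bar.com", "admin.baz.bar.com"):
        print(f"{host:20s} -> {cert_matches_host(MASTER_CN, MASTER_SANS, host)}")
    # The cname name the agents actually use is the one the certificate lacks.
    print("missing from SAN:", missing_san_for(MASTER_CN, MASTER_SANS, REQUESTED))
```

Run against the values from the thread it reports that puppet.bar.com is the only requested name absent from the SAN list, which is exactly the name the cname hands to the agents.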
