On Thursday, April 19, 2018 at 6:44:57 PM UTC-5, empb...@gmail.com wrote:
>
> Hello guys,
>
> At my place of work we have some computer labs. In these laboratories each 
> computer has the operating systems Windows and Linux. Both systems are in 
> our AD domain.
>
> I did a lab of tests and I have a functional puppet server. I put some 
> nodes as root of the system. Everything is working perfectly.
>
> When I log in with a domain user on Linux machines and run the "puppet 
> agent -t" command, a new certificate is generated, but an error occurs 
> stating that it does not match the server's certificate.
>
> How can I get around this and make it always the same certificate?
>


It sounds like your machines use the same hostname whether they are running 
Windows or Linux.  This makes sense from a physical perspective, but not 
from a logical one -- one of your machines has very different 
characteristics when running Windows than it does when running Linux.

In any case, the Puppet installations on Windows and Linux are separate and 
do not share data (by default), so each manages its own certificate.  In 
that sense, they absolutely are distinct machines from Puppet's 
perspective.  By default, however, Puppet uses machines' hostnames as their 
certificate names, so if you have two machines with the same hostname then 
their certificates will collide.  It will also happen if you rebuild / 
re-image your machines without preserving their certificates, but reusing 
the same hostnames.

You have several options for working around that, among them:

   - Give your machines different hostnames for Windows and Linux.  The 
   easiest way to do that might be to add "-linux" and / or "-windows" 
   suffixes to the hostnames you are using now.  Then each personality of each 
   machine has a distinct name, and everything should just work.
   - Use the 'certname' setting in your machines' Puppet configuration (
   [main] section) to assign a unique certname to each personality of each 
   machine.  Perhaps you could use a pattern similar to the one I suggested 
   for unique hostnames.
   - You could also arrange for your machines to share their certificates 
   between their two personalities, either by copying them or by putting them 
   in a place that both personalities can access.  I have several technical 
   reasons to dislike this alternative, and I don't recommend it, but having 
   understood the problem, you probably would have thought of it anyway.

 John
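
The second option in the reply above (a unique 'certname' in the [main] section for each personality), as an added example that is not part of the original message or of Puppet itself: a script for the Linux side that derives the certname from the hostname and stores it with `puppet config set`. The function name `make_certname`, the `--apply` switch, the "-linux" suffix placement and the sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a per-OS Puppet certname such as lab01-linux.example.com
# so the Linux and Windows installs of one dual-boot machine never request
# certificates under the same name.

# make_certname FQDN SUFFIX -> prints "<host>-<SUFFIX><.domain>", lowercased.
# Returns 1 if the result falls outside a conservative character set.
make_certname() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    suffix=$2
    host=${fqdn%%.*}
    [ -n "$host" ] || return 1
    case "$fqdn" in
        *.*) domain=.${fqdn#*.} ;;
        *)   domain= ;;
    esac
    # Idempotent: a hostname that already carries the suffix is left alone.
    case "$host" in
        *-"$suffix") name=$host$domain ;;
        *)           name=$host-$suffix$domain ;;
    esac
    # Lowercase letters, digits, '.', '_' and '-' only (assumed policy).
    case "$name" in
        *[!a-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Only touches the Puppet configuration when invoked with --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    name=$(make_certname "$(hostname -f)" linux) || {
        echo "hostname is not usable as a certname" >&2
        exit 1
    }
    # Writes "certname = <name>" into the [main] section of puppet.conf.
    puppet config set certname "$name" --section main
    echo "certname set to $name"
fi
```

After applying it, the next `puppet agent -t` run requests a certificate under the new name, which then has to be signed on the server like any new node.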
