The change in the Ruby SSL library broke puppet in the case that you connect your clients via a different IP and FQDN than the internal hostname of the server running the puppetmaster (e.g. a backend network).

This article gives a quick summary of what needs to be done and, at the end, some extra pointers you might look at in case you're still having problems. The puppet version this article refers to is (the apt-get) version 0.20.1.

Server side

Remove the ssl directory.

(or mv if you like)

Then regenerate the certificates and keys.

Rename the pem files.

Client side

Remove the ssl directory.

Make the client request a certificate and test the connection to the server.

Adjust your ‘server=’ entry for the client (in puppetd.conf) into the full name

Run the puppets (clients) with puppetd -v to see if the "no certificate" messages stay away, so you know all is in order. After that, start the daemons as usual via your init.d scripts.

Gotcha 1

Make sure you have no short aliases in /etc/hosts for the server, because they might be used and still break the SSL connect. Only put in the full name like so:

and not like so:

Gotcha 2

Make sure you adjust the server name to its FQDN notation in your manifests, because that can also cause problems.
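A small check for the hostname side of both gotchas above, added here as an example and not part of the original post: it flags short (non-FQDN) aliases for the puppetmaster in an /etc/hosts body and verifies that the client's 'server=' entry in puppetd.conf is the full name. The file contents are constructed samples, and the FQDN and IP are assumptions.

```python
import re

PUPPETMASTER_FQDN = "puppet.backend.example.com"   # assumed name
PUPPETMASTER_IP = "10.0.0.5"                       # assumed backend IP

def hosts_aliases(hosts_text, ip):
    """Return every name mapped to `ip` in an /etc/hosts body (comments stripped)."""
    names = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            names.extend(fields[1:])
    return names

def short_aliases(hosts_text, ip):
    """Names for `ip` that are not fully qualified (no dot) - Gotcha 1."""
    return [n for n in hosts_aliases(hosts_text, ip) if "." not in n]

def configured_server(conf_text):
    """Value of the 'server=' key in a puppetd.conf body, or None if absent."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*server\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def check(hosts_text, conf_text, fqdn, ip):
    """Collect readable problems; an empty list means the names look right."""
    problems = []
    for alias in short_aliases(hosts_text, ip):
        problems.append(f"/etc/hosts: short alias '{alias}' for {ip}; keep only {fqdn}")
    server = configured_server(conf_text)
    if server != fqdn:
        problems.append(f"puppetd.conf: server={server!r}, expected server={fqdn}")
    return problems

# Constructed samples: first the broken shape the post warns about, then the fixed one.
BAD_HOSTS = f"{PUPPETMASTER_IP}  {PUPPETMASTER_FQDN}  puppet   # short alias\n"
BAD_CONF = "[puppetd]\nserver = puppet\n"
GOOD_HOSTS = f"{PUPPETMASTER_IP}  {PUPPETMASTER_FQDN}\n"
GOOD_CONF = f"[puppetd]\nserver = {PUPPETMASTER_FQDN}\n"

if __name__ == "__main__":
    for problem in check(BAD_HOSTS, BAD_CONF, PUPPETMASTER_FQDN, PUPPETMASTER_IP):
        print(problem)
```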

That’s all folks …