The change in the Ruby SSL library broke puppet in cases where your clients connect via a different IP and FQDN than the internal hostname of the server running the puppetmaster (e.g. over a backend network).

This article gives a quick summary of what needs to be done and, at the end, some extra pointers to look at in case you're still having problems. The puppet version this article refers to is (the apt-get) version 0.20.1.

Server side

Remove the ssl directory.

rm -rf /etc/puppet/ssl

(or mv if you like)

Then regenerate the certificates and keys.

puppetca --verbose --generate server1backend.something.com

Rename the pem files.

cd /etc/puppet/ssl

mv ./private_keys/server1backend.something.com.pem ./private_keys/server1.something.com.pem
mv ./certs/server1backend.something.com.pem ./certs/server1.something.com.pem
mv ./ca/signed/server1backend.something.com.pem ./ca/signed/server1.something.com.pem

Client side

Remove the ssl directory.

rm -rf /etc/puppet/ssl

Make the client request a certificate and test the connection to the server.

puppetd --server server1backend.something.com --waitforcert 60 --test

Adjust your ‘server=’ entry for the client (in puppetd.conf) to the full name server1backend.something.com.

[puppetd]
# Make sure all log messages are sent to the right directory
# This directory must be writable by the puppet user
server=server1backend.something.com
logdir=/var/log/puppet
vardir=/var/lib/puppet
rundir=/var/run

Run the puppets (clients) with puppetd -v to check that the “no certificate” messages no longer appear, so you know all is in order. After that, start the daemons as usual via your init.d scripts.

Gotcha 1

Make sure you have no short aliases in /etc/hosts for the server, because they might be used and still break the SSL connection. Only put in the full name, like so:

192.168.200.7    server1backend.something.com

and not like so:

192.168.200.7    server1backend.something.com    server1backend
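
A way to check both files for this before restarting the daemons. This is an added example, not part of the original article: the function names are made up for illustration, and it goes slightly beyond the text by also catching a short alias that sits on a separate line for the same IP.

```shell
# Added example (not from the original article); function names are hypothetical.

# Print the value of the first server= entry in a puppetd.conf-style file.
puppet_server_name() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | head -n 1
}

# Print "IP name" for every dot-less (short) name that the hosts file assigns
# to an IP address that also carries the given FQDN. Prints nothing when clean.
hosts_short_aliases() {
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }                     # skip blank or incomplete lines
        NR == FNR {                         # pass 1: remember IPs of the FQDN
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(fqdn)) ips[$1] = 1
            next
        }
        ($1 in ips) {                       # pass 2: report short names
            for (i = 2; i <= NF; i++)
                if (index($i, ".") == 0) print $1, $i
        }
    ' "$1" "$1"
}

# Return 0 when server= is an FQDN and the hosts file gives it no short alias.
check_puppet_names() {
    conf=$1
    hosts=$2
    server=$(puppet_server_name "$conf")
    [ -n "$server" ] || { echo "no server= entry in $conf" >&2; return 2; }
    case $server in
        *.*) ;;
        *) echo "server=$server is not an FQDN" >&2; return 1 ;;
    esac
    bad=$(hosts_short_aliases "$hosts" "$server")
    [ -z "$bad" ] && return 0
    echo "short aliases for $server in $hosts:" >&2
    echo "$bad" >&2
    return 1
}
```

Call check_puppet_names with the path to your puppetd.conf and /etc/hosts on each client; a non-zero exit status means one of the two files still needs fixing.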

Gotcha 2

Make sure you change the server name to its FQDN notation in your manifests, because that can also cause problems.

That’s all folks …

Gerard