A change in Ruby's SSL library (the client now checks that the name it connects to matches the name in the server's certificate) broke Puppet in the case where your clients connect via a different IP address and FQDN than the internal hostname of the server running the puppetmaster (e.g. over a backend network).

This article gives a quick summary of what needs to be done and, at the end, some extra pointers to look at in case you are still having problems. The Puppet version this article refers to is the apt-get version, 0.20.1.

Server side

Remove the ssl directory (or move it aside with mv if you want to keep the old keys and certificates).

rm -rf /etc/puppet/ssl

Then regenerate the certificates and keys. With the ssl directory gone, puppetca also creates a fresh CA, so every client will need a new certificate signed by it.

puppetca --verbose --generate

Rename the pem files in the private_keys, certs and ca/signed directories.

cd /etc/puppet/ssl

mv ./private_keys/ ./private_keys/
mv ./certs/ ./certs/
mv ./ca/signed/ ./ca/signed/

Client side

Remove the ssl directory.

rm -rf /etc/puppet/ssl

Make the client request a certificate and test the connection to the server. With --waitforcert 60 the client keeps polling every 60 seconds until its request has been signed on the puppetmaster (e.g. with puppetca --sign).

puppetd --server --waitforcert 60 --test

Set the ‘server=’ entry for the client (in puppetd.conf) to the full name (FQDN) of the puppetmaster, i.e. the name in its certificate, not a short alias:

# Make sure all log messages are sent to the right directory
# This directory must be writable by the puppet user

Run the clients with puppetd -v and check that the “no certificate” message no longer appears, so you know all is in order. After that, start the daemons as usual via your init.d scripts.

Gotcha 1

Make sure you have no short aliases in /etc/hosts for the server, because they might be used for the connection and still break the SSL connect. Only put in the full name, like so:

and not like so:    server1backend

Gotcha 2

Make sure you also use the server's FQDN in your manifests (e.g. in puppet:// source URLs), because a short name there causes the same mismatch.
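The following preflight script is an added example and not part of the original article. It checks the two things the procedure above and Gotcha 1 are about: that the name clients put in ‘server=’ equals the CN of the puppetmaster's certificate, and that /etc/hosts gives the server no unqualified aliases. The host name puppet.backend.example.com, the alias server1backend and the certificate path in the comments are placeholders chosen for the example; the cert_cn check needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original article: preflight checks for
# the server-name / certificate mismatch described in the text.
# Names such as puppet.backend.example.com and server1backend are
# placeholders, not values taken from the article.

# Print the CN of the first certificate in a PEM file. Handles both the
# old "subject= /CN=x" and the newer "subject=CN = x" layout printed by
# different openssl versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Exact comparison of the name clients connect to with a certificate CN:
# name_matches_cn NAME CN. Returns 0 on match, 1 on mismatch or empty CN.
name_matches_cn() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# Same check directly against a certificate file:
# name_matches_cert NAME /etc/puppet/ssl/certs/NAME.pem
name_matches_cert() {
    name_matches_cn "$1" "$(cert_cn "$2")"
}

# List unqualified aliases (names without a dot) that a hosts file gives
# to FQDN: hosts_short_aliases /etc/hosts puppet.backend.example.com
# A client that connects under such an alias presents a name that does
# not equal the certificate CN, which is exactly Gotcha 1.
hosts_short_aliases() {
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }                  # strip trailing comments
        NF < 2 { next }                      # blank or address-only lines
        {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1
            if (!found) next
            for (i = 2; i <= NF; i++)
                if ($i != fqdn && index($i, ".") == 0) print $i
        }' "$1"
}

# Run every check: preflight SERVER_FQDN CERT.pem [HOSTSFILE]
# Prints one line per problem and returns 1 if anything is wrong.
preflight() {
    _srv=$1; _cert=$2; _hosts=${3:-/etc/hosts}; _rc=0
    _cn=$(cert_cn "$_cert")
    if ! name_matches_cn "$_srv" "$_cn"; then
        echo "server= name '$_srv' does not match certificate CN '$_cn'"
        _rc=1
    fi
    _aliases=$(hosts_short_aliases "$_hosts" "$_srv")
    if [ -n "$_aliases" ]; then
        echo "short aliases for $_srv in $_hosts: $(echo $_aliases)"
        _rc=1
    fi
    return $_rc
}

# Stand-alone use (placeholder names):
#   sh check_puppet_ssl.sh puppet.backend.example.com \
#       /etc/puppet/ssl/certs/puppet.backend.example.com.pem
[ $# -eq 0 ] || preflight "$@"
```

Run it on the puppetmaster with the name you intend to put in every client's ‘server=’ line; a non-zero exit means the name or the hosts file still needs fixing. The comparison is deliberately exact (no wildcard or case folding), matching what the CN-only certificates of that Puppet era offered; newer verifiers also accept subjectAltName entries, which this script does not look at.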

That’s all folks …