Puppet server hostname does not match certificate - can't authenticate. How to disable puppet authentication?
Your client's expecting the master to have the hostname puppet, per its server configuration in puppet.conf - that's the default, so if you don't have a server configured then it's using puppet. The master's SSL certificate must be valid for that name, or the client will refuse to connect.
Normally, the master generates a certificate that's valid for its own hostname and the puppet hostname, by using subject alternative names... but having an explicit certname in the master's puppet.conf might be overriding this. Verify by checking puppet cert --list master-node-1 - it should have something like (alt names: "puppet") displayed after the certificate's thumbprint.
Correct this by either having your client pointed to the real hostname using its server config, or by having the server's cert valid for the hostname puppet.
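The check the answer describes, as an added example that is not part of the original answer or of Puppet: it tests whether a certificate is valid for the name the agent connects to, using two throwaway certificates constructed locally. The helper names are hypothetical, and it assumes an openssl binary that supports x509 -checkhost (OpenSSL 1.0.2 or later).

```shell
#!/bin/sh
# Added example. Certificates below are constructed throwaways, not real Puppet certs.

# make_sample_cert OUT.pem CN [SAN-LIST]  (hypothetical helper)
# Writes a self-signed certificate with the given CN and optional alt names.
make_sample_cert() {
    cfg=$(mktemp)
    if [ -n "$3" ]; then ext="subjectAltName = $3"; else ext="basicConstraints = CA:FALSE"; fi
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n' > "$cfg"
    printf '[dn]\nCN = %s\n[ext]\n%s\n' "$2" "$ext" >> "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$cfg.key" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cfg" "$cfg.key"
    return $rc
}

# cert_covers_name CERT.pem NAME  (hypothetical helper)
# Succeeds only if the certificate is valid for NAME: alt names are checked
# first, and the CN is used only when the certificate has no DNS alt names.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

demo() {
    dir=$(mktemp -d)
    # As in the question: certname = master-node-1 and no "puppet" alt name.
    make_sample_cert "$dir/certname-only.pem" master-node-1
    # A certificate that also lists the agent's default server name.
    make_sample_cert "$dir/with-alt-names.pem" master-node-1 "DNS:master-node-1,DNS:puppet"
    for cert in certname-only with-alt-names; do
        for name in puppet master-node-1; do
            if cert_covers_name "$dir/$cert.pem" "$name"; then verdict="valid"; else verdict="NOT valid"; fi
            echo "$cert.pem is $verdict for hostname '$name'"
        done
    done
    rm -rf "$dir"
}
demo
```

On a real master, cert_covers_name can be pointed at the file printed by puppet master --configprint hostcert, with the name printed by puppet agent --configprint server on the agent.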
Spart
Updated on September 18, 2022
Comments
-
Spart almost 2 years
I am having issues with getting the puppet agent to authenticate the master.
On the agent, I first did
sudo puppet agent --test
info: Creating a new SSL key for m-agent-2
info: Caching certificate for ca
info: Creating a new SSL certificate request for m-agent-2
info: Certificate Request fingerprint (md5): 43:30:57:53:5B:20:F7:12:CD:94:59:17:12:28:68:A4
Then on the master I did
sudo puppet cert list
and got
"m-agent-2" (43:30:57:53:5B:20:F7:12:CD:94:59:17:12:28:68:A4)
Then I did
sudo puppet cert sign m-agent-2
which returned
notice: Signed certificate request for m-agent-2
notice: Removing file Puppet::SSL::CertificateRequest m-agent-2 at '/var/lib/puppet/ssl/ca/requests/m-agent-2.pem'
Then I did
sudo puppet agent --test
which returned
info: Caching certificate for m-agent-2
err: Could not retrieve catalog from remote server: Server hostname 'puppet' did not match server certificate; expected master-node-1
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: Server hostname 'puppet' did not match server certificate; expected master-node-1
The conf file contains the line
certname = master-node-1
in both [main] and [master] sections. I have regenerated the master's certificate by doing
sudo find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
sudo puppet master --no-daemonize --verbose
Also, my /etc/hosts file contains the lines
10.20.32.10 learn.localdomain learn puppet.localdomain puppet
and I can ping both puppet and puppet.learn from the agent. However I still get the same issue. Is there some way to fix this? Or disable authentication in puppet altogether? Both the master and the slave nodes are running Ubuntu 12.04 and I am running puppet 2.7.11. Any help is greatly appreciated.
-
Robert over 7 years
or simply you're executing puppet without sudo or root...