Setting up puppetmaster: hostname did not match the server certificate
Which hostname(s) did the puppetmaster generate its certificate for? The puppet client expects the certificate to be valid for "puppetmaster", but it doesn't seem to be issued for this hostname. I think "puppet" might be the default CN on the puppetmaster, or else the hostname of the server. You can check it by running "openssl x509 -text -in cert.pem" on the certificate of the server, or connect to https://yourpuppetmaster:8140/ with a browser, and see which domains are in the CN and dns_alt_names of the certificate.
EDIT
You have a certificate only for "master", but your client connects to "puppetmaster". So either the client needs to expect "master", or you need a certificate for "puppetmaster" on your master. A "certname=puppetmaster" in the [master] block in puppet.conf will change the CN on the server (http://docs.puppetlabs.com/references/stable/configuration.html#certname). You may need to remove the old certificates, but I am not sure about this. Or, you can have the client connect to "master", either by adding it to /etc/hosts, or to your DNS zone if you're running one.
CppLearner
Updated on September 18, 2022
Comments
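Added example, not code from the answer or its author: a POSIX shell check that lists the CN and DNS subjectAltNames of a certificate and reports whether the name an agent passes via --server is covered. The certificate it builds (CN=master, SAN for ghive-ldap) is constructed here to reproduce the mismatch discussed above; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not part of the original answer: does the certificate a
# puppetmaster presents actually cover the name the agent connects to?
set -eu

# cert_names CERT: print the subject CN and every DNS subjectAltName, one per line.
cert_names() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -noout -text -in "$1" |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_matches_host CERT HOST: exit 0 only if HOST is the CN or a DNS SAN,
# i.e. the name an agent passes via --server would verify against CERT.
cert_matches_host() {
  cert_names "$1" | grep -qx -- "$2"
}

# make_demo_cert DIR: constructed self-signed certificate with CN=master and a
# SAN for ghive-ldap, reproducing the mismatch described on this page.
make_demo_cert() {
  cat > "$1/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = master
[v3]
subjectAltName = DNS:ghive-ldap, DNS:master
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

dir=$(mktemp -d)
make_demo_cert "$dir"
for h in puppetmaster master ghive-ldap; do
  if cert_matches_host "$dir/cert.pem" "$h"; then
    echo "$h: certificate covers this name"
  else
    echo "$h: MISMATCH, 'puppet agent --server $h' would fail certificate verify"
  fi
done
```

To run the same check against a live master, save the output of `openssl s_client -connect yourpuppetmaster:8140 </dev/null | openssl x509` to a file and pass that file to cert_matches_host.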
-
CppLearner almost 2 years
I am new to setting up Puppet and Puppetmaster... We have Puppet set up previously, and a new puppetmaster...
3rd edit
After deleting the ssl files on both master (ghive-ldap) and client (giab10)
The hostname for master is ghive-ldap and in client's hostname I have that.
On master:
puppet cert clean ghive-ldap
puppet cert generate --dns_alt_names ghive-ldap ghive-ldap
sudo puppetca --sign giab10
err: Could not call sign: Could not find certificate request for giab10
so then on the client:
sudo puppet cert --generate giab10
notice: giab10 has a waiting certificate request
notice: Signed certificate request for giab10
notice: Removing file Puppet::SSL::CertificateRequest giab10 at '/var/lib/puppet/ssl/ca/requests/giab10.pem'
notice: Removing file Puppet::SSL::CertificateRequest giab10 at '/var/lib/puppet/ssl/certificate_requests/giab10.pem'
giabadmin@giab10:~$ sudo puppet cert --list --all
+ giab10 (0F:CB:............)
I ran this on the client
sudo puppetd --test --debug
.....
err: Could not retrieve catalog from remote server: getaddrinfo: Name or service not know
Fine... let me try this on the client
sudo puppet agent --server ghive-ldap --waitforcert 60 --test --verbose
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
Garrrrr..... I deleted the ssl files and still no luck!! Something must have gone wrong...
How do I start from the beginning? I didn't get much help from the documentation... Sorry for being a noob.. Thanks
PS: Also, how do you make sure the two servers have time in sync?
-
CppLearner about 12 years
Thanks. I've updated my post above. Do they seem to do something weird?
-
arjarj about 12 years
You're connecting to "puppetmaster", but the puppetmaster only has a certificate it can use for "master".
-
CppLearner about 12 years
Thanks. Question... if the hostname for the master is not "puppetmaster", should I just go back to /etc/hosts and put the actual hostname there? Will that make more sense? Thanks
-
arjarj about 12 years
It's a matter of preference I guess. I am usually hesitant to mess with the certificate stuff, so I'd just stick the hostname in /etc/hosts or DNS and be done with it. If you plan on growing to a lot more hosts and want to use the hostname you picked, I'd investigate the certname or dns_alt_names options.
-
CppLearner about 12 years
Thanks. Just a quick question... sorry for being a noob. I would like to start the whole certificate over. Where should I begin starting over? I deleted /var/lib/puppets/ssl/ and /etc/puppets/ssl on both master and client... assuming that putting the actual hostname in /etc/hosts will make things smoother
-
arjarj about 12 years
Clearing /var/lib/puppet/ssl should be sufficient yes. I don't think changing /etc/hosts on the master will be helpful. Changing /etc/hosts would be on the client, to match the hostname you connect to with the certificate of the server. You can change the hostname of the server (often /etc/hostname, after you change it reboot or use the hostname command), or change the name puppet creates the certificate for with the certname option: docs.puppetlabs.com/references/2.7.9/…
-
CppLearner about 12 years
Thanks... I edited my post. I would like to ask for guidance on starting over from the beginning.... it seems like I am creating a big mess here. If you can help it would be really great. Thanks in advance.
-
arjarj about 12 years
Did you check your error on projects.puppetlabs.com/projects/1/wiki/… ? Also, you can sync the time with ntp, just point both servers to a valid ntp server, most likely your distro will come preconfigured with some.