Okay, I got pulled away from this for a few days, but I just wanted to
follow up on it, since I have everything resolved now. Thanks for your
help everyone. I've been hanging out in the channel, and I'm still
developing the puppet configuration, so I'm sure you'll hear from me in
some way in the near future.
Because you don't want to re-setup the clients, or because you're
worried about breaking it? Actually, the certificate might already
have "puppet" and "puppet.bestgroup" as aliases.
Because I was wet behind the ears and didn't know better :)
The certificate only works for puppet.bestgroup, but once I got into
actually using puppet.conf, it was resolved without any problems. I
don't have control of the DNS, and in fact, the only node that doesn't
have a FQDN is the puppetmasterd (we're managing a set of servers for
a client. In the end, there will be 6 or 7 all together, but our private
nodes will also be managed by puppet). For those of you who are new and
have a similar problem, here is the relevant line in my puppet.conf:
[puppetd]
# The server to which server puppetd should connect
# The default value is 'puppet'.
# server = puppet
server = servercharlie.bestgroup
This is actually the only value that I changed from the default.
On the other hand, I was assuming you control DNS for all the clients
in one or two central locations. If you aren't going to use DNS to
push the puppet server's ip, it's probably not worth the bother. It's
just nice to do that because that way you can point the clients at a
different location if you need to. Often in this situation, you can't
use puppet to do that, because puppet is broken.
My fault on the logs. You also need this directory in Ubuntu:
Permissions User Group Location
drwxr-x--- puppet puppet /var/log/puppet
I'm guessing that puppet puts the logs there by default, but it might
be a different location since we aren't using the same distro and package.
Actually in my case, this wasn't true. I did have masterhttp.log there,
but that was the only one. The other ones all logged to syslog. puppet
--genconfig indicates that /var/lib/puppet/log is the default location
for (I think) all of the other facilities, but like I said, I only have
one log file in that directory.
I imagine that it has something to do with log settings, which I haven't
really looked into any more because the syslog logging was sufficient
and I haven't run into any more problems.
If the server certificate has the wrong common name, you shouldn't
need to touch the clients. I think you could fix it by following
these steps. *I have not tested this. If you attempt it, make sure
you have a very good backup. I only think this *should* work.*
service puppetmaster stop
rm /var/lib/puppet/ssl/certs/{Server Name Here}.pem
rm /var/lib/puppet/ssl/private_keys/{Server Name Here}.pem
Change the common name to whatever you need.
service puppetmaster start
I removed the entire /etc/puppet/ssl directory after removing the above
mentioned .pem files yielded an error message. I should have kept the
message so that I can post it here for reference. Sorry. I just felt
bold enough, after having worked with this stuff a little longer, to:
1. Just throw the directories away.
2. Restart puppetd on all nodes, restart puppetmasterd. This regenerates
all certificates of all associated parties. What a great feature.
Certificates, and CAs and signing, have always just been something for
which I've never thoroughly gotten an understanding.
3. On master re-run 'puppetca --sign name.of.nodes.certificate'
Regards,
Chris
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
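
The check behind this thread, as an added example that is not part of the original messages: does the master's certificate (its common name or one of its aliases) cover the name set as `server` in puppet.conf? The function names are hypothetical, matching is exact with no wildcard handling, and the certificate path in the usage comment keeps the thread's placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the "server" value from the [puppetd] section of a puppet.conf.
# Falls back to "puppet", the default stated in the config comment.
conf_server() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[puppetd\]/); next }
        in_sec && /^[ \t]*server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END { print (v == "" ? "puppet" : v) }
    ' "$1"
}

# Print every DNS name a PEM certificate is valid for, one per line:
# the subject common name plus any subjectAltName DNS entries (aliases).
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
    openssl x509 -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# Succeed if name $1 equals (case-insensitively) a line read from stdin.
name_in_list() {
    grep -qixF -- "$1"
}

# check <puppet.conf> <master-cert.pem>
# e.g. check /etc/puppet/puppet.conf \
#            "/var/lib/puppet/ssl/certs/{Server Name Here}.pem"
check() {
    srv=$(conf_server "$1")
    if cert_names "$2" | name_in_list "$srv"; then
        echo "OK: certificate covers $srv"
    else
        echo "MISMATCH: $srv is not among the certificate names:"
        cert_names "$2" | sed 's/^/  /'
        return 1
    fi
}

if [ "$#" -eq 2 ]; then check "$1" "$2"; fi
```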