On Tue, Jan 18, 2011 at 10:41 AM, Robert Scheer <[email protected]> wrote:
> Hi, suppose puppet-old.domain is a CNAME pointing to puppet-new.domain,
> and puppet-new.domain is running Apache (for SSL) with mod_proxy_balancer
> to balance over some 10 puppetmaster processes. The configured
> SSLCertificateFile in Apache is that of puppet-new.domain
>
> How do I get a node to stop complaining when connecting to
> puppet-old.domain (ending up at puppet-new.domain through the CNAME)?
>
> node# puppetd --test --server=puppet-old.domain
> err: Could not retrieve catalog from remote server: hostname was not match
> with the server certificate
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
I recommend issuing a new certificate for the Apache SSL server which
contains both puppet-old.domain and puppet-new.domain in the X.509
Subject Alternative Name field.
> I tried fiddling with certdnsnames on both the server side and the client
> side, but without effect.
Certdnsnames is one way to do this. In Puppet 2.6 you can use the
puppet cert command to easily create these certificates.
On the Puppet CA: (My configuration directory is for testing, you'll
need to adjust this setting)
puppet cert --confdir ~/.puppet/conf_test \
  --certdnsnames puppet-old.domain:puppet-new.domain:puppet-old:puppet-new \
  --generate puppet-new.domain
puppet cert --confdir ~/.puppet/conf_test --print puppet-new.domain
Subject: CN=puppet-new.domain
...
X509v3 Subject Alternative Name:
DNS:puppet-old.domain, DNS:puppet-new.domain,
DNS:puppet-old, DNS:puppet-new, DNS:puppet-new.domain
...
Please keep in mind this only issues a new SSL Server certificate, it
uses the existing certificate authority so your Puppet agent systems
will automatically trust this new certificate.
Hope this helps,
--
Jeff McCune
http://www.puppetlabs.com/
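The reason the run above fails, and why a certificate with the extra Subject Alternative Names fixes it, is that a TLS client checks the name it was asked to connect to (puppet-old.domain, regardless of the CNAME it resolves through) against the identities inside the server certificate. The following stand-alone Python script is an added illustration of that check and is not code from the thread or from Puppet itself; it uses constructed certificate dictionaries in the shape ssl.getpeercert() returns (assumed names, no real keys) and reproduces the usual client rule that dNSName SAN entries are authoritative and the subject CN is only a fallback when no dNSName is present.

```python
"""Hostname-vs-certificate check of the kind a TLS client such as the Puppet
agent performs before it will talk to a puppetmaster.

The two certificates below are constructed for this example only.  OLD_CERT
models the original Apache certificate (CN only); NEW_CERT models the one
produced by `puppet cert --certdnsnames ...` with the extra DNS names.
"""

# Constructed: shape of ssl.SSLSocket.getpeercert() output, not real certs.
OLD_CERT = {
    "subject": ((("commonName", "puppet-new.domain"),),),
    # no subjectAltName: the CN is the only identity in the certificate
}

NEW_CERT = {
    "subject": ((("commonName", "puppet-new.domain"),),),
    "subjectAltName": (
        ("DNS", "puppet-old.domain"),
        ("DNS", "puppet-new.domain"),
        ("DNS", "puppet-old"),
        ("DNS", "puppet-new"),
    ),
}


def dns_name_matches(pattern, hostname):
    """Match one dNSName entry against a hostname, RFC 6125 style.

    Comparison is case-insensitive and ignores a trailing dot.  A single '*'
    is accepted only as the entire left-most label and matches exactly one
    label, so '*.domain' covers 'puppet-old.domain' but not 'a.b.domain'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False  # partial or non-leading wildcards are rejected
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_matches_hostname(cert, hostname):
    """Return True if `hostname` is one of the certificate's identities.

    If the certificate carries any dNSName SAN entries, only those count.
    Only a certificate with no dNSName entries at all falls back to the
    subject commonName, which is why the CN-only OLD_CERT is accepted for
    puppet-new.domain but rejected for puppet-old.domain.
    """
    dns_names = [val for (kind, val) in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, hostname):
                return True
    return False


def diagnose(cert, hostname):
    """One-line verdict in the spirit of the agent's error message."""
    if cert_matches_hostname(cert, hostname):
        return "ok: %s matches the server certificate" % hostname
    return "err: hostname %s does not match the server certificate" % hostname


if __name__ == "__main__":
    for label, cert in (("old cert", OLD_CERT), ("new cert", NEW_CERT)):
        for server in ("puppet-old.domain", "puppet-new.domain"):
            print("%-8s %s" % (label, diagnose(cert, server)))
```

Running the script shows the old certificate passing only for puppet-new.domain while the new one passes for both names; the CNAME never enters into it, because the agent compares against the name given in --server, not the name the DNS answer ultimately points to.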