On Sat, Jul 30, 2011 at 8:03 PM, Douglas Garstang <doug.garst...@gmail.com>wrote:
> Well, this is frustrating.
>
> Let's say I have two puppet masters, where one is active, and the other is
> a hot standby. Obviously each is going to have a different FQDN. Everything
> will work fine when the client talks to the server that signed its
> certificate. However, after a failover to the secondary master, it's all
> going to fail because the FQDN of the master will not match.
>
> I've been searching around, reading the mailing list, and am surprised to
> find very little information on this. The new "Pro Puppet" book skims over
> this detail. You'd think they'd have someone proof it before selling it.
>
> Anyway, someone suggested just using a DNS alias, but that doesn't seem to
> work. If my master is called hpma01p1, and the ssl certs are created in the
> default manner, when I create a DNS alias, and my client talks to hpma01p1
> by using 'puppet', it still fails:
>
> Could not request certificate: Retrieved certificate does not match private
> key; please remove certificate from server and regenerate it with the
> current key
>
> I know that there's a 'certname' option but it looks like it's only valid
> in the [agent], not the master section. How do I do this?
>
> Doug.

Actually, correction.... I'm getting this on the client:

debug: Using cached certificate for ca
/usr/lib/ruby/1.8/openssl/ssl.rb:91:in `post_connection_check': hostname not match with the server certificate (OpenSSL::SSL::SSLError)
        from /usr/lib/ruby/1.8/net/http.rb:588:in `connect'
        from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
        from /usr/lib/ruby/1.8/net/http.rb:542:in `start'
        from /usr/lib/ruby/1.8/net/http.rb:1035:in `request'

The last message in this thread, http://groups.google.com/group/puppet-users/browse_thread/thread/175183b711074480, says:

"We have a single key/cert for the master named "puppet.arces.net" (or puppet-qa.arces.net for the QA one). I don't designate a cert name anywhere - I just have a cert generated for the puppetmasters that matches the hostname that the clients use to connect to the load balancer, not a cert name for the hosts themselves."

Seems to work for him for some reason!

Doug.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
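The `post_connection_check` failure above is Ruby's hostname verification, not a Puppet-specific check: after the TLS handshake, net/http compares the name the client connected to ('puppet') against the server certificate, and a certificate issued "in the default manner" carries only the master's own name (hpma01p1) as its CN. A CNAME in DNS does not change what is inside the certificate, which is why the alias fails and why the setup in the quoted thread (a master certificate issued for the name clients actually use) works. The following is an added example, not code from the thread or from Puppet: it builds a throwaway CA, issues one certificate with only CN=hpma01p1 and one that also lists hpma01p1 and puppet as DNS subjectAltNames, and runs both through `OpenSSL::SSL.verify_certificate_identity`, the same check `post_connection_check` calls. The CA name, serial numbers and validity period are made-up values; the host names are the ones from Doug's post. Puppet's own way of putting alias names into the master certificate's SAN is the `dns_alt_names` setting (Puppet 2.7), which the thread does not mention.

```ruby
# Added example (not from the thread or from Puppet): why a plain DNS alias
# fails Ruby's post_connection_check, and what a master cert that carries the
# alias as a subjectAltName looks like. CA name, serials and validity period
# are made up; hpma01p1 / puppet are the names from the post.
require 'openssl'

ONE_YEAR = 365 * 24 * 3600

# Minimal self-signed CA, standing in for the puppetmaster's CA.
def build_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Server cert with CN=cn and, optionally, DNS subjectAltNames. With an empty
# alt_names list this is the "default manner" master cert from the post;
# with aliases it is what a SAN-bearing cert (e.g. via dns_alt_names) holds.
def build_server_cert(ca_key, ca_cert, cn, alt_names = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  unless alt_names.empty?
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# The check post_connection_check runs after the handshake: DNS SAN entries
# are consulted first; the CN is only used when the cert has no DNS SANs.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Chain check the agent also performs against its cached CA cert.
def issued_by?(cert, ca_cert)
  cert.verify(ca_cert.public_key)
end

def demo
  ca_key, ca_cert = build_ca
  _, plain = build_server_cert(ca_key, ca_cert, 'hpma01p1')
  _, multi = build_server_cert(ca_key, ca_cert, 'hpma01p1', %w[hpma01p1 puppet])
  {
    plain_via_fqdn:  hostname_matches?(plain, 'hpma01p1'), # true
    plain_via_alias: hostname_matches?(plain, 'puppet'),   # false: the CNAME is not in the cert
    san_via_fqdn:    hostname_matches?(multi, 'hpma01p1'), # true
    san_via_alias:   hostname_matches?(multi, 'puppet'),   # true
    san_other:       hostname_matches?(multi, 'hpma02p1'), # false: a standby's own name is not covered
    chain_ok:        issued_by?(multi, ca_cert)            # true
  }
end

puts demo.inspect if __FILE__ == $0
```

The `san_other` case is the failover angle from the post: a certificate naming hpma01p1 and puppet still does not cover a second master's own FQDN, so for an active/standby pair the client-facing name (the alias) is what both masters' certificates need to carry, and the same CA must have issued both so the agent's cached CA certificate still validates the chain.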