DNS alt name

DNS alt names are very convenient in larger Puppet infrastructures. They are additional DNS names written into the subjectAltName extension of a server's certificate, so a Puppetserver can be reached under more than one hostname; in effect they let us nickname our servers individually, or as a group. A common DNS alt name is puppet, so that agents can point at a load balancer that fronts all of your individual Puppetservers while the certificate each one presents still verifies for that name.

In the following example, we try to connect to our Puppetserver using the name alt-name.puppet.net, which was never baked into the certificate when the Puppetserver's certificate was originally signed. The certificate itself chains correctly to the CA (hence the "ok for /CN=pe-puppet-master" in the messages), but the name the agent asked for matches neither the certificate's CN nor any of its alt names, so every request fails hostname verification:

[root@wordpress puppet]# puppet agent -t --server=alt-name.puppet.net
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=pe-puppet-master]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=pe-puppet-master]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=pe-puppet-master]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=pe-puppet-master]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=pe-puppet-master]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=pe-puppet-master]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=pe-puppet-master]

There are two possible fixes for this: either point the agent at a name the master's certificate already carries (its CN, or one of its existing DNS alt names), or rebuild the certificate on your Puppetserver with the new DNS alt name. To rebuild it, remove the old SSL files on the offending master with find /etc/puppetlabs/puppet/ssl -name <fqdn>.pem -delete (this deletes the certificate together with the private and public key, so the agent will generate a fresh key and CSR), clean the old certificate on the CA with puppet cert clean <fqdn> so that the CA will accept a new request for the same name, and then run puppet agent -t --dns-alt-names=<name1>,<name2>,<etc> on the master, connecting to the master of masters, to submit a CSR that carries the alt names (the flag sets the dns_alt_names setting for that run; Puppet also adds the certname itself to the list). A CSR that requests alt names has to be signed via the command line on the CA (usually the Master of Masters) with puppet cert sign --allow-dns-alt-names <fqdn>, and cannot be signed in the PE console: the CA refuses alt names unless you explicitly allow them, because any node that could get puppet added to its own certificate would be able to impersonate the master to every agent, so the allowance should be made per request rather than left on. (On Puppet 6 and later Puppetserver the same gate is the allow-subject-alt-names setting in the certificate-authority section of ca.conf, followed by puppetserver ca sign --certname <fqdn>.) Once the new certificate is in place, restart puppetserver so that it serves the new certificate instead of the one it loaded at startup.
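To see exactly what the agent is checking in the failed run above and why the rebuilt certificate fixes it, here is an added example (not code from the book and not Puppet's own code) that builds two throwaway self-signed certificates with Ruby's standard openssl library, one with only a CN and one with Puppet-style DNS alt names, and runs the identity check the Ruby OpenSSL binding performs for a TLS peer, OpenSSL::SSL.verify_certificate_identity, against the server names from this section. The names pe-puppet-master, puppet and alt-name.puppet.net are taken from the page; the certificates themselves are constructed for the demo and are not signed by any real CA.

```ruby
require "openssl"

# Build a throwaway self-signed certificate (constructed demo data, not a
# real Puppet CA). The CN mirrors a Puppet certname; alt_names go into the
# subjectAltName extension, which is what --dns-alt-names fills in the CSR.
def build_cert(cn, alt_names = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  unless alt_names.empty?
    # Puppet adds the certname itself to the SAN list, so callers should
    # include it too: once any DNS SAN is present, verifiers stop looking
    # at the CN at all.
    san = alt_names.map { |n| "DNS:#{n}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# DNS names the certificate actually carries in its subjectAltName.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext
  ext.value.split(",").map(&:strip)
     .select { |v| v.start_with?("DNS:") }
     .map { |v| v.sub("DNS:", "") }
end

# The hostname check the agent's TLS client applies to the master's cert:
# true when hostname matches a DNS SAN, or the CN when no DNS SAN exists.
def identity_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Which candidate --server names would pass against this certificate.
def check_names(cert, hostnames)
  hostnames.each_with_object({}) { |h, acc| acc[h] = identity_ok?(cert, h) }
end

if __FILE__ == $0
  names    = %w[pe-puppet-master puppet alt-name.puppet.net]
  original = build_cert("pe-puppet-master")
  rebuilt  = build_cert("pe-puppet-master", names)

  puts "original certificate, SANs: #{san_dns_names(original).inspect}"
  check_names(original, names).each do |h, ok|
    puts "  --server=#{h}: #{ok ? 'ok' : 'certificate verify failed'}"
  end
  puts "rebuilt certificate, SANs: #{san_dns_names(rebuilt).inspect}"
  check_names(rebuilt, names).each do |h, ok|
    puts "  --server=#{h}: #{ok ? 'ok' : 'certificate verify failed'}"
  end
end
```

Run it with ruby and compare the two result sets: the CN-only certificate only ever passes for pe-puppet-master, which is the situation the agent output above reports, while the rebuilt certificate passes for every name in its SAN list and still rejects anything else. The same check is what makes an agent that trusts the CA accept a load-balanced puppet name: the name has to be in the certificate, not just in DNS.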
