Reputation: 1195
I'm trying to configure a puppetmaster and puppet clients using Ubuntu 11.10 EC2 instances (ami-a562a9cc). I have enabled automatic certificate signing. But whenever I issue this command from a puppet client:
# puppet agent --server puppet --waitforcert 60 --test
the certificates get signed, but it throws an error and does not run the catalog.
Error message:
err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: hostname was not match with the server certificate
Applying a manifest file on the puppetmaster works fine, but it doesn't work on the puppet clients.
I have already set up a puppet environment on Amazon Linux and CentOS, and it worked fine on them. But I'm facing these issues on Ubuntu 11.10.
Thanks, Sanket Dangi
Upvotes: 0
Views: 1972
Reputation: 371
Puppet uses standard X.509 SSL certificates to communicate. These are the same certificates used in HTTPS, so you can think of them using the same mental model.
This problem is almost always caused by the puppet agent using a name that is not listed in the Subject or the X.509 Subject Alternative Name field of the puppet master's certificate.
To resolve this problem, please ask yourself, "Is the name the agent is using to contact the master listed in the master's certificate?"
To answer this question you should determine the name being used by the agent to contact the master. In your example, since you've specified the --server puppet option, puppet is the name being used. If you're working with a Puppet deployment you didn't set up yourself, you can find the configured name using the command puppet agent --configprint server, which should print back something like this:
% puppet agent --configprint server
puppetmaster.acme.com
Now that we know the agent is using the name "puppetmaster.acme.com" to contact the master, the next question is "Is puppetmaster.acme.com in the SSL certificate of the master?"
To answer this question, go to the Puppet Master and examine the X.509 SSL certificate being used. This can be done with the following command. It uses the --configprint option to find out the certificate name being used by the Puppet Master, which is usually just the hostname. The puppet cert print command prints out a certificate in human-readable form and is just like the openssl x509 -text -noout -in ... command you may already be familiar with.
root@pe-centos6:~# puppet cert print $(puppet master --configprint certname)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA generated on pe-centos6.puppetlabs.vm at Tue Jan 3 14:54:26 PST 2012
        Validity
            Not Before: Jan 2 22:55:16 2012 GMT
            Not After : Jan 1 22:55:16 2017 GMT
        Subject: CN=pe-centos6.localdomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d2:51:86:31:b0:d8:da:80:1c:b9:e3:74:6b:c0:
                    2a:3c:b2:1a:dd:2b:1e:14:1d:53:b3:de:06:78:a7:
                    c2:bb:ad:bc:7e:91:60:01:d5:83:a7:14:c5:55:ea:
                    09:05:4e:c8:6e:83:93:a2:fb:e6:59:11:c1:05:88:
                    08:53:85:4f:6b:ef:a4:d6:14:6c:d8:56:e9:7c:79:
                    30:97:3a:fc:71:26:20:c7:15:5c:1b:d7:9d:e9:35:
                    08:a8:e2:5d:6c:a3:0d:0b:0e:90:dd:51:15:14:d6:
                    3f:6e:ab:2d:c8:0d:7f:4a:69:a7:7e:17:a2:d5:59:
                    be:c4:ba:a8:f7:54:db:b5:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pe-centos6.localdomain, DNS:puppet
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                88:C4:17:D1:16:FA:0E:F0:E9:AC:00:FC:02:E0:81:53:53:8F:F4:71
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        a2:dc:18:b4:7d:56:4a:5b:22:fc:72:7e:37:a9:cd:05:5b:39:
        63:92:75:0b:1f:05:f7:60:2d:85:ea:79:b5:55:ba:b4:e4:6f:
        10:00:3b:e2:f0:e2:89:ac:82:5f:2e:c5:45:20:33:75:35:a6:
        51:3d:fd:a1:7f:38:6f:9c:71:6f:5f:a4:8d:7d:a7:cc:4e:ed:
        f2:46:9c:a4:b1:4f:83:19:e1:57:83:07:ac:54:ce:84:af:48:
        7f:ca:52:f2:2b:0f:b1:5a:02:aa:4f:7e:f1:e2:12:77:d2:2f:
        6a:b5:92:61:69:1e:c6:10:3e:8e:c3:b9:0d:a7:2a:8b:ff:17:
        bc:81
Focus on the two fields named Subject: and X509v3 Subject Alternative Name:. If the name found in the first step (puppetmaster.acme.com) is not listed in either of these two fields, then you're sure to receive the "hostname was not match with the server certificate" warning you've received.
To resolve the problem, simply use puppet agent --server <hostname>, where <hostname> is something listed in the certificate being used by the master.
You shouldn't need to re-issue certificates to solve this problem.
Hope this helps.
Upvotes: 6
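The two questions in the answer above ("which name does the agent use?" and "is that name in the master's certificate?") can be checked mechanically rather than by eye. The following is an added example, not code from the original post or from Puppet itself: it parses the text form that `puppet cert print` and `openssl x509 -text -noout` emit, pulls out the Subject CN and the DNS entries of the Subject Alternative Name extension, and applies the usual HTTPS hostname rule (case-insensitive comparison, a wildcard accepted only as the whole leftmost label). It assumes the standard rule that DNS SAN entries are authoritative when present and the Subject CN is consulted only for certificates with no DNS SAN entries; the sample certificate texts and the `diagnose` helper are constructed for the example.

```python
import re

# Constructed sample: the lines that matter from the certificate shown in
# the answer above (modulus and signature bytes omitted).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Issuer: CN=Puppet CA generated on pe-centos6.puppetlabs.vm at Tue Jan  3 14:54:26 PST 2012
        Subject: CN=pe-centos6.localdomain
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pe-centos6.localdomain, DNS:puppet
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

# Constructed sample with a wildcard SAN, to show the leftmost-label rule.
WILDCARD_CERT_TEXT = """\
        Subject: CN=puppet.acme.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet.acme.com, DNS:*.acme.com
"""

# Constructed sample with no SAN at all: only the Subject CN can match.
CN_ONLY_CERT_TEXT = """\
        Subject: C=US, O=Acme, CN=puppet
"""


def cert_names(cert_text):
    """Parse `openssl x509 -text` / `puppet cert print` output.

    Returns (subject_cn, san_dns_names). Only the line starting with
    'Subject:' is consulted for the CN, so the Issuer's CN is never
    mistaken for the server's name.
    """
    cn = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", cert_text, re.M)
    subject_cn = cn.group(1).strip() if cn else None
    san_dns = []
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                san_dns.append(entry[4:].strip())
    return subject_cn, san_dns


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' accepted only as the whole leftmost label and matching exactly one
    label (*.acme.com covers puppet.acme.com, but not a.b.acme.com and not
    acme.com itself)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    first, _, rest = hostname.partition(".")
    return bool(first) and bool(rest) and rest == pattern[2:]


def hostname_in_cert(hostname, cert_text):
    """Would the agent's --server name pass hostname checking against this cert?

    Assumption: DNS SAN entries are authoritative when present; the Subject
    CN is a fallback only for certificates carrying no DNS SAN entries.
    """
    subject_cn, san_dns = cert_names(cert_text)
    candidates = san_dns if san_dns else ([subject_cn] if subject_cn else [])
    return any(name_matches(p, hostname) for p in candidates)


def diagnose(server_name, cert_text):
    """One-line verdict in the spirit of the answer's two questions."""
    subject_cn, san_dns = cert_names(cert_text)
    if hostname_in_cert(server_name, cert_text):
        return "OK: %s is covered by the master certificate" % server_name
    return ("MISMATCH: agent uses %r but the certificate only offers "
            "Subject CN=%r and SAN %r; point --server at one of those"
            % (server_name, subject_cn, san_dns))


if __name__ == "__main__":
    # --server puppet: 'puppet' is listed in this certificate's SAN.
    print(diagnose("puppet", SAMPLE_CERT_TEXT))
    # The answer's hypothetical name is not listed anywhere in it.
    print(diagnose("puppetmaster.acme.com", SAMPLE_CERT_TEXT))
```

Feed it the real output of `puppet cert print $(puppet master --configprint certname)` from the master and the value of `puppet agent --configprint server` from the agent; a MISMATCH verdict means either the agent's --server value has to change to one of the listed names, as the answer recommends, or the master needs a certificate that lists the name the agents actually use.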