fqdn vs short name
CraftyTech
Question: Does anyone uses puppet with "shortnames" for hostname
on the client nodes as opposed to fqdn? I noticed that the ssl cert
needs to be a fqdn in order to work. Would having shortname for
hostname, and using fqdn just as an alias in DNS, work? If anyone
uses a setup like this, please let me know, and share your config. :)
For now, this is what I've come up with: I use fqdn for hostname
just to sign the cert, then I revert back to the shortname version.
So far, it's ok, but it's a bit cumbersome and I'd to see how other
ppl deal with this.
Cheers,
Nigel Kersten
You know you can set the 'certname' parameter independently of the
hostname? and then you won't need to jump through these hoops.
>
> Cheers,
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
>
>
--
Nigel Kersten - Puppet Labs - http://www.puppetlabs.com
CraftyTech
Cheers,
On Nov 2, 10:43 am, Nigel Kersten <ni...@puppetlabs.com> wrote:
> > Hello All,
>
> > Question: Does anyone uses puppet with "shortnames" for hostname
> > on the client nodes as opposed to fqdn? I noticed that the ssl cert
> > needs to be a fqdn in order to work. Would having shortname for
> > hostname, and using fqdn just as an alias in DNS, work? If anyone
> > uses a setup like this, please let me know, and share your config. :)
>
> > For now, this is what I've come up with: I use fqdn for hostname
> > just to sign the cert, then I revert back to the shortname version.
> > So far, it's ok, but it's a bit cumbersome and I'd to see how other
> > ppl deal with this.
>
> You know you can set the 'certname' parameter independently of the
> hostname? and then you won't need to jump through these hoops.
>
>
>
> > Cheers,
>
> > --
> > You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> > To post to this group, send email to puppet...@googlegroups.com.
> > To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
Rob McBroom
> Question: Does anyone uses puppet with "shortnames" for hostname
> on the client nodes as opposed to fqdn? I noticed that the ssl cert
> needs to be a fqdn in order to work. Would having shortname for
> hostname, and using fqdn just as an alias in DNS, work?
All of our (RHEL5) systems have their hostname set to their hostname (crazy!), but the Puppet client always generates certs based on the FQDN anyway. I'm not sure how honestly, but I haven't done anything special. The client is an RPM straight from EPEL.
--
Rob McBroom
<http://www.skurfer.com/>
Jeff McCune
Unless configured to use something else, puppet uses the fqdn fact
when creating certificates, not the hostname fact.
If you really want to make this work, check out the --certdnsnames
option to puppetca, which allows you to add X.509 alternate names to a
certificate. Each alternate name could then be a name alias or CNAME
record.
You may want to do a bit of reading on SSL certificate verification
checks. Puppet follows this established process for verifying if a
SSL certificate is valid or not.
Hope this helps,
--
Jeff McCune
http://www.puppetlabs.com/