puppet ca generate --dns-alt-names


Jonathan Gazeley

Oct 23, 2012, 5:24:06 AM
to puppet...@googlegroups.com
I'm trying to generate a CA certificate that will be used on multiple
puppet masters, accessed by round robin DNS.

The individual nodes have their own hostnames and the round robin name
is puppet.resnet.bris.ac.uk or puppet.resnet.bristol.ac.uk (the twin
domain name for Bristol university is historical, and a total pain).

However I'm having trouble with puppet ca as follows:

[jg4461@puppet1 ~]$ sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk
Error: puppet ca generate takes 1 argument, but you gave 0
Error: Try 'puppet help ca generate' for usage

[jg4461@puppet-1 ~]$ sudo puppet ca generate --dns_alt_names=puppet.resnet.bris.ac.uk, puppet.resnet.bristol.ac.uk
Error: The certificate retrieved from the master does not match the
agent's private key.
To fix this, remove the certificate from both the master and the agent
and then start a puppet run, which will automatically regenerate a
certficate.
On the master:
puppet cert clean puppet1.resnet.bris.ac.uk
On the agent:
rm -f /var/lib/puppet/ssl/certs/puppet1.resnet.bris.ac.uk.pem
puppet agent -t

[jg4461@puppet1 ~]$ puppet --version
3.0.1


Am I doing something wrong, or is something broken?

Thanks,
Jonathan

Jeff McCune

Oct 23, 2012, 12:05:55 PM
to puppet...@googlegroups.com
On Tue, Oct 23, 2012 at 2:24 AM, Jonathan Gazeley <jonathan...@bristol.ac.uk> wrote:
> I'm trying to generate a CA certificate that will be used on multiple puppet masters, accessed by round robin DNS.
>
> The individual nodes have their own hostnames and the round robin name is puppet.resnet.bris.ac.uk or puppet.resnet.bristol.ac.uk (the twin domain name for Bristol university is historical, and a total pain).
>
> However I'm having trouble with puppet ca as follows:
>
> [jg4461@puppet1 ~]$ sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk
> Error: puppet ca generate takes 1 argument, but you gave 0
> Error: Try 'puppet help ca generate' for usage

This command adds "puppet.resnet.bris.ac.uk" to the x.509 alternate names field, but Puppet is still expecting the value of the common name.  If the common name is "foo.resnet.bris.ac.uk" then try the command: sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk foo.resnet.bris.ac.uk.
 

> [jg4461@puppet-1 ~]$ sudo puppet ca generate --dns_alt_names=puppet.resnet.bris.ac.uk, puppet.resnet.bristol.ac.uk

Did you mean to have a space between the comma and the next word here?
 
> Error: The certificate retrieved from the master does not match the agent's private key.

This error happens when the CSR you're trying to sign already has a signed certificate.  In this scenario, Puppet does not sign the CSR and instead simply returns the already present certificate.
 
> To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
> On the master:
>   puppet cert clean puppet1.resnet.bris.ac.uk
> On the agent:
>   rm -f /var/lib/puppet/ssl/certs/puppet1.resnet.bris.ac.uk.pem
>   puppet agent -t
>
> [jg4461@puppet1 ~]$ puppet --version
> 3.0.1
>
>
> Am I doing something wrong, or is something broken?

It doesn't seem like anything is broken beyond the normal difficulties with x.509 certificates.  It just seems like there's an already existing certificate named "puppet1.resnet.bris.ac.uk"

Hope this helps,
-Jeff 
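The two conditions Jeff's reply points at, a certificate on disk that does not belong to the private key and alt names that may or may not have made it into the cert, can be checked outside Puppet with openssl before a master is put behind the round-robin name. This is an added example, not code from the thread or from Puppet; the ssldir path is the Puppet 3 default shown in the thread, and the certname and alt names passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Puppet master cert.
# It verifies that the cert on disk belongs to the private key (the
# "does not match the agent's private key" condition) and that the
# requested dns_alt_names ended up in the certificate.  Requires openssl.
set -eu

# Return 0 if the public key in the cert equals the one derived from the key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Print the DNS: entries of the cert's subjectAltName, one name per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 if every name given after the cert path is present as a DNS SAN.
cert_has_sans() {
  cert="$1"; shift
  present=$(cert_dns_sans "$cert")
  for want in "$@"; do
    printf '%s\n' "$present" | grep -qx "$want" || return 1
  done
}

# Usage: sh check_puppet_cert.sh <certname> <alt-name>...
# ssldir is the Puppet 3 default path from the thread; adjust if yours differs.
if [ "$#" -ge 1 ]; then
  certname="$1"; shift
  ssldir=/var/lib/puppet/ssl
  cert="$ssldir/certs/$certname.pem"
  key="$ssldir/private_keys/$certname.pem"
  cert_matches_key "$cert" "$key" || {
    echo "cert and key for $certname differ; see 'puppet cert clean $certname'" >&2
    exit 1
  }
  cert_has_sans "$cert" "$@" || {
    echo "cert for $certname lacks one of: $*" >&2
    exit 1
  }
  echo "ok: $certname matches its key and carries: $*"
fi
```

Run it on a master as `sh check_puppet_cert.sh puppet1.resnet.bris.ac.uk puppet.resnet.bris.ac.uk puppet.resnet.bristol.ac.uk`; a non-zero exit tells you which of the two conditions from the thread you are hitting.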
