puppetrun and certs - CA certdnsnames?


Jason Antman

Jun 24, 2009, 2:31:28 PM
to puppet...@googlegroups.com
Hi,

I'm rolling out a new Puppet install and am having some problems with
certs. I've googled and read the docs but can't find anything.

Almost all boxes on the network are dual-homed, with a primary network
(VLAN, /27 subnet) for public data and an admin/management network for
backups and other backend stuff. All hosts have a primary interface on
the main network (and their "real" hostname resolves to that IP) and a
second interface on the admin network, with the DNS name for that IP
like "hostname"-mgmt.

I have puppet set up on a few clients and one puppetmaster (named puppet,
with a name of puppet-mgmt on the second network). All of the clients
(I've set up 4 so far) pull their configs from the master fine, either
running `puppetd --no-daemonize --verbose --listen
--server=puppet-mgmt.mydomain.com` or through the init script. Each host
has certname= specified in their puppet.conf [puppetd] section as the
FQDN, and also has certdnsnames= hostname-mgmt.mydomain.com defined
there. However, when I try (from the puppetmaster) to puppetrun
--host=hostname.mydomain.com, I get a HTTP-Error 500 from puppetrun and
in the client logs, I see:

notice: Denying unauthenticated client puppet.mydomain.com(192.168.0.10)
access to puppetrunner.run

The one thing that I've noticed is that in /var/lib/puppet/ssl on the
clients, there's no server cert, and the CA cert only has the main
network FQDN, not the "-mgmt" name.

Any ideas? Where should I be looking? And is there any way to get
*seriously* verbose debugging information? I even tried running puppetd
with "--trace", but I never get anything more than "notice: Denying
unauthenticated client".

Thanks,
Jason Antman
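As an added example (not from the thread), a shell check for the symptom described above: whether a certificate actually lists, in its CN or subjectAltName, the name a peer connects by. It builds throwaway self-signed certs with openssl (assumed 1.1.1 or newer for -addext and -ext; the names and temp paths are constructed) rather than reading anything under /var/lib/puppet/ssl.

```shell
#!/bin/sh
# Added example: does a cert cover a given DNS name (CN or SAN DNS entry)?
# This is the check a TLS peer does when the name it dialled, e.g.
# puppet-mgmt.mydomain.com, must appear in the presented certificate.
# Assumes openssl 1.1.1+ is installed; everything below is constructed.

set -e
WORK="$(mktemp -d)"

# Throwaway self-signed cert: $1 = output file, $2 = CN,
# $3 = "DNS:a,DNS:b" list for subjectAltName (empty = no SAN at all).
make_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$2" -addext "subjectAltName=$3" \
            -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$2" \
            -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
    fi
}

# Print every DNS name the cert is valid for: the CN, then each SAN DNS entry.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Exit 0 if name $2 is one of the names in cert $1, else 1.
cert_has_name() {
    cert_names "$1" | grep -qxF "$2"
}

# good.pem models a master cert whose certdnsnames include the -mgmt alias;
# bad.pem models one issued with only the primary FQDN.
make_cert "$WORK/good.pem" puppet.mydomain.com \
    "DNS:puppet.mydomain.com,DNS:puppet-mgmt.mydomain.com"
make_cert "$WORK/bad.pem" puppet.mydomain.com ""

for f in good.pem bad.pem; do
    if cert_has_name "$WORK/$f" puppet-mgmt.mydomain.com; then
        echo "$f: covers puppet-mgmt.mydomain.com"
    else
        echo "$f: does NOT cover puppet-mgmt.mydomain.com (peer would reject)"
    fi
done
```

Point the same check at a real cert file to see whether the name a client uses for --server is actually present; a missing alias shows up here long before the connection is refused.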

Scott Smith

Jun 24, 2009, 5:05:03 PM
to puppet...@googlegroups.com
Jason Antman wrote:
> Any ideas? Where should I be looking? And is there any way to get
> *seriously* verbose debugging information? I even tried running puppetd

localtime differences?

-scott
