[Puppet Users] Hostname was not a match with the server certificate -- Arrgh!


Gabriel - IP Guys

Apr 29, 2010, 7:27:14 AM
to puppet...@googlegroups.com
On the client

Client #] puppetd --test --trace

http://pastebin.com/eft1Qmuv

Full output of the command is above, last three lines,

# err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
# warning: Not using cache on failed catalog
# err: Could not retrieve catalog; skipping run

I have attempted to track down where this problem is coming from. DNS is set up correctly. No host names have been changed, so I am at a loss as to how such a mistake could be made. But then, I am just believing the text of the error message.

Puppet.domain.com puppetmaster.domain.com both point to the correct machine. The client can connect to the server with no problem, and also vice versa. The firewall is relaxed sufficiently on both client and server for puppet to communicate. Both systems are on the same network switch, all other networking services work pretty much perfectly.

Any assistance will be highly appreciated, I have numerous crates of virtual beer I will gladly send your way, and for the non-drinkers, I have a delightful selection of virtual foods from around the world which I can send your way ☺

**** Next paragraph is the long dormant student in me happy at the chance to learn something so powerful; with great power comes great responsibility (yeah, right, whatever, I just want to be able to bring up a MySQL cluster in 5 minutes, and watch my dev team's face!) ****

I am prepared to LEARN puppet! Please teach me! I have even gone to YouTube to attempt to locate some video tutorials, but alas, no luck. (I was distracted by 45 minutes of people scaring the life out of other folks.) This list and IRC are my only hope to become a puppet master – I’ve even got that book Pulling Strings with Puppet. I did notice a lot of advice in that book that isn’t really reflected in a number of examples on the net (unless I’m too slow to recognize the patterns). Anyway, I will stop rambling now – I think puppet is the future, and I am desperate to learn and understand, so feel free to refer me to websites, blogs, forums, Amazon (book purchases!), and Google (in case I missed an obvious search!).

Now, back to my original issue! Oh, I am on IRC, irc.freenode.org, lurking in the #puppet room ☺

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Peter Meier

Apr 29, 2010, 9:16:08 AM
to puppet...@googlegroups.com
> Puppet.domain.com puppetmaster.domain.com both point to the correct
> machine. The client can connect to the server with no problem, and
> also vice versa. The firewall is relaxed sufficiently on both client
> and server for puppet to communicate. Both systems are on the same
> network switch, all other networking services work pretty much
> perfectly.

Do they both have the time synced correctly? This problem is also
often buried in this error message.

cheers pete

Gabriel - IP Guys

Apr 29, 2010, 9:20:11 AM
to puppet...@googlegroups.com
> -----Original Message-----
> From: puppet...@googlegroups.com
> [mailto:puppet...@googlegroups.com] On Behalf Of Peter Meier
> Sent: Thursday, April 29, 2010 2:16 PM
> To: puppet...@googlegroups.com
> Subject: Re: [Puppet Users] Hostname was not a match with the server
> certificate -- Arrgh!
>
> > Puppet.domain.com puppetmaster.domain.com both point to the correct
> > machine. The client can connect to the server with no problem, and
> > also vice versa. The firewall is relaxed sufficiently on both client
> > and server for puppet to communicate. Both systems are on the same
> > network switch, all other networking services work pretty much
> > perfectly.
>
> Do they both have the time synced correctly? This problem is also
> often buried in this error message.
>
> cheers pete

There is NO way it is that simple!? I did notice that the time had
drifted on the VM machine (known issue for VMs), and I have put in
place my own script to fix that. The time is now in sync, but I believe
that it was not at the time of the initial configuration. Does this mean
that I have to rebuild, or can I recover from this?

Brice Figureau

Apr 29, 2010, 9:32:37 AM
to puppet...@googlegroups.com
On Thu, 2010-04-29 at 12:27 +0100, Gabriel - IP Guys wrote:
> On the client
>
> Client #] puppetd --test --trace
>
> http://pastebin.com/eft1Qmuv
>
> Full output of the command is above, last three lines,
>
> # err: Could not retrieve catalog from remote server: hostname was not
> match with the server certificate
> # warning: Not using cache on failed catalog
> # err: Could not retrieve catalog; skipping run
>
> [snip]

When the client connects to the master, it checks the server certificate
in 3 ways:
* it should have been signed by the same CA
* it should be valid (i.e. not expired)
* the advertised server certificate CN should match the hostname used
to connect to the server (or any other subjectAltName).

When you launch puppetd, it connects to puppet.<search>, which usually
resolves to puppet.domain.com. If your server certificate doesn't
contain a CN and/or subjectAltName of puppet.domain.com, then this error
is thrown.

The mismatch can happen when your puppet master is in a different domain
than the client. When the master generates its server certificate it
uses:
* its FQDN as CN
* puppet.$domain in subjectAltName, where $domain is what the current
machine has

If $domain is different on the master and the client, the
mismatch will happen. This is always true if your master is multi-homed
and can be accessed from several networks using different domains.

In this case you need to generate the server certificate with the puppet
master name in every domain with --certdnsname.

> Now, back to my original issue! Oh, I am on IRC, irc.freenode.org,
> lurking in the #puppet room ☺

What's your nickname?
--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
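The three checks Brice lists (same CA, still valid, CN or subjectAltName matches the hostname the client dialled), plus the clock-skew angle Pete raises, can be modelled in a few lines. The following is an added example written for this thread, not Puppet's own code (Puppet does this in Ruby through OpenSSL); it works on the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, and the `MASTER_CERT` and `CLIENT_CA_CN` values are constructed sample data, not taken from the original poster's setup.

```python
"""Model of a Puppet client's server-certificate checks (added example, not Puppet's code).

Works on the dict layout returned by ssl.SSLSocket.getpeercert(). The sample
certificate below is constructed for illustration only.
"""
import ssl
import time

# Constructed sample: what a master's cert might decode to when the master is
# puppetmaster.domain.com and the client dials the default name puppet.<search>.
MASTER_CERT = {
    "issuer": ((("commonName", "Puppet CA: puppetmaster.domain.com"),),),
    "subject": ((("commonName", "puppetmaster.domain.com"),),),
    "subjectAltName": (("DNS", "puppetmaster.domain.com"),
                       ("DNS", "puppet.domain.com")),
    "notBefore": "Apr 29 11:00:00 2010 GMT",
    "notAfter": "Apr 28 11:00:00 2015 GMT",
}

# Constructed: the CN of the CA the client trusts (its own master's CA).
CLIENT_CA_CN = "Puppet CA: puppetmaster.domain.com"


def cert_time(s):
    """Parse an OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' timestamp to epoch seconds."""
    return ssl.cert_time_to_seconds(s)


def _dns_name_match(pattern, hostname):
    """Case-insensitive match; a leading '*.' wildcard covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain.com"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def hostname_matches(cert, hostname):
    """Check 3: hostname must match a DNS subjectAltName; fall back to CN only if there is no SAN."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(_dns_name_match(p, hostname) for p in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def issued_by_our_ca(cert, ca_cn):
    """Check 1 (simplified): the issuer CN must be the CA this client trusts."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName" and value == ca_cn:
                return True
    return False


def is_within_validity(cert, now):
    """Check 2: 'now' must fall inside [notBefore, notAfter].

    A client clock that lags the master makes a freshly issued certificate
    look 'not yet valid', which is why clock drift surfaces as a cert error.
    """
    return cert_time(cert["notBefore"]) <= now <= cert_time(cert["notAfter"])


def check_server_cert(cert, hostname, ca_cn, now=None):
    """Return the list of failed checks; an empty list means the certificate is accepted."""
    now = time.time() if now is None else now
    problems = []
    if not issued_by_our_ca(cert, ca_cn):
        problems.append("not signed by our CA")
    if not is_within_validity(cert, now):
        problems.append("outside validity period (check clock sync)")
    if not hostname_matches(cert, hostname):
        problems.append("hostname was not match with the server certificate")
    return problems


if __name__ == "__main__":
    ok_time = cert_time("Jun 01 00:00:00 2012 GMT")
    print(check_server_cert(MASTER_CERT, "puppet.domain.com", CLIENT_CA_CN, ok_time))
    print(check_server_cert(MASTER_CERT, "puppet.otherdomain.com", CLIENT_CA_CN, ok_time))
    # A client whose clock is behind the cert's notBefore fails check 2.
    print(check_server_cert(MASTER_CERT, "puppet.domain.com", CLIENT_CA_CN,
                            cert_time("Jan 01 00:00:00 2010 GMT")))
```

The wildcard handling follows the usual one-label rule rather than anything Puppet-specific; the point to take from the model is that a client dialling `puppet.otherdomain.com` fails only the third check, while a client with a lagging clock fails the second, and both surface to the user as a certificate problem.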

Alan McKay

Apr 29, 2010, 11:15:06 AM
to puppet...@googlegroups.com
What version are you using?

I just had the same issue with a 0.23 version and when I upgraded to
0.25 it went away


--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"