Nightmares after renaming puppet master

asked 2014-12-05 10:06:06 -0500

keefbaker

Hi guys...

I appear to have opened up a portal to a circle of hell here. Basically my puppet master had the wrong fqdn so I changed the server name, changed puppet.conf, puppetdb.conf, etc... Then removed the old certs and regenerated them. Cleaned certs, got new node request sorted... fine...

But now when I do a puppet run I get:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Error 401 while communicating with puppet.newname.net on port 443:

<!doctype html>
<!-- THIS CANNOT USE PARTIALS SINCE RACK ERB DOES NOT SUPPORT THEM -->
<html lang="en">

  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

    <title>Puppet Enterprise Console</title>
    <meta name="description" content="">
    <meta name="author" content="">

    <link rel="stylesheet" href="/auth/css/bootstrap.min.css">
    <link rel="stylesheet" href="/auth/css/style.css">
    <link rel="stylesheet" href="/auth/css/login.css">
    <link rel="shortcut icon" href="/favicon.ico">

    <!--jQuery -->
    <script src="/auth/js/jquery.min.js"></script>
    <script src="/auth/js/jquery.validate.min.js"></script>

  </head>
  <body>
    <div id="main_wrapper">
      <div id="main" role="main">


        <div id="activate_container" class="modal">
          <div class="modal-header header">
            <a href="/">
              <h1>Puppet Enterprise Console</h1>
            </a>
            <div class="clear"></div>
          </div>


          <div class="modal-footer">

            <div id="failure" class="error">
              <span class="activation_msg">There is a failure</span>
            </div>

            <legend>Unauthorized</legend>

            <div class="unauthorized">
              <span class='activation_msg'>You are not authorized to access this page</span>
            </div>

          </div> <!--end modal-footer-->
        </div> <!--! end of container -->
      </div>
    </div> <!--end main_wrapper-->
  </body>
</html>

Followed by an error which suggests it's still using the old names on the cert...

 Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppet.newname.net to PuppetDB at puppet.newname.net:8081: Server hostname 'puppet-newname.net' did not match server certificate; expected one of puppet.oldname.et, DNS:puppet, DNS:puppet.oldname.net
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Yet if I do:

 puppet master --configprint certname

I get:

puppet.newname.net

Obviously names are agnostified but newname and oldname are self explanatory.

Any idea where I can take this?


1 Answer


answered 2014-12-05 12:23:21 -0500

joshc

updated 2014-12-05 12:25:24 -0500

The agent rejects the SSL connection because the server is presenting a certificate identifying itself as puppet.oldname.net, but the agent tried connecting to puppet.newname.net. This is the same as when your browser makes an HTTPS connection to a website and warns you that there might be a MITM.

You need to regenerate the puppetmaster's certificate. It would be a good idea to include dns_alt_names for both puppet.oldname.net and puppet.newname.net, so that agents can use either to connect.

Alternatively, you could modify /etc/hosts on the agents to alias puppet.oldname.net to the new IP address, but that has drawbacks as well.

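The mismatch described in the answer can be read straight off the agent's error line. The following is an added example, not part of the original post or of Puppet's own code: it parses that message, lists the endpoint and the names its certificate presented, and reports which of the names wanted in dns_alt_names are missing. The log lines are constructed from the message in the question, and the comparison rule (RFC 6125 style, single-label wildcard) is an assumption about how names are matched.

```python
import re

# Shape of the hostname-mismatch error quoted in the question.
MISMATCH = re.compile(
    r"(?:at (?P<endpoint>[\w.-]+:\d+): )?"
    r"Server hostname '(?P<requested>[^']+)' did not match server certificate; "
    r"expected one of (?P<names>.+)"
)

# Constructed sample lines, modelled on the agent output in the question.
SAMPLE_LOG = [
    "Warning: Not using cache on failed catalog",
    "Error: Could not retrieve catalog from remote server: Error 400 on SERVER: "
    "Failed to submit 'replace facts' command for puppet.newname.net to PuppetDB at "
    "puppet.newname.net:8081: Server hostname 'puppet.newname.net' did not match server "
    "certificate; expected one of puppet.oldname.net, DNS:puppet, DNS:puppet.oldname.net",
]

def cert_names(field):
    """Split 'CN, DNS:a, DNS:b' into a de-duplicated list of lower-case names."""
    names = []
    for item in field.split(","):
        name = item.strip()
        if name.startswith("DNS:"):
            name = name[4:]
        name = name.lower()
        if name and name not in names:
            names.append(name)
    return names

def matches(hostname, pattern):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    # A wildcard stands for exactly one label, never zero and never several.
    return "." in host and host.split(".", 1)[1] == pat[2:]

def diagnose(line, wanted):
    """Return the endpoint, the names its certificate carries, and the wanted names it lacks."""
    m = MISMATCH.search(line)
    if m is None:
        return None
    presented = cert_names(m.group("names"))
    missing = [w for w in wanted if not any(matches(w, p) for p in presented)]
    return {"endpoint": m.group("endpoint"), "requested": m.group("requested"),
            "presented": presented, "missing": missing}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        report = diagnose(entry, ["puppet.oldname.net", "puppet.newname.net"])
        if report:
            print(report)
```

The `endpoint` field shows which listener served the stale certificate, which is the service whose certificate still has to be regenerated.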

Comments

I've tried regenerating the certs (I think) by following this: https://docs.puppetlabs.com/guides/troubleshooting.html#agents-are-failing-with-a-hostname-was-not-match-with-the-server-certificate-error-whats-wrong But to no avail. Is there something else I need to do?

keefbaker (2014-12-08 03:05:44 -0500)
