
Nightmares after renaming puppet master

asked 2014-12-05 10:06:06 -0600

keefbaker

Hi guys...

I appear to have opened up a portal to a circle of hell here. Basically my puppet master had the wrong fqdn so I changed the server name, changed puppet.conf, puppetdb.conf, etc... Then removed the old certs and regenerated them. Cleaned certs, got new node request sorted... fine...

But now when I do a puppet run I get:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Error 401 while communicating with on port 443:

<!doctype html>
<html lang="en">

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

    <title>Puppet Enterprise Console</title>
    <meta name="description" content="">
    <meta name="author" content="">

    <link rel="stylesheet" href="/auth/css/bootstrap.min.css">
    <link rel="stylesheet" href="/auth/css/style.css">
    <link rel="stylesheet" href="/auth/css/login.css">
    <link rel="shortcut icon" href="/favicon.ico">

    <!--jQuery -->
    <script src="/auth/js/jquery.min.js"></script>
    <script src="/auth/js/jquery.validate.min.js"></script>

    <div id="main_wrapper">
      <div id="main" role="main">

        <div id="activate_container" class="modal">
          <div class="modal-header header">
            <a href="/">
              <h1>Puppet Enterprise Console</h1>
            <div class="clear"></div>

          <div class="modal-footer">

            <div id="failure" class="error">
              <span class="activation_msg">There is a failure</span>


            <div class="unauthorized">
              <span class='activation_msg'>You are not authorized to access this page</span>

          </div> <!--end modal-footer-->
        </div> <!--! end of container -->
    </div> <!--end main_wrapper-->

Followed by an error which suggests it's still using the old names on the cert...

 Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for to PuppetDB at Server hostname '' did not match server certificate; expected one of, DNS:puppet,
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Yet if I do:

 puppet master --configprint certname

I get:

Obviously names are agnostified but newname and oldname are self explanatory.

Any idea where I can take this?


1 Answer


answered 2014-12-05 12:23:21 -0600

joshc

updated 2014-12-05 12:25:24 -0600

The agent rejects the SSL connection, because the server is presenting a certificate identifying itself as , but the agent tried connecting to . This is the same as when your browser makes an HTTPS connection to a website, and warns you that there might be a MITM.

You need to regenerate the puppetmaster's certificate. It would be a good idea to include dns_alt_names for both or , so that agents can use either to connect.

Alternatively, you could modify /etc/hosts on the agents to alias to the new IP address, but that has drawbacks as well.



I've tried regenerating the certs (I think) by following this: But to no avail. Is there something else I need to do?

keefbaker (2014-12-08 03:05:44 -0600)
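
As an added example (not part of the original answer and not Puppet's own code), this Python check reproduces the hostname comparison the agent failed: it takes a SAN list in the form the error prints after "expected one of" and reports which connection names the certificate does not cover. The hostnames are constructed placeholders, and the wildcard rule is a simplified RFC 6125-style match.

```python
# Added example. All hostnames are constructed placeholders, not values from the post.

def parse_sans(expected: str) -> list[str]:
    """Parse a SAN list such as 'DNS:puppet, DNS:oldname.example.com'."""
    names = []
    for item in expected.split(","):
        kind, _, value = item.strip().partition(":")
        if kind.strip().upper() == "DNS" and value.strip():
            names.append(value.strip().lower().rstrip("."))
    return names


def name_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*" and len(pat) > 2:
        return bool(host[0]) and host[1:] == pat[1:]
    return host == pat


def uncovered(connect_names: list[str], expected: str) -> list[str]:
    """Return the names clients connect with that no SAN entry covers."""
    sans = parse_sans(expected)
    return [n for n in connect_names
            if not any(name_matches(n, s) for s in sans)]


# Constructed sample data: a certificate issued before the rename, and one
# regenerated with alternative names for both the old and the new FQDN.
OLD_CERT = "DNS:puppet, DNS:oldname.example.com"
NEW_CERT = "DNS:puppet, DNS:oldname.example.com, DNS:newname.example.com"
# Names that agents and the master use to reach the master and PuppetDB.
NAMES = ["newname.example.com", "puppet"]

if __name__ == "__main__":
    for label, sans in (("old cert", OLD_CERT), ("regenerated cert", NEW_CERT)):
        missing = uncovered(NAMES, sans)
        print(f"{label}: " + ("covers all names" if not missing
                              else f"does not cover {missing}"))
```

Run it against the SAN list of every certificate involved (master and PuppetDB), since the error in the question comes from the PuppetDB connection rather than the agent-to-master one.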



Asked: 2014-12-05 10:06:06 -0600

Seen: 908 times

Last updated: Dec 05 '14