Is PuppetDB dependent on using default certnames?

asked 2016-04-26 10:33:45 -0500

schowdhury

I have a puppetmaster and a separate puppetDB server. My puppetDB server also acts as my puppetDB's postgresql server.

By the way, all my servers are actually AWS EC2 instances.

I used the main puppetdb puppet forge module to set up my puppetdb server.

When I then try to do a puppet run on one of my agents, it fails, and when I check the puppet server logs, I find the following error message:

2016-04-26 13:12:47,338 ERROR [qtp396679072-65] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
javax.net.ssl.SSLPeerUnverifiedException: Host name 'ip-10-0-101-39.eu-west-1.compute.internal' does not match the certificate subject provided by the peer (CN=puppetdb_preprod_i-075d0a8f)

Based on this message, I think it is failing because my puppetDB server's puppet.conf file contains a custom value for the certname:

$ cat /etc/puppetlabs/puppet/puppet.conf

[main]
dns_alt_names = ip-10-0-101-39.eu-west-1.compute.internal

[agent]
certname = puppetdb_preprod_i-075d0a8f
server = my_puppet_server.com

Note, I tried overcoming the problem by adding the default certname value as dns_alt_names, as shown above, but that didn't work either.

I am using custom certname because it is more meaningful than the default which is "ip-10-0-101-39.eu-west-1.compute.internal".

Am I right in thinking that custom certname is causing this problem?


Comments


It also helps greatly reduce the chance for a collision... if an IP address gets reused and you haven't removed the old cert from your master, your new instance wouldn't be able to get a cert if you autosign...

DarylW (2016-04-26 11:30:51 -0500)

After modifying your dns_alt_names, you'd need to also regenerate your certificates, and have that picked up by puppetdb (usually puppetdb ssl-setup or something like that). Changing the config is not enough. I think your direction is correct in theory though. Check out puppet cert generate ..

ken (2016-04-26 13:05:33 -0500)

@DarylW - That's right, that was one of my other reasons for taking this approach (which I forgot to mention in my original post). I am also already using autosigning as you have suggested.

schowdhury (2016-04-26 17:05:11 -0500)

1 Answer


answered 2016-04-27 04:32:21 -0500

schowdhury

updated 2016-04-28 16:21:06 -0500

OK, I got it working by following the suggestion made by @ken. I had to do a few extra steps to get it working.

First off, on my puppetdb server, the puppet.conf stayed like this:

$ cat /etc/puppetlabs/puppet/puppet.conf

[main]
dns_alt_names = ip-10-0-101-39.eu-west-1.compute.internal

[agent]
certname = puppetdb_preprod_i-075d0a8f
server = my_puppet_server.com

On my puppetdb server, I deleted my ssl certificates:

$ puppet config print ssldir
/etc/puppetlabs/puppet/ssl
$ rm -rf /etc/puppetlabs/puppet/ssl

On the puppetmaster, I then deleted the puppetdb's certificates:

$ puppet cert clean puppetdb_preprod_i-075d0a8f

Next I did a puppet run on my puppetdb:

$ puppet agent -t
Info: Creating a new SSL key for puppetdb_preprod_i-075d0a8f
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetdb_preprod_i-075d0a8f
Info: Certificate Request fingerprint (SHA256): B5:2F:2A:B6:F0:92:09:6D:8C:F7:DE:89:F2:A5:07:51:DA:31:DA:27:E9:AA:85:1C:BF:66:EC:64:EA:D0:25:F3
Error: Could not request certificate: Error 400 on SERVER: CSR 'puppetdb_preprod_i-075d0a8f' contains subject alternative names (DNS:ip-10-0-101-39.eu-west-1.compute.internal, DNS:puppetdb_preprod_i-075d0a8f), which are disallowed. Use `puppet cert --allow-dns-alt-names sign puppetdb_preprod_i-075d0a8f` to sign this request.

Since I am using the dns_alt_names setting, I had to follow the above suggestion and run the 'puppet cert ....' command on the puppetmaster. However, you might be able to suppress this error message in the first place by running the following on the puppetmaster beforehand:

$ puppet ca sign --allow-dns-alt-names

See: https://docs.puppet.com/puppet/latest/reference/man/ca.html

I then did a puppet run on the puppetdb server again and this time it worked.

I then ran the puppetdb ssl-setup command on the puppetdb server, and got the following warning messages:

$ puppetdb ssl-setup
PEM files in /etc/puppetlabs/puppetdb/ssl already exists, checking integrity.
Warning: /etc/puppetlabs/puppetdb/ssl/private.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/private_keys/puppetdb_preprod_i-075d0a8f.pem)
Warning: /etc/puppetlabs/puppetdb/ssl/public.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/puppetdb_preprod_i-075d0a8f.pem)
Setting ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-ca-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.

To get rid of the warning messages, I moved these files to my tmp folder (alternatively you could also just delete them):

$ mv /etc/puppetlabs/puppetdb/ssl/private.pem /tmp/private.pem
$ mv /etc/puppetlabs/puppetdb/ssl/public.pem /tmp/public.pem

Then I ran the ssl-setup command again on the puppetdb server:

$ puppetdb ssl-setup
PEM files in /etc/puppetlabs/puppetdb/ssl are missing, we will move them into place for you
Copying files: /etc/puppetlabs/puppet/ssl/certs/ca.pem ...
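The error in the question is the Java HTTP client refusing a certificate whose names do not cover the host it connected to, so the practical check after a reissue is: does the certificate PuppetDB now serves carry the contacted host name as a DNS subjectAltName? The script below is an added example, not code from the post or from the Puppet or PuppetDB projects. It implements that name check with the openssl CLI (1.1.1 or newer for the -addext used in the demo) and runs it against two constructed self-signed certificates that stand in for the PuppetDB certificate before and after the dns_alt_names reissue; the host name and certname are the ones from the question, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the post or from Puppet/PuppetDB.
# Preflight: does a certificate cover the host name a TLS client will
# verify against? The rule is the one behind the SSLPeerUnverifiedException
# in the question: the contacted host must appear as a DNS subjectAltName;
# only a certificate with no DNS SANs at all is matched on its CN (RFC 6125).
# Requires the openssl CLI; function names are this example's own.

# cert_cn CERT.pem: print the subject CN
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_dns_sans CERT.pem: print each DNS: subjectAltName, one per line
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# cert_matches_host CERT.pem HOST: exit 0 if HOST is covered, 1 otherwise.
# Exact matches only; wildcard names are not handled here.
cert_matches_host() {
    sans=$(cert_dns_sans "$1")
    if [ -n "$sans" ]; then
        # SANs present: CN is ignored, HOST must be one of the DNS SANs
        printf '%s\n' "$sans" | grep -qxF -- "$2"
    else
        # no DNS SANs: fall back to the CN
        [ "$(cert_cn "$1")" = "$2" ]
    fi
}

# preflight CERT.pem HOST: human-readable verdict listing the names found
preflight() {
    if cert_matches_host "$1" "$2"; then
        echo "OK: $1 covers '$2'"
    else
        echo "MISMATCH: $1 does not cover '$2'"
        echo "  CN  = $(cert_cn "$1")"
        echo "  SAN = $(cert_dns_sans "$1" | tr '\n' ' ')"
        return 1
    fi
}

# Demo on two constructed self-signed certs (values from the question).
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 0; }
    dir=$(mktemp -d)
    host=ip-10-0-101-39.eu-west-1.compute.internal
    cn=puppetdb_preprod_i-075d0a8f
    # before: custom certname as CN, no SANs (what the error message shows)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$cn" \
        -keyout "$dir/k1.pem" -out "$dir/before.pem" 2>/dev/null
    # after: same CN plus both DNS SANs, as in the signed CSR in the answer
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$cn" \
        -addext "subjectAltName=DNS:$host,DNS:$cn" \
        -keyout "$dir/k2.pem" -out "$dir/after.pem" 2>/dev/null
    preflight "$dir/before.pem" "$host"   # MISMATCH
    preflight "$dir/after.pem"  "$host"   # OK
    rm -rf "$dir"
}

demo
```

On the real PuppetDB host, run the check against the certificate that puppetdb ssl-setup wires into jetty.ini and the host name puppetserver actually dials (the host in server_urls in its puppetdb.conf), for example `preflight /etc/puppetlabs/puppetdb/ssl/public.pem ip-10-0-101-39.eu-west-1.compute.internal`. Note that the signed CSR in the answer lists the certname itself as a second DNS SAN alongside the dns_alt_names entry, so the reissued certificate is valid for both names; the "before" certificate, with no SANs at all, is only ever matched on its CN, which is why adding dns_alt_names to puppet.conf without reissuing changed nothing.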
