I’m trying to configure puppetmaster and puppet clients using Ubuntu 11.10 EC2 Instances (ami-a562a9cc). I have enabled automatic certificate signing. But whenever I issue this command from the puppet client:
#puppet agent --server puppet --waitforcert 60 --test
Certificates get signed but it throws an error and does not run catalog file.
Error Message:
err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: hostname was not match with the server certificate
Applying the Manifest file on the PuppetMaster works out fine but doesn’t work on the puppet clients.
I have already set up a puppet environment on Amazon Linux & CentOS and it worked out fine on them. But I’m facing these issues for Ubuntu 11.10.
Thanks
Sanket Dangi
Puppet uses standard x.509 SSL certificates to communicate. These are the same certificates used in HTTPS so you can think of them using the same mental model.
This problem is almost always caused by the situation where the puppet agent is using a name not listed in the subject or x.509 alt names field of the puppet master’s certificate.
To resolve this problem please ask yourself, “Is the name the agent is using to contact the master listed in the master’s certificate?”
To answer this question you should determine the name being used by the agent to contact the master. In your example, since you’ve specified the --server puppet option, puppet is the name being used. If you’re working with a Puppet deployment you yourself didn’t set up, you can find the configured name using the command puppet agent --configprint server, which should print back something like this:

Now that we know the agent is using the name “puppetmaster.acme.com” to contact the master, the next question is “Is puppetmaster.acme.com in the SSL certificate of the master?”

To answer this question, go to the Puppet Master and examine the x.509 SSL certificate being used. This can be done with the following command. This command uses the --configprint option to find out the certificate name being used by the Puppet Master. This is usually just the hostname. The puppet cert print command prints out a certificate in human readable form and is just like the openssl x509 -text -noout -in ... command you may already be familiar with.

Focus on the two fields named Subject: and X509v3 Subject Alternative Name: If the name found in the first step (puppetmaster.acme.com) is not listed in either of these two fields, then you’re sure to receive the hostname was not match with the server certificate warning you’ve received.

To resolve the problem, simply use puppet agent --server <hostname> where <hostname> is something listed in the certificate being used by the master. You shouldn’t need to re-issue certificates to solve this problem.
Hope this helps.
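As an added example (not part of the original answer or of Puppet itself), the check the answer describes, done in Python over constructed excerpts of puppet cert print / openssl x509 -text output: parse the Subject CN and the SAN DNS names, then test whether the name the agent passes with --server is covered, falling back to the CN only when the certificate has no SAN entries. The certificate texts and the domain acme.com are constructed for illustration.

```python
import re

# Constructed excerpts of `puppet cert print` (openssl x509 -text style) output
# for two hypothetical master certificates; neither is from the original post.
CERT_WITH_SAN = """\
Certificate:
    Data:
        Subject: CN=puppetmaster.acme.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppetmaster, DNS:puppetmaster.acme.com
"""
# A certificate without any SAN extension (the agent then falls back to the CN).
CERT_CN_ONLY = "        Subject: CN=puppetmaster.acme.com\n"

def cert_names(cert_text):
    """Return (subject_cn, [san_dns_names]) parsed from x509 -text output."""
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", cert_text, re.M)
    san = re.search(r"X509v3 Subject Alternative Name:\s*\n\s*(.+)", cert_text)
    dns_names = []
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns_names.append(entry.split(":", 1)[1].strip())
    return (cn.group(1).strip() if cn else None), dns_names

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    parts = hostname.split(".", 1)  # the wildcard must cover exactly one label
    return len(parts) == 2 and parts[1] == pattern[2:]

def hostname_matches_cert(hostname, cert_text):
    """The check the agent performs: SAN dNSNames if present, else the Subject CN."""
    cn, dns_names = cert_names(cert_text)
    candidates = dns_names or ([cn] if cn else [])
    return any(name_matches(c, hostname) for c in candidates)

if __name__ == "__main__":
    # With --server puppet, the CN-only certificate gives the mismatch from the question.
    for server in ("puppet", "puppetmaster.acme.com"):
        print(server, hostname_matches_cert(server, CERT_WITH_SAN),
              hostname_matches_cert(server, CERT_CN_ONLY))
```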