Pivotal Knowledge Base


Puppet sync failed with "hostname does not match the server certificate"

Environment

  • PHD 1.1.1 

Symptom 

The installer log file "/tmp/GPHDNodeInstaller_1391603635.log" on the cluster node shows the following puppet sync error:

err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': hostname does not match the server certificate
err: /File[/var/lib/puppet/lib]: Could not evaluate: hostname does not match the server certificate Could not retrieve file metadata for puppet://mdw.gphd.local/plugins: hostname does not match the server certificate

Cause

The hostname of the PCC admin node was changed after PCC was installed. In this case PCC was installed while the host was named "madw"; after the installation the hostname was changed to "mdw".

The PCC installer generates an SSL certificate authority for the puppet master service, and the hostname at install time is embedded both in the CA certificate and in the name of the master's own certificate. That hostname is persisted in the following configuration files:

/etc/puppet/puppet.conf

    certname = madw

 /etc/httpd/conf.d/puppet-httpd.conf

      SSLCertificateFile /var/lib/puppet/ssl-icm/certs/madw.pem
      SSLCertificateKeyFile /var/lib/puppet/ssl-icm/private_keys/madw.pem
      SSLCertificateChainFile /var/lib/puppet/ssl-icm/ca/ca_crt.pem
      SSLCACertificateFile /var/lib/puppet/ssl-icm/ca/ca_crt.pem
      SSLCARevocationFile /var/lib/puppet/ssl-icm/ca/ca_crl.pem

The puppet master therefore keeps presenting a server certificate issued to "madw", and keeps signing agent certificate requests with the "Puppet CA: madw" authority, even though the host is now called "mdw". When an agent connects to puppet://mdw.gphd.local, TLS hostname verification compares the name it connected to ("mdw") with the name in the master's certificate ("madw"); they differ, so the agent rejects the connection with "hostname does not match the server certificate". The old name is visible in the CA certificate the cluster nodes received:

[root@hdw1 certs]# openssl x509  -in /var/lib/puppet/ssl-icm/certs/ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: madw
        Validity
            Not Before: Feb  4 11:17:26 2014 GMT
            Not After : Feb  4 11:17:26 2019 GMT
        Subject: CN=Puppet CA: madw
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:

 

Fix

Execute this procedure on the PCC admin node:

  1. Stop the commander service
    • service commander stop
  2. Replace the old hostname with the new one in each of the following files
    • /etc/puppet/puppet.conf:
      certname = mdw
    • /etc/httpd/conf.d/puppet-httpd.conf:
      SSLCertificateFile /var/lib/puppet/ssl-icm/certs/mdw.pem
      SSLCertificateKeyFile /var/lib/puppet/ssl-icm/private_keys/mdw.pem
  3. Remove the ssl-icm directory (the old CA, its private key and every certificate it signed) from the PCC admin node
    • rm -rf /var/lib/puppet/ssl-icm
  4. Start the puppet master service; on start-up it generates a new CA and a new master certificate under the new certname "mdw"
    • service puppetmaster start
  5. Stop the puppet master service again; in PCC the master is fronted by httpd (see /etc/httpd/conf.d/puppet-httpd.conf), so the standalone service is only needed to regenerate the certificates
    • service puppetmaster stop
  6. Start the commander service
    • service commander start

Before re-running the node installer, confirm on the admin node that the regenerated CA carries the new name: "openssl x509 -in /var/lib/puppet/ssl-icm/ca/ca_crt.pem -noout -subject" should now report "Puppet CA: mdw". Note that step 3 discards the old CA, so any agent certificate it signed, and any copy of the old ca.pem already cached on a cluster node (such as /var/lib/puppet/ssl-icm/certs/ca.pem on hdw1 above), no longer validates against the new CA and has to be regenerated and signed by the new CA.
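The consistency check and the six-step repair above, collected into one shell script as an added example; it is not part of the original article or of the PCC product. It assumes the PHD 1.1.1 paths quoted above (overridable through PUPPET_CONF, HTTPD_CONF and SSL_DIR), that certname uses the short hostname as in the article, and that service, GNU sed -i and openssl are available on the admin node. The "check" action only reads files; the "fix" action runs exactly the article's steps and is destructive, so run "check" first.

```sh
#!/bin/sh
# Added example: detect and repair the certname/hostname mismatch described in
# this article. Not PCC code; the paths are the PHD 1.1.1 defaults quoted above.

PUPPET_CONF=${PUPPET_CONF:-/etc/puppet/puppet.conf}
HTTPD_CONF=${HTTPD_CONF:-/etc/httpd/conf.d/puppet-httpd.conf}
SSL_DIR=${SSL_DIR:-/var/lib/puppet/ssl-icm}

# certname_from_conf FILE: print the certname value set in a puppet.conf
certname_from_conf() {
    sed -n 's/^[[:space:]]*certname[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# cn_from_subject SUBJECT: reduce an "openssl x509 -subject" line to the host
# name it carries. Accepts the old "subject= /CN=Puppet CA: madw" and the new
# "subject=CN = Puppet CA: madw" layouts and strips the "Puppet CA: " prefix,
# so the CA certificate and the master certificate both yield a plain hostname.
cn_from_subject() {
    printf '%s\n' "$1" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' \
        | sed 's/^Puppet CA: *//; s/[[:space:]]*$//'
}

# cert_cn FILE: hostname embedded in the subject of a PEM certificate
cert_cn() {
    cn_from_subject "$(openssl x509 -in "$1" -noout -subject)"
}

# check_consistency HOSTNAME NAME...: return 0 if every NAME equals HOSTNAME,
# otherwise print each mismatch on stderr and return 1
check_consistency() {
    host=$1; status=0
    shift
    for name in "$@"; do
        if [ "$name" != "$host" ]; then
            echo "mismatch: configured/certificate name '$name' != hostname '$host'" >&2
            status=1
        fi
    done
    return $status
}

# check_node [HOSTNAME]: compare the live config and certificates on this admin
# node against the current short hostname (PCC uses the short name as certname)
check_node() {
    host=${1:-$(hostname -s)}
    certname=$(certname_from_conf "$PUPPET_CONF")
    ca_cn=$(cert_cn "$SSL_DIR/ca/ca_crt.pem")
    master_cn=$(cert_cn "$SSL_DIR/certs/$certname.pem")
    check_consistency "$host" "$certname" "$ca_cn" "$master_cn"
}

# apply_fix NEW OLD: the six steps from the article. Destructive: the old CA
# and every certificate it signed are deleted and must be re-issued.
apply_fix() {
    new=$1; old=$2
    service commander stop
    sed -i "s/^\([[:space:]]*certname[[:space:]]*=[[:space:]]*\)$old\$/\1$new/" "$PUPPET_CONF"
    sed -i "s#\(SSLCertificateFile .*/\)$old\.pem#\1$new.pem#; s#\(SSLCertificateKeyFile .*/\)$old\.pem#\1$new.pem#" "$HTTPD_CONF"
    rm -rf "$SSL_DIR"
    service puppetmaster start      # regenerates the CA and master cert under $new
    service puppetmaster stop       # the master is served through httpd in PCC
    service commander start
}

case "${1:-}" in
    check) check_node "$2" ;;
    fix)   [ $# -eq 3 ] || { echo "usage: $0 fix NEW_HOSTNAME OLD_HOSTNAME" >&2; exit 2; }
           apply_fix "$2" "$3" ;;
esac
```

Run "sh fix-certname.sh check" on the admin node; a non-zero exit with a "mismatch" line names the stale value. For the case in this article, "sh fix-certname.sh fix mdw madw" performs the repair, after which "check" should exit 0 and the node installer can be re-run.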
