Home / server / Questions / 320028
Accepted
c33s
Asked: 2011-10-10 18:51:13 +0800 CST

How to add multiple dns names to my puppetmaster?

  • 772

my puppet.conf on the master

[master]
certname = myname.mydomain.com
ca_server = myname.mydomain.com
certdnsnames = puppet;puppet.local;myname.dyndns.org;hivemind.local;

for my understanding with the certdnsnames defined the following should work:

puppet agent --server myname.dyndns.org --test

but i get the following error:

err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

how to avoid this error? how to correctly define certdnsnames? i have found diffent documentation about this, but no simple example. i i use "," for seperation i cannot sign at all. i also have seen a syntax like

certdnsnames = puppet:puppet.intra.myserver.fr,puppet.myserver.fr:puppet,puppet:puppet,puppet.intra.myserver.fr,puppet.myserver.fr

http://projects.puppetlabs.com/issues/5776

but for me its not clear when to add a "puppet:" and when not.

domain-name-system puppet certificate

6 Answers

  1. Best Answer

    For the benefit of anyone else who stumbles upon this answer:

    Due to CVE-2011-3872, Puppet no longer supports the certdnsnames option. From the documentation:

    The certdnsnames setting is no longer functional, after CVE-2011-3872. We ignore the value completely. For your own certificate request you can set dns_alt_names in the configuration and it will apply locally. There is no configuration option to set DNS alt names, or any other subjectAltName value, for another nodes certificate. Alternately you can use the --dns_alt_names command line option to set the labels added while generating your own CSR.

    You can generate an SSL certificate for your server using subjectAlternativeName like this:

    $ puppet cert generate <puppet master's certname> --dns_alt_names=<comma-separated list of DNS names>
    • 27

  2. For Puppet 4+ use the following commands to change the accepted dns names for the puppetserver certificate:

    Rename existing certificates to *.backup:

    mv /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem{,.backup}
mv /etc/puppetlabs/puppet/ssl/ca/signed/$(hostname -f).pem{,.backup}
mv /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem{,.backup}

    generate new certificate (add your desired alt names):

    puppet cert generate $(hostname -f) --dns_alt_names=$(hostname -f),puppet

    restart puppetserver to use new certificates

    service puppetserver restart
    • 2
    • 1

  4. According to

    puppet agent --genconfig

    you must use a colon-separated (":" not ";") list.

    So it should be 

    certdnsnames = 'puppet:puppet.local:myname.dyndns.org:hivemind.local'

    HTH

    • 0

  5. To add a SAN entry to the puppet server cert use:

    systemctl stop puppetserver
puppetserver ca setup --subject-alt-names $(hostname -f),puppet
systemctl start puppetserver

    may need to clear out existing certs via rm -rf $(puppet master --configprint ssldir) as well

    • 0

  6. I'm not sure about whether Greg Bray's answer works - but this one is ripped straight from the current documentation:

    dns_alt_names — A list of hostnames the server is allowed to use when acting as a primary server. The hostname your agents use in their server setting must be included in either this setting or the primary server’s certname setting. Note that this setting is only used when initially generating the primary server’s certificate — if you need to change the DNS names, you must:

    Turn off the Puppet Server service (or your Rack server).

    Run: sudo puppetserver ca clean <SERVER'S CERTNAME>

    Run: sudo puppetserver ca generate <SERVER'S CERTNAME> --dns-alt-names <ALT NAME 1>,<ALT NAME 2>,...

    Re-start the Puppet Server service.

    • 0