
my puppet.conf on the master

[master]
certname = myname.mydomain.com
ca_server = myname.mydomain.com
certdnsnames = puppet;puppet.local;myname.dyndns.org;hivemind.local;

To my understanding, with certdnsnames defined, the following should work:

puppet agent --server myname.dyndns.org --test

but I get the following error:

err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

How do I avoid this error? How do I correctly define certdnsnames? I have found different documentation about this, but no simple example. If I use "," for separation I cannot sign at all. I have also seen a syntax like

certdnsnames = puppet:puppet.intra.myserver.fr,puppet.myserver.fr:puppet,puppet:puppet,puppet.intra.myserver.fr,puppet.myserver.fr

http://projects.puppetlabs.com/issues/5776

but for me it's not clear when to add "puppet:" and when not.

c33s

6 Answers


For the benefit of anyone else who stumbles upon this answer:

Due to CVE-2011-3872, Puppet no longer supports the certdnsnames option. From the documentation:

The certdnsnames setting is no longer functional, after CVE-2011-3872. We ignore the value completely. For your own certificate request you can set dns_alt_names in the configuration and it will apply locally. There is no configuration option to set DNS alt names, or any other subjectAltName value, for another nodes certificate. Alternately you can use the --dns_alt_names command line option to set the labels added while generating your own CSR.

You can generate an SSL certificate for your server using subjectAlternativeName like this:

$ puppet cert generate <puppet master's certname> --dns_alt_names=<comma-separated list of DNS names>
larsks
    Additional note: Before running puppet cert generate, remove the .pem files for the puppet master in /var/lib/puppet/ssl/private_keys, /var/lib/puppet/ssl/ca/signed/ and /var/lib/puppet/ssl/certs. Generating a new certificate does not kill connectivity to existing clients, as they verify the certificate of the puppetmaster using the CA's certificate, which they downloaded at first connect. – Erik Forsberg Jun 27 '12 at 19:27
    Hey, thanks Lars from the past. You just answered my question. – larsks Feb 16 '13 at 04:18
  • For people googling this in 2021+ - see more current answers below. This answer uses deprecated/removed APIs – AndrewL Mar 04 '21 at 00:45

For Puppet 4+ use the following commands to change the accepted dns names for the puppetserver certificate:

Rename existing certificates to *.backup:

mv /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem{,.backup}
mv /etc/puppetlabs/puppet/ssl/ca/signed/$(hostname -f).pem{,.backup}
mv /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem{,.backup}

Generate a new certificate (add your desired alt names):

puppet cert generate $(hostname -f) --dns_alt_names=$(hostname -f),puppet

Restart puppetserver to use the new certificates:

service puppetserver restart
phiphi
quanta
  • Sorry for not accepting this answer; I had a translation problem with "colon", so the other answer helped me out by simply showing me the right character :) But thank you for your answer. – c33s Oct 10 '11 at 14:09

I'm not sure whether Greg Bray's answer works, but this one is ripped straight from the current documentation:

dns_alt_names — A list of hostnames the server is allowed to use when acting as a primary server. The hostname your agents use in their server setting must be included in either this setting or the primary server’s certname setting. Note that this setting is only used when initially generating the primary server’s certificate — if you need to change the DNS names, you must:

Turn off the Puppet Server service (or your Rack server).

Run: sudo puppetserver ca clean <SERVER'S CERTNAME>

Run: sudo puppetserver ca generate <SERVER'S CERTNAME> --dns-alt-names <ALT NAME 1>,<ALT NAME 2>,...

Re-start the Puppet Server service.

рüффп
AndrewL

According to

puppet agent --genconfig

you must use a colon-separated (":" not ";") list.

So it should be

certdnsnames = 'puppet:puppet.local:myname.dyndns.org:hivemind.local'

HTH

cyberkov

To add a SAN entry to the puppet server cert use:

systemctl stop puppetserver
puppetserver ca setup --subject-alt-names $(hostname -f),puppet
systemctl start puppetserver

You may need to clear out the existing certs via rm -rf $(puppet master --configprint ssldir) as well.

Greg Bray
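The regenerate-with-alt-names procedure in the answers above (puppet cert generate --dns_alt_names, puppetserver ca generate --dns-alt-names, puppetserver ca setup --subject-alt-names) all come down to the same thing: the name an agent passes in --server has to appear in the master certificate's subjectAltName DNS entries (or its CN). The script below is an added example, not code from this thread or from Puppet itself. It mints a throwaway self-signed certificate with openssl using the certname and alt names from the question as constructed sample values, lists the names the certificate covers, and checks candidate --server values against that list, so you can see which ones would trip the "hostname was not match with the server certificate" error. The name_matches check is a plain exact-string comparison, an approximation of what the agent's TLS library does (no wildcard or case handling), and the openssl -addext option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): build a cert shaped like a
# regenerated puppet master cert (certname as CN, certname + alt names in the SAN)
# and check which agent --server names it covers. Needs openssl 1.1.1+ for -addext.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample values taken from the question: the master's certname and
# the alt names the asker wanted to be able to use in --server.
CERTNAME=myname.mydomain.com
ALT_NAMES=puppet,puppet.local,myname.dyndns.org,hivemind.local

# gen_cert CN ALT_NAMES -> path of a self-signed cert whose subjectAltName lists
# the CN itself plus every alt name (the Puppet CA adds the certname to the SAN too).
gen_cert() {
  san="DNS:$1,DNS:$(printf '%s' "$2" | sed 's/,/,DNS:/g')"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -addext "subjectAltName=$san" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  printf '%s\n' "$WORK/cert.pem"
}

# cert_names CERT -> one line per distinct DNS name the cert is valid for:
# the CN first, then every SAN DNS entry in the order openssl prints them.
cert_names() {
  {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed -n 's/^subject= *CN=//p'
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n 1 \
      | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
  } | awk '!seen[$0]++'
}

# name_matches CERT NAME -> exit 0 if NAME is exactly one of the cert's names.
# A --server value that fails this is what produces the "hostname was not match
# with the server certificate" error in the question.
name_matches() {
  cert_names "$1" | grep -qxF -- "$2"
}

CERT=$(gen_cert "$CERTNAME" "$ALT_NAMES")

echo "names in $CERT:"
cert_names "$CERT" | sed 's/^/  /'
# puppet.mydomain.com is a constructed name that is deliberately NOT in the SAN.
for server in myname.mydomain.com puppet myname.dyndns.org puppet.mydomain.com; do
  if name_matches "$CERT" "$server"; then
    echo "puppet agent --server $server -> OK"
  else
    echo "puppet agent --server $server -> mismatch; regenerate the cert with this name as an alt name"
  fi
done
```

To run the same inspection against a real master, point cert_names at the file printed by puppet config print hostcert (or the certs/<certname>.pem under the ssldir from the answer above); if the name your agents use in their server setting is not in that list, the certificate has to be cleaned and regenerated with the alt names as the answers describe, since the SAN is fixed at signing time.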