Due to political reasons above the technical layer, the bareword puppet does not resolve to the correct puppetmaster for parts of our infrastructure. These areas have their own, independent puppetmaster and CA. Today I discovered that... we did something wrong somewhere.
Running this command on an agent-machine in one of these areas:
puppet certificate_revocation_list find crl --terminus rest
Give me an error similar to this one:
Error: Could not call 'find' on 'certificate_revocation_list': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster-wrong.example.com]
When I try to run the puppet agent, I get a very similar one:
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster-right.example.com]
During the troubleshooting for this I found a command I wasn't aware of...
puppet config print ca_server
Which returns the bareword puppet. This is when the swearing happened, since puppet is a CNAME to puppetmaster-wrong.example.com. I have learned that I should have had ca_server = puppetmaster-right.example.com in our puppet.conf files all along, but never knew I had to have it in there.
This is the second such environment I'm setting up, and it is well broken.
The first one, set up the same, seems to work. And I don't know why. It's also some 300ms away from puppetmaster-wrong, so that may play part of it.
Is this a case of "burn it to the ground and do it right this time" (ca_server set from the beginning) or is this something I can dig myself out out of?
