Puppet hostname doesn't match server certificate

I'm trying to set up an Ubuntu VM with puppet installed so I can locally test our production setup. I'm having trouble getting puppetmaster and puppet to talk to each other. Let me take you through my steps. (The server's hostname is a FQDN of the format "web1.xxx.xxx.net".)

So firstly, I clear out all the pem files (except the CA pems of course) from the /etc/puppet/ssl directory so I can do a fresh start. puppetca --list returns no results.

Then, I run puppetd --test to generate a CSR for the puppetmaster. puppetca --list now includes my hostname ("web1.xxx.xxx.net").

Then I run puppetca --sign web1.xxx.xxx.net. Now puppetca --list is empty again -- everything working fine so far.

Lastly I run puppetd --test again. I get the following output:

err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Listing the contents of the /etc/puppet/ssl directory shows PEM files with the correct server name, which matches my hostname. Anyone have any ideas on how to attack this problem?


The error is because the client by default connects to the server hostname 'puppet' but the certificate presented does not have 'puppet' either as its subject or as a SubjectAltName attribute.

To fix it, you can (pick one):

  1. instead of initializing your puppetmaster's certificate by running puppetd, initialize it by running puppetmasterd -- this will cause the cert subject name to include "puppet".

  2. instead of leaving things to chance you can use puppetca --generate --certdnsnames puppet:puppet.mydomain.com web1.xx.xx.xx.net -- the certdnsnames option specifies a list of SubjectAltNames which will be included in the certificate; it should have a colon-separated list of any name that a client would use to contact the server.

  3. instead of just running puppetd --test on the client, run puppetd --test --server=web1.xx.xx.xx.net so the server name the client connects to is one that actually exists in the certificate presented by the server.

Check out masterzen's excellent blog entry for further troubleshooting: Puppet SSL Explained
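As an added illustration of the answer above (not Puppet's own code), the following Python models the client-side check that produces the error: the name the client connected to (by default "puppet") must equal the certificate's Subject CN or one of its SubjectAltName DNS entries. It assumes exact, case-insensitive matching and no wildcards; the certificate contents are constructed from the question and the three fixes.

```python
# Added example (not Puppet's code): models how a TLS client matches the
# name it connected to against the names carried in the server certificate.
from dataclasses import dataclass, field
from typing import List

DEFAULT_SERVER = "puppet"  # name puppetd connects to unless --server is given


@dataclass
class ServerCert:
    subject_cn: str                                    # Subject CN of the cert
    san_dns: List[str] = field(default_factory=list)  # SubjectAltName dNSNames

    def names(self) -> List[str]:
        # A client accepts the Subject CN or any dNSName SubjectAltName.
        return [self.subject_cn] + self.san_dns


def parse_certdnsnames(option: str) -> List[str]:
    # puppetca --certdnsnames takes a colon-separated list of names.
    return [n.strip() for n in option.split(":") if n.strip()]


def hostname_matches(cert: ServerCert, server: str) -> bool:
    # Exact, case-insensitive comparison (wildcards are not modelled here).
    wanted = server.lower().rstrip(".")
    return any(n.lower().rstrip(".") == wanted for n in cert.names())


def check(cert: ServerCert, server: str = DEFAULT_SERVER) -> str:
    if hostname_matches(cert, server):
        return f"ok: '{server}' is in {cert.names()}"
    return (f"err: hostname '{server}' was not match with the server "
            f"certificate (names present: {cert.names()})")


# Constructed scenario from the question: cert generated via puppetd, CN only.
broken = ServerCert("web1.xxx.xxx.net")

# Option 2: SANs produced by --certdnsnames puppet:puppet.mydomain.com
fixed = ServerCert("web1.xxx.xxx.net",
                   parse_certdnsnames("puppet:puppet.mydomain.com"))

if __name__ == "__main__":
    print(check(broken))                      # default 'puppet' -> err
    print(check(fixed))                       # SAN 'puppet' present -> ok
    print(check(broken, "web1.xxx.xxx.net"))  # option 3: --server=<CN> -> ok
```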


Did you check the puppetmaster log file? I found the same problem, and found that the server logs the certificate info:

[2012-02-28 16:21:09] INFO  
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca
        Validity
            Not Before: Feb 26 16:32:46 2012 GMT
            Not After : Feb 24 16:32:46 2017 GMT
        Subject: CN=ubuntu.localdomain

The Subject field shows that the CN is "ubuntu.localdomain", so I executed puppet by doing:

puppetd -t --server=ubuntu.localdomain --fqdn=myfqdn

Hope this helps :-)