Puppet Server hostname 'puppetmaster' did not match server certificate

I'm trying to install a puppet7 master and a client on 2 VirtualBox VMs following this guide https://tecadmin.net/how-to-install-puppet-on-ubuntu-20-04/. When I start puppet on the client I get this error. Note the trailing period.

    Server hostname 'puppetmaster' did not match server certificate; expected one of puppetmaster.

Listing certnames on the master:

    sudo /opt/puppetlabs/bin/puppetserver ca list --all
    Signed Certificates:
        puppetmaster.

How can I fix the mismatch?

Edit: Attempting to run the commands suggested below, I get

    mark@puppetmaster:~$ puppetserver ca clean --certname puppetmaster.
    Traceback (most recent call last):
        9: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
        8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/cli.rb:100:in `run'
        7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/action/clean.rb:91:in `run'
        6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/action/clean.rb:103:in `clean_certs'
        5: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/action/clean.rb:103:in `new'
        4: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/certificate_authority.rb:26:in `initialize'
        3: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/certificate_authority.rb:26:in `new'
        2: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/utils/http_client.rb:25:in `initialize'
        1: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/utils/http_client.rb:156:in `make_store'
    /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/utils/http_client.rb:156:in `add_file': system lib (OpenSSL::X509::StoreError)
    mark@puppetmaster:~$ sudo puppetserver ca clean --certname puppetmaster.
    [sudo] password for mark:
    sudo: puppetserver: command not found

I successfully ran the commands in the answer but the incorrect certificate was not removed.

    mark@puppetmaster:~$ sudo -i
    [sudo] password for mark:
    root@puppetmaster:~# puppetserver ca clean --certname puppetmaster.
    Certificate for puppetmaster. has been revoked
    Cleaned files related to puppetmaster.
    root@puppetmaster:~# puppet ssl clean
    Notice: Removed private key /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster..pem
    Notice: Removed public key /etc/puppetlabs/puppet/ssl/public_keys/puppetmaster..pem
    Notice: Removed certificate /etc/puppetlabs/puppet/ssl/certs/puppetmaster..pem
    root@puppetmaster:~# puppet resource service puppetserver ensure=stopped
    Notice: /Service[puppetserver]/ensure: ensure changed 'running' to 'stopped'
    service { 'puppetserver':
      ensure   => 'stopped',
      provider => 'systemd',
    }
    root@puppetmaster:~# puppetserver ca generate --certname puppetmaster --ca-client
    Successfully saved certificate for puppetmaster to /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
    Successfully saved certificate for puppetmaster to /etc/puppetlabs/puppetserver/ca/signed/puppetmaster.pem
    Successfully saved private key for puppetmaster to /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.pem
    Successfully saved public key for puppetmaster to /etc/puppetlabs/puppet/ssl/public_keys/puppetmaster.pem
    root@puppetmaster:~# puppet resource service puppetserver ensure=running
    Notice: /Service[puppetserver]/ensure: ensure changed 'stopped' to 'running'
    service { 'puppetserver':
      ensure   => 'running',
      provider => 'systemd',
    }
    root@puppetmaster:~# sudo /opt/puppetlabs/bin/puppetserver ca list --all
    Signed Certificates:
        puppetmaster.       (SHA256)  0B:E3:DC:2D:52:27:D9:D9:A1:18:9D:AB:74:07:50:86:E5:7C:32:5C:6F:A1:23:75:3D:4C:C3:90:7D:4D:08:BF   alt names: ["DNS:puppet", "DNS:puppetmaster."]  authorization extensions: [pp_cli_auth: true]
        puppetmaster        (SHA256)  06:EF:8C:3C:6D:83:CA:7A:C9:A4:39:02:DA:7B:F5:E6:D4:3C:27:B3:80:82:EB:4D:C0:92:99:37:F3:D2:96:F2   alt names: ["DNS:puppetmaster"] authorization extensions: [pp_cli_auth: true]
    root@puppetmaster:~# sudo /opt/puppetlabs/bin/puppetserver ca sign --all
    Error:
        No waiting certificate requests to sign

On the agent, I still get the same error:

    mark@puppetclient:~$ sudo systemctl status puppet
    [sudo] password for mark:
    ● puppet.service - Puppet agent
         Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2023-01-16 16:53:07 UTC; 1min 6s ago
           Docs: man:puppet-agent(8)
       Main PID: 654 (puppet)
          Tasks: 1 (limit: 2237)
         Memory: 83.4M
            CPU: 1.485s
         CGroup: /system.slice/puppet.service
                 └─654 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize

    Jan 16 16:53:07 puppetclient systemd[1]: Started Puppet agent.
    Jan 16 16:53:13 puppetclient puppet-agent[654]: Starting Puppet client version 7.21.0
    Jan 16 16:53:13 puppetclient puppet-agent[654]: Server hostname 'puppetmaster' did not match server certificate; expected one of puppetmaster., DNS:puppet, DNS:puppetmaster.
Answers (1):

I'm not sure how you ended up at the point you did, but I agree that the trailing period in the server's certname looks like the source of the issue. You probably need to regenerate the server's agent cert. (The agent cert is used to authenticate machines to each other, both client and server). The linked docs provide more detail, but the basic steps are:

  1. Revoke and remove the current server certificate

    puppetserver ca clean --certname puppetmaster.
    
  2. Remove the agent-side copy of the cert and its associated metadata

    puppet ssl clean
    
  3. Stop the puppetserver service. You may use the appropriate service-management tool directly (systemctl for Ubuntu 20) but Puppet recommends using puppet resource:

    puppet resource service puppetserver ensure=stopped
    
  4. Generate a new, signed certificate for the server:

    puppetserver ca generate --certname <new-certname> [--subject-alt-names <comma-delimited-DNS-names>] --ca-client
    

    When you do this, make sure that either the specified --certname or one of the specified --subject-alt-names, if any, exactly matches the name your clients will use to connect to the server. Note also that if you specify a certname explicitly in the server's puppet.conf then it, too, will need to match the certname specified here.

Although it's not technically part of regenerating the cert, presumably you will afterward want to

  1. Restart the puppetserver service. For example, via

    puppet resource service puppetserver ensure=running
    
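To see why the trailing period in the certname is fatal for step 4, here is an added example (not code from the question, the answer, or Puppet itself): it models the label-by-label hostname check a TLS client performs, after RFC 6125 and Ruby's OpenSSL::SSL.verify_certificate_identity, and parses `puppetserver ca list --all` output so the offending certname can be spotted before an agent ever connects. The CA_LIST text is constructed after the listing in the question, with shortened fingerprints.

```python
"""Added example, not code from the question, the answer or Puppet itself:
a model of the client-side hostname check (after RFC 6125 and Ruby's
OpenSSL::SSL.verify_certificate_identity) plus a parser for the
`puppetserver ca list --all` listing. CA_LIST is constructed, fingerprints shortened."""
import re

CA_LIST = """Signed Certificates:
    puppetmaster.       (SHA256)  0B:E3:DC:2D   alt names: ["DNS:puppet", "DNS:puppetmaster."]  authorization extensions: [pp_cli_auth: true]
    puppetmaster        (SHA256)  06:EF:8C:3C   alt names: ["DNS:puppetmaster"] authorization extensions: [pp_cli_auth: true]
"""

# certname, fingerprint, then the bracketed list of alt names
ENTRY = re.compile(r'^\s*(\S+)\s+\(SHA256\)\s+([0-9A-F:]+)\s+alt names: \[(.*?)\]')

def parse_ca_list(text):
    """One dict per signed certificate: certname (the CN) and its DNS SANs."""
    certs = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        sans = [s.strip().strip('"') for s in m.group(3).split(",") if s.strip()]
        certs.append({"certname": m.group(1),
                      "dns_names": [s[4:] for s in sans if s.startswith("DNS:")]})
    return certs

def hostname_matches(requested, cert_name):
    """Case-insensitive, label-by-label; '*' may stand only for the whole leftmost
    label. A trailing dot adds an empty label, so 'puppetmaster.' never equals 'puppetmaster'."""
    want = requested.lower().split(".")
    have = cert_name.lower().split(".")
    if len(want) != len(have):
        return False
    for i, (w, h) in enumerate(zip(want, have)):
        if i == 0 and h == "*" and w:
            continue  # wildcard covers the leftmost label only
        if w != h:
            return False
    return True

def cert_accepts(requested, cert):
    """Would an agent connecting to `requested` accept this certificate?
    The certname (CN) or any DNS SAN may match."""
    return any(hostname_matches(requested, n)
               for n in [cert["certname"]] + cert["dns_names"])

def trailing_dot_certnames(certs):
    """Certnames ending in '.', the mismatch seen in the question."""
    return [c["certname"] for c in certs if c["certname"].endswith(".")]
```

Run against the constructed listing, the first certificate is rejected for 'puppetmaster' (it would only be accepted for 'puppet'), while the regenerated one is accepted.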
Comments:
2023-01-17 00:50:06
Please see error above. I followed the guide exactly on Ubuntu 22.04.
2023-01-17 00:50:06
@markhorrocks, sudo <command> gets you a clean environment for the command. Instead, use sudo -i to obtain a root shell with all the default environment configuration, and run the appropriate Puppet commands there. Also remember this if ever you want to run puppet agent from the command line.
2023-01-17 00:50:06
The error on the client persists, see edits to my question. A client reboot did not help.
2023-01-17 00:50:06
@markhorrocks, Make sure the server's puppet.conf does not specify puppetmaster. as that machine's certname, as already described in this answer. If you apply a change, then restart puppetserver afterward. You may also need to clean out the client's certificates, which may include a copy of the server's old cert. I had supposed that the old server cert would not be kept because of the previous rejection, but that's not certain.
2023-01-17 00:50:06
Alternatively, @markhorrocks, you might have better luck if you used fully-qualified hostnames as I recommended previously, both as the machines' own sense of their hostnames and in your Puppet certificates and configuration.
2023-01-17 00:50:06
@markhorrocks Based on your current question information and the answer above, I would hypothesize that step 4 in the answer was unsuccessfully executed since the cert is associated with the incorrect name (but perhaps correct SANs).