Pivotal Knowledge Base


Puppet sync failed with "hostname does not match the server certificate"


  • PHD 1.1.1 


The log file "/tmp/GPHDNodeInstaller_1391603635.log" shows the following puppet sync error on the cluster node:

err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: hostname does not match the server certificate
err: /File[/var/lib/puppet/lib]: Could not evaluate: hostname does not match the server certificate Could not retrieve file metadata for puppet://mdw.gphd.local/plugins: hostname does not match the server certificate


The PCC admin node's hostname was changed after installing PCC. For example, in this case PCC was installed on host "madw". After installation, we changed the hostname to "mdw".

The PCC installer generates an SSL certificate authority for the puppet master service, and the hostname current at install time is used to generate that certificate authority. The hostname reference is persisted in the following configuration files:


    certname = madw


      SSLCertificateFile /var/lib/puppet/ssl-icm/certs/madw.pem
      SSLCertificateKeyFile /var/lib/puppet/ssl-icm/private_keys/madw.pem
      SSLCertificateChainFile /var/lib/puppet/ssl-icm/ca/ca_crt.pem
      SSLCACertificateFile /var/lib/puppet/ssl-icm/ca/ca_crt.pem
      SSLCARevocationFile /var/lib/puppet/ssl-icm/ca/ca_crl.pem

Whenever puppet signs a puppet agent's certificate request, it will use the old "madw" hostname instead of the new hostname "mdw". The puppet agent will then try to verify hostname "mdw" as the certificate authority and will fail because the certificate is signed with the "madw" hostname.

[root@hdw1 certs]# openssl x509  -in /var/lib/puppet/ssl-icm/certs/ca.pem -text -noout
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA: madw
            Not Before: Feb  4 11:17:26 2014 GMT
            Not After : Feb  4 11:17:26 2019 GMT
        Subject: CN=Puppet CA: madw
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
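
The three places where the old hostname persists (certname, the SSLCertificateFile/SSLCertificateKeyFile paths, and the CA subject) can be checked in one pass. This is an added example, not part of the original article; the function names, the file arguments and the sample data in `demo` are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Function names and sample data are
# constructed; SSL_CONF is whichever file holds the SSLCertificate* lines.

# Print the certname value from a puppet.conf-style file.
conf_certname() {
    sed -n 's|^[[:space:]]*certname[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$|\1|p' "$1" | head -n 1
}

# Print unique cert names (basename minus .pem) from SSLCertificateFile and
# SSLCertificateKeyFile lines; CA, chain and CRL lines are skipped.
ssl_cert_names() {
    sed -n 's|^[[:space:]]*SSLCertificate\(Key\)\{0,1\}File[[:space:]].*/\([^/]*\)\.pem[[:space:]]*$|\2|p' "$1" | sort -u
}

# Read `openssl x509 -text -noout` output on stdin; print <host> from
# "Subject: CN=Puppet CA: <host>".
ca_subject_host() {
    sed -n 's|^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*Puppet CA: \([^,/[:space:]]*\).*$|\1|p' | head -n 1
}

# check_hostname_refs EXPECTED PUPPET_CONF SSL_CONF CA_TEXT
# Prints one MISMATCH line per stale reference; returns 1 if any exist.
check_hostname_refs() {
    local expected=$1 rc=0 name
    name=$(conf_certname "$2")
    [ "$name" = "$expected" ] || { echo "MISMATCH: certname = $name ($2)"; rc=1; }
    for name in $(ssl_cert_names "$3"); do
        [ "$name" = "$expected" ] || { echo "MISMATCH: certificate path uses $name.pem ($3)"; rc=1; }
    done
    name=$(ca_subject_host < "$4")
    [ "$name" = "$expected" ] || { echo "MISMATCH: CA subject is 'Puppet CA: $name' ($4)"; rc=1; }
    return "$rc"
}

# Constructed demo of the article's state: host renamed to mdw while the files
# still name madw.
demo() {
    local d; d=$(mktemp -d)
    printf 'certname = madw\n' > "$d/puppet.conf"
    printf '  SSLCertificateFile /var/lib/puppet/ssl-icm/certs/madw.pem\n  SSLCertificateKeyFile /var/lib/puppet/ssl-icm/private_keys/madw.pem\n  SSLCACertificateFile /var/lib/puppet/ssl-icm/ca/ca_crt.pem\n' > "$d/ssl.conf"
    printf '        Issuer: CN=Puppet CA: madw\n        Subject: CN=Puppet CA: madw\n        Subject Public Key Info:\n' > "$d/ca.txt"
    check_hostname_refs mdw "$d/puppet.conf" "$d/ssl.conf" "$d/ca.txt"
    local rc=$?; rm -rf "$d"; return "$rc"
}
```

On a real node, save the `openssl x509 ... -text -noout` output shown above to a file and pass it as the fourth argument, with the new hostname as the first.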



Execute this procedure from the PCC admin node:

  1. Stop commander service
    • service commander stop
  2. Change the following parameters in each file to use the new hostname
    • /etc/puppet/puppet.conf:
      certname = mdw
      SSLCertificateFile /var/lib/puppet/ssl-icm/certs/mdw.pem
      SSLCertificateKeyFile /var/lib/puppet/ssl-icm/private_keys/mdw.pem
  3. Remove ssl-icm directory from PCC admin node
    • rm -rf /var/lib/puppet/ssl-icm
  4. Start puppet master service
    • service puppetmaster start
  5. Stop puppet master service
    • service puppetmaster stop
  6. Start commander service
    • service commander start





