I generate my own certificates before starting my Puppet Master and Agent like so:
puppet cert generate --path "$PATH" --dns_alt_names "hostname,hostname.domain.com,puppet,puppet.domain.com" hostname.domain.com
This notifies me that the certificate is generated and signed:
Notice: Signed certificate request for ca
Notice: hostname.domain.com has a waiting certificate request
Notice: Signed certificate request for hostname.domain.com
Notice: Removing file Puppet::SSL::CertificateRequest hostname.domain.com at '/var/lib/puppet/ssl/ca/requests/hostname.domain.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest hostname.domain.com at '/var/lib/puppet/ssl/certificate_requests/hostname.domain.com.pem'
I then start my master, and I see the following in the logs:
Aug 7 02:15:17 kungfumaster puppet-master[638]: .domain.com has a waiting certificate request
Aug 7 02:15:17 kungfumaster puppet-master[638]: Signed certificate request for .domain.com
Aug 7 02:15:17 kungfumaster puppet-master[638]: Removing file Puppet::SSL::CertificateRequest .domain.com at '/var/lib/puppet/ssl/ca/requests/.domain.com.pem'
Aug 7 02:15:17 kungfumaster puppet-master[638]: Removing file Puppet::SSL::CertificateRequest .domain.com at '/var/lib/puppet/ssl/certificate_requests/.domain.com.pem'
For some reason, my Puppet Master process is creating and signing a `.domain.com` certificate and adding that to the certificate authority.
Why is it doing this? Is this normal, expected functionality from the Puppet Master? What is this SSL certificate used for, as it isn't associated with any full domain name?
↧