I've run into a bit of a tangle.

I currently have two puppet masters which are "load balanced" with round robin DNS (one is also the CA). I'm using dns_alt_names to let them each answer to puppet.my.domain.com. For the past year this has been fine.

About a week ago I tried to add a third & while all my Linux clients are happy with the new arrangement, my smaller number of FreeBSD9 systems fail with:

    puppet-agent: Failed to apply catalog: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)

when hitting the newly deployed server. If I give the specific host name as the --server argument (rather than the alternative name that gets the round robin DNS) puppet agent connects and runs properly.

I've tracked this down to the FreeBSD client using SNI, whereas the Linux clients do not, and the older servers don't support SNI so it is ignored. All servers are using apache mod_ssl and passenger, but I'm not sure how to

I could generate a "puppet.my.domain.com" certificate, distribute it to all the servers and set up the name based virtual hosts that SNI is designed to facilitate, but then I can't selectively revoke the certs if there's a security issue with one server, so I'd rather keep my per host certificates

This is probably more of an apache question now, but does anyone here know how to get Apache to accept an SNI for a name that is a dns_alt_name of a cert rather than the CN? Or more puppetly if there's a config option to not send an SNI from the client? Though that seems the wrong way to fix
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
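Added by the editor, not code from the original post: a diagnostic for the situation described above. It resolves the round-robin name and, for every backend behind it, completes a TLS handshake once with SNI and once without, then reports whether the certificate's DNS SAN entries (what dns_alt_names produces) actually cover the shared name. The port 8140, the example name puppet.my.domain.com and the CA bundle path /var/lib/puppet/ssl/certs/ca.pem are assumptions; the wildcard handling in san_covers goes slightly beyond the exact names dns_alt_names emits.

```python
import socket
import ssl
import sys

PUPPET_PORT = 8140  # assumed: default puppet master port


def san_covers(san_names, hostname):
    """True if hostname is covered by one of the certificate's DNS SAN entries.
    Exact match is the dns_alt_names case; a single left-most wildcard label
    (*.my.domain.com) is also accepted and matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def resolve(name):
    """All addresses behind a round-robin name, deduplicated and sorted."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, PUPPET_PORT, type=socket.SOCK_STREAM)})


def probe(ip, port, sni_name, cafile):
    """Handshake with one backend twice, with and without SNI.
    Returns {"sni": ..., "no-sni": ...}, each ("ok", dns_sans, covered) or ("fail", error, None)."""
    results = {}
    for use_sni in (True, False):
        ctx = ssl.create_default_context(cafile=cafile)  # trust only the Puppet CA
        ctx.check_hostname = False  # report SAN coverage ourselves instead of aborting on mismatch
        label = "sni" if use_sni else "no-sni"
        try:
            with socket.create_connection((ip, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=sni_name if use_sni else None) as tls:
                    sans = [v for t, v in tls.getpeercert().get("subjectAltName", ()) if t == "DNS"]
                    results[label] = ("ok", sans, san_covers(sans, sni_name))
        except OSError as exc:  # ssl.SSLError is a subclass; covers handshake and connect failures
            results[label] = ("fail", str(exc), None)
    return results


if __name__ == "__main__":
    # Assumed defaults: the round-robin name from the post and the agent's CA bundle path.
    name = sys.argv[1] if len(sys.argv) > 1 else "puppet.my.domain.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/puppet/ssl/certs/ca.pem"
    for ip in resolve(name):
        print(ip, probe(ip, PUPPET_PORT, name, cafile))
```

A backend that answers "ok" without SNI but "fail" with it is the one the FreeBSD agents trip over; a backend whose SAN list does not cover the shared name shows up as covered=False.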