How to generate Puppet SSL certificate with “Alternative Name”
I needed to add a DNS alt name in order to set up full SSL communication between my two Foreman servers and their proxies.
My problem was that my Foreman servers are used in failover (with a VIP) and the clients use a generic DNS record rather than
the servers' own FQDNs. This was a problem because the name the clients connect to did not match the certificate's CN.
To fix that, I set up a Puppet certificate whose CN is the FQDN of the server (i.e. foreman1.example.com) and which has a
'Subject Alternative Name' carrying the generic DNS name of the VIP (i.e. foreman.example.com).
This is really simple to do but not that easy to find on the internet:
You first need to revoke the existing certificate on the master and remove the old key and certificate on the client:
On the client (on Debian):
# rm -rf /var/lib/puppet/ssl
On the master:
# puppet cert clean foreman1.example.com
Then add the following to the client's puppet.conf (in the [main] or [agent] section; several names can be given as a comma-separated list). The setting is only read when the agent generates its certificate signing request, which is why the old certificate has to be removed first:
dns_alt_names = foreman.example.com
Then kick puppet on the client to force it to generate a new key and certificate signing request, which it submits to the puppet master for signing:
# puppet agent -t --report --pluginsync
On the master, list the pending request (the alt names it asks for are shown; note that the certname itself is also among them) and sign it. The CA refuses a request that carries alt names unless --allow-dns-alt-names is passed, so a plain `puppet cert sign` would fail here:
# puppet cert list
  "foreman1.example.com" (SHA256) 2C:76:5B:85:67:28:1C:92:48:AA:10:22:44:C7:9B:A7:0D:9B:E2:A5:5F:10:71:87:B9:3F:46:E4:70:4B:43:6C (alt names: "DNS:foreman.example.com", "DNS:foreman1.example.com")
# puppet cert sign foreman1.example.com --allow-dns-alt-names
You now have a Puppet CA-signed certificate that carries the DNS alt name, so clients connecting to the VIP name are presented with a certificate that covers it.
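Before trusting the result it is worth checking what the CSR actually asked for and what the signed certificate actually contains, since the whole point is that the VIP name is covered even though it is not the CN. The script below is an added example, not part of the original post and not Puppet's own tooling: it assumes the openssl CLI is on PATH, builds a CSR with the same CN and SANs as in the post from a constructed config, self-signs it as a stand-in for the Puppet CA-signed certificate, and then runs the same kind of name check a TLS client performs (CN or a DNS SAN must match the name being connected to). On a real host you would point cert_alt_names and name_covered at /var/lib/puppet/ssl/certs/<certname>.pem instead of the temporary file.

```shell
#!/bin/sh
# Added example: inspect the requested and issued SANs of a Puppet-style
# certificate and check whether a given hostname is covered by it.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed OpenSSL request config mirroring what the agent asks for with
# dns_alt_names = foreman.example.com (Puppet adds the certname as well).
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = foreman1.example.com

[ v3_req ]
subjectAltName = DNS:foreman.example.com, DNS:foreman1.example.com
EOF

# Generate key + CSR (what `puppet agent -t` does on the client) ...
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null

# ... and self-sign it, standing in for `puppet cert sign --allow-dns-alt-names`.
# -extensions v3_req is what carries the SANs from the request into the cert;
# a CA that drops them would leave the VIP name uncovered.
openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 1 \
    -extfile "$WORK/req.cnf" -extensions v3_req -out "$WORK/cert.pem" 2>/dev/null

# csr_alt_names FILE -> comma-separated SAN entries the CSR requests
# (the same information `puppet cert list` shows as "alt names").
csr_alt_names() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr -d ' '
}

# cert_alt_names FILE -> comma-separated SAN entries in the issued certificate.
cert_alt_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr -d ' '
}

# cert_cn FILE -> the CN of the certificate subject (works for both the
# "subject= /CN=..." and "subject=CN = ..." output styles of openssl).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# name_covered NAME FILE -> exit 0 if NAME equals the CN or one of the DNS
# SANs of certificate FILE, 1 otherwise. This is the hostname check that
# failed for the VIP name before the alt name was added.
name_covered() {
    name=$1
    cert=$2
    [ "$(cert_cn "$cert")" = "$name" ] && return 0
    cert_alt_names "$cert" | tr ',' '\n' | grep -qx "DNS:$name"
}

echo "CSR asks for:   $(csr_alt_names "$WORK/req.pem")"
echo "Cert contains:  $(cert_alt_names "$WORK/cert.pem")"
for n in foreman1.example.com foreman.example.com foreman2.example.com; do
    if name_covered "$n" "$WORK/cert.pem"; then
        echo "$n: covered"
    else
        echo "$n: NOT covered"
    fi
done
```

The interesting line is the last one of the loop: foreman.example.com is accepted although it is not the CN, while an unrelated name such as foreman2.example.com is still rejected, which is exactly the behaviour the failover setup needs.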