# puppet
  • s

    Slackbot

    08/04/2023, 2:04 PM
    This message was deleted.
  • m

    matt

    08/04/2023, 2:26 PM
    I've got a little home lab that's got 20 puppet agents checking into a master, I've just noticed a glitch on 2 nodes, all the nodes check in and request a certificate from the puppet master as $node.$fqdn, and all nodes have a valid certificate, however 2 nodes, (which have a signed certificate on the puppet master as $node.$fqdn) continue to make a request to the puppet master for a certificate of just $node (so no fqdn suffix) puppet.conf on the client has certname as $node.$fqdn so that's fine, but in /etc/puppetlabs/puppet/ssl/certificate_requests on the client there is a $node.pem file, if I delete it, it comes back, if I delete the certificate request from the puppet master, it gets rerequested
  • m

    matt

    08/04/2023, 2:27 PM
    I don't understand why 2 nodes that have valid certificates are also requesting an additional certificate without the fqdn suffix, and what's causing that certificate request file to be recreated
  • m

    matt

    08/04/2023, 2:28 PM
    any thoughts on what could be driving the client to a.) request a second certificate even though it's got a valid cert on the master and the catalogue is being executed just fine b.) why the client's second request is from hostname, not hostname -f
  • r

    Robert Vincent

    08/04/2023, 2:29 PM
    Does anyone know how to submit a Puppet documentation change suggestion? I tried submitting a Pull Request, but it got rejected because I didn't begin the commit message with a reference to a tickets.puppetlabs.com issue. When I go to https://tickets.puppetlabs.com/ I see a message saying (sic):
    The migration to Perforce's Jira Cloud instance is complete. This Jira instance has now been made read-only.
    For a short period of time, public issues will unavailable. Updates will be posted here and the Puppet Community Slack when they are available.
    The https://perforce.atlassian.net page gives no clue as to how I should raise a Puppet ticket. Searching for "puppet" on that page yields a suggestion that I open a case with HR Service Desk.
  • v

    vchepkov

    08/04/2023, 2:29 PM
    puppet uses DNS to determine certname, if it's not configured
  • v

    vchepkov

    08/04/2023, 2:29 PM
    so these two nodes have different dns configuration or settings
  • m

    matt

    08/04/2023, 2:31 PM
    dns is working just fine from what I can see, what lookup function would determine the certificate name ?
  • m

    matt

    08/04/2023, 2:31 PM
    Although I thought the certificate name would have to be what was set in certname in puppet.conf
  • v

    vchepkov

    08/04/2023, 2:31 PM
    that last statement is correct
  • v

    vchepkov

    08/04/2023, 2:32 PM
    and what is set there?
  • m

    matt

    08/04/2023, 2:32 PM
    $node.$fqdn
  • b

    bastelfreak

    08/04/2023, 2:32 PM
    in which section did you set it?
  • b

    bastelfreak

    08/04/2023, 2:32 PM
    can you share the whole puppet.conf?
  • m

    matt

    08/04/2023, 2:32 PM
    just validated puppetmaster and puppet client can both forward and reverse lookup the hostname
  • m

    matt

    08/04/2023, 2:32 PM
    of course
  • c

    csharpsteen

    08/04/2023, 2:32 PM
    certname set in the main section of puppet.conf should be what gets used.
  • c

    csharpsteen

    08/04/2023, 2:33 PM
    If certname is not set, the default is determined from DNS on the agent.
  • m

    matt

    08/04/2023, 2:33 PM
    # puppet.conf managed by puppet class cfg_puppet_conf
    # do not put changes in here - they will be overwritten
    [main]
    [agent]
    pluginsync = true
    report = true
    ca_server = jarvis.no-dns.co.uk
    certname = tain.no-dns.co.uk
    environment = production
    server = jarvis.no-dns.co.uk
    runinterval = 5m
  • c

    csharpsteen

    08/04/2023, 2:33 PM
    Set it in main.
    👍 1
  • m

    matt

    08/04/2023, 2:33 PM
    WOW
  • m

    matt

    08/04/2023, 2:34 PM
    all this time, I'd set it in agent
  • m

    matt

    08/04/2023, 2:34 PM
    been a long time since I needed to look up the config like that, I should have looked it up sooner
  • m

    matt

    08/04/2023, 2:34 PM
    thank you
  • m

    matt

    08/04/2023, 2:34 PM
    I'll set it now
  • c

    csharpsteen

    08/04/2023, 2:35 PM
    Note: You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
    https://www.puppet.com/docs/puppet/7/configuration.html#certname
  • m

    matt

    08/04/2023, 2:35 PM
    although.....if it's missing (as it is because it's set incorrectly in agent) it should fall back to DNS ?
  • m

    matt

    08/04/2023, 2:35 PM
    DNS resolves as the fqdn
  • m

    matt

    08/04/2023, 2:35 PM
    so even then it should have the fqdn (I'll still correct my error of course)
  • v

    vchepkov

    08/04/2023, 2:36 PM
    I think it uses hostname -f