I recently deployed Puppet to a host of machines and ran into an issue with getting one of the hosts to read the /catalog.
* puppet 2.7
* Amazon Linux
Wed Aug 14 22:11:39 +0000 2013 Puppet (err): Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: hostname.example.com. (10.0.1.20) access to /catalog/hostname.example.com. [find] authenticated at /etc/puppet/auth.conf:52
I was confused as to why the client was reporting using the fully qualified domain name and why it was failing to read the catalog while I had just deployed half a dozen other clients without any issues.
I was able to identify the problem: this client was the only client in the deployment with a search domain configured in /etc/resolv.conf. This resulted in the certificate being generated for the FQDN and the Puppet client identifying itself using the FQDN, whereas my node declarations were using the short hostname (via LDAP).
I ended up removing the search domain from the /etc/resolv.conf file to resolve this issue. It looks like the “right” answer might be to specify the node_name in puppet.conf to tell Puppet how to identify each client, although that might be less secure.
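A pre-deployment check for the mismatch described above, as an added example that is not part of the original post. It assumes, as the post describes, that the agent's name is the short hostname plus the resolver's domain when one is configured; the function names and the sample resolv.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts whose resolver configuration would make the agent
# present a different name than the one used in the node declaration.
# Assumption: the name is SHORT_HOSTNAME plus the resolver's primary domain
# (last "domain"/"search" line, first entry) when such a line exists.

# Print the resolver's primary domain from resolv.conf text on stdin.
resolv_domain() {
    awk '$1 == "domain" || $1 == "search" { d = $2 }
         END { if (d != "") print d }'
}

# agent_name SHORT_HOSTNAME < resolv.conf
# Print the name the agent would present under the assumption above.
agent_name() {
    dom=$(resolv_domain)
    if [ -n "$dom" ]; then
        printf '%s.%s\n' "$1" "$dom"
    else
        printf '%s\n' "$1"
    fi
}

# check_node SHORT_HOSTNAME DECLARED_NODE < resolv.conf
# Returns 0 when the presented name matches the node declaration, 1 otherwise.
check_node() {
    name=$(agent_name "$1")
    if [ "$name" = "$2" ]; then
        echo "OK: $name matches node declaration"
    else
        echo "MISMATCH: agent would present '$name', node is declared as '$2'"
        return 1
    fi
}

# Constructed sample inputs (not taken from a real host).
WITH_SEARCH='nameserver 10.0.0.2
search example.com internal.example.com'
NO_SEARCH='nameserver 10.0.0.2'

printf '%s\n' "$NO_SEARCH"   | check_node hostname hostname || true
printf '%s\n' "$WITH_SEARCH" | check_node hostname hostname || true
```

On a real host the same check would read the live file, for example `check_node "$(hostname -s)" "$(hostname -s)" < /etc/resolv.conf`.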
Have you encountered this issue? How have you solved it?