puppet node name using FQDN rather than short name

I recently deployed puppet to a host of machines and ran into an issue with getting one of the hosts to read the /catalog.

* puppet 2.7
* Amazon Linux

Wed Aug 14 22:11:39 +0000 2013 Puppet (err): Could not retrieve catalog from remote server: 
Error 403 on SERVER: Forbidden request: hostname.example.com.
(10.0.1.20) access to /catalog/hostname.example.com. [find] authenticated  at /etc/puppet/auth.conf:52

I was confused as to why the client was reporting using the fully qualified domain name and why it was failing to read the catalog while I had just deployed half a dozen other clients without any issues.

I was able to identify the problem as this client was the only client in the deployment with a search domain configured in /etc/resolv.conf. This resulted in the certificate being generated for the FQDN and the puppet client identifying itself using the FQDN where my node declarations were using the short hostname (via LDAP).

I ended up removing the search domain from the /etc/resolv.conf file to resolve this issue. It looks like the “right” answer might be to specify the node_name in puppet.conf to tell puppet how to identify each client although that might be less secure.

Have you encountered this issue? How have you solved it?

– josh

Leave a Reply

Your email address will not be published. Required fields are marked *