When working with Puppet's certificate-based authentication system, one common pain point emerges during the initial agent setup phase. The error message "Certificates were not trusted: hostname was not match with the server certificate" typically occurs when the Puppet agent cannot verify the master's identity through SSL certificate validation.
The certificate trust issue stems from a mismatch between:
- The DNS name the agent uses to connect to the master
- The Subject Alternative Name (SAN) in the master's certificate
In your specific case, while your master server is named 'puppet' and the client is 'puppetclient', the certificate validation fails because either:
1. The master's cert doesn't include 'puppet' as a valid SAN
2. The agent isn't resolving 'puppet' to the correct IP
First, verify your master's certificate details:
sudo puppet cert list --all | grep puppet
sudo openssl x509 -in /var/lib/puppet/ssl/certs/puppet.pem -text | grep DNS
Then check DNS resolution on the agent:
nslookup puppet
ping -c 1 puppet
Option 1: Configure certname properly
Edit /etc/puppet/puppet.conf on both master and agent:
[main]
certname = puppet.yourdomain.com
server = puppet.yourdomain.com
Then regenerate certificates:
# On the agent: wipe its SSL state so it requests a fresh certificate
# (do not run this on the master: /var/lib/puppet/ssl there also holds the CA)
sudo rm -rf /var/lib/puppet/ssl
sudo puppet agent -t
Option 2: Use DNS CNAME records
Create a CNAME record that points 'puppet' to your master's FQDN:
puppet IN CNAME puppetmaster01.yourdomain.com.
For complex environments, consider these puppet.conf settings:
[master]
dns_alt_names = puppet,puppet.yourdomain.com,puppetmaster,puppetmaster.local
autosign = true
Then regenerate master cert with alt names:
sudo puppet cert generate puppet --dns_alt_names=puppet,puppet.yourdomain.com
After implementing changes, test with:
sudo puppet agent --test --debug 2>&1 | grep -E 'Connecting to|Server hostname'
You should see successful verification like:
Debug: Connecting to https://puppet:8140
Debug: Server hostname was verified match in certificate
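As an added example (not code from the answer above), the following script does the comparison the answer asks you to make by eye: it pulls the CN and every DNS Subject Alternative Name out of `openssl x509 -text` output and checks whether the name the agent uses in `server =` is among them, applying the usual one-label wildcard rule. The sample certificate text embedded at the end is constructed for the demonstration; the `/var/lib/puppet/ssl/certs/<certname>.pem` path is the Puppet 3 layout the answer uses, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer: check that the name an agent
# connects to is actually a name the master certificate carries.

# cert_names < x509-text
# Prints the CN plus every DNS SAN found in `openssl x509 -text -noout` output,
# one per line, de-duplicated. Handles both "CN=x" and "CN = x" spellings.
cert_names() {
    awk '
        /Subject:/ {
            if (match($0, "CN *= *[^,/]+")) {
                s = substr($0, RSTART, RLENGTH)
                sub("^CN *= *", "", s); sub("[ \t]+$", "", s)
                print s
            }
        }
        /DNS:/ {
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) {
                if (sub("^[ \t]*DNS:", "", a[i])) { sub("[ \t]+$", "", a[i]); print a[i] }
            }
        }' | sort -u
}

# covers <wanted-name> <cert-name>
# Exit 0 if the cert name equals the wanted name, or is a wildcard that covers
# it. A wildcard covers exactly one label: *.nodes.example.com matches
# agent1.nodes.example.com but not nodes.example.com or a.b.nodes.example.com.
covers() {
    want=$1; name=$2
    case $name in
        \*.*)
            suffix=${name#\*.}
            first=${want%%.*}
            [ "$first" != "$want" ] && [ "$want" = "$first.$suffix" ]
            ;;
        *)
            [ "$name" = "$want" ]
            ;;
    esac
}

# name_matches <wanted-name> < x509-text
# Exit 0 if any CN or DNS SAN in the certificate text covers the wanted name.
name_matches() {
    cert_names | while IFS= read -r n; do
        if covers "$1" "$n"; then echo yes; fi
    done | grep -q yes
}

# check_master_cert <server-name> <cert-file>
# Run the check against a real certificate, e.g. the master's own copy at
# /var/lib/puppet/ssl/certs/<certname>.pem (Puppet 3 layout; assumption).
check_master_cert() {
    server=$1; certfile=$2
    if openssl x509 -in "$certfile" -noout -text | name_matches "$server"; then
        echo "ok: $certfile covers '$server'"
    else
        echo "MISMATCH: '$server' is neither the CN nor a DNS SAN of $certfile; names present:"
        openssl x509 -in "$certfile" -noout -text | cert_names | sed 's/^/  /'
        return 1
    fi
}

# Constructed `openssl x509 -text` excerpt (not a real certificate) for a master
# whose certname is puppet.example.com and whose CSR carried two extra names.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Puppet CA: puppet.example.com
        Subject: CN=puppet.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.example.com, DNS:*.nodes.example.com
'
```

Usage on a live master: `check_master_cert "$(grep -E '^ *server *=' /etc/puppet/puppet.conf | head -1 | cut -d= -f2 | tr -d ' ')" /var/lib/puppet/ssl/certs/puppet.example.com.pem`. With the constructed sample, `printf '%s' "$SAMPLE_CERT_TEXT" | name_matches puppet` succeeds while `name_matches puppetmaster` fails, which is exactly the situation that produces the "hostname was not match" error.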
When working with Puppet's certificate-based authentication system, one of the most common yet confusing errors occurs during the agent-master handshake:
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction:
Certificates were not trusted: hostname was not match with the server certificate
This typically manifests after certificate signing when the agent attempts its second run with sudo puppetd --waitforcert 60 --test.
Puppet uses X.509 certificates for secure communication between agents and masters. The validation fails when:
- The certificate's Subject Alternative Name (SAN) or Common Name (CN) doesn't match the server's hostname
- DNS resolution isn't properly configured between nodes
- The agent attempts to verify the master's identity against an unexpected name
For a basic two-node setup (puppetmaster 'puppet' and agent 'puppetclient'), ensure these fundamentals:
# On both nodes' /etc/hosts:
192.168.1.10 puppet puppet.example.com
192.168.1.20 puppetclient puppetclient.example.com
# On puppetmaster's puppet.conf:
[master]
certname = puppet.example.com
server = puppet.example.com
dns_alt_names = puppet,puppet.example.com
# On agent's puppet.conf:
[agent]
certname = puppetclient.example.com
server = puppet.example.com
When facing the hostname mismatch:
# Verify certificate details
sudo puppet cert list --all
# Check the actual certificate content
sudo openssl x509 -in /var/lib/puppet/ssl/certs/puppet.pem -text -noout
# Test DNS resolution
host puppet
host puppet.example.com
For complex environments, consider these settings:
[agent]
# Disable strict hostname verification (not recommended for production)
strict_hostname_checking = false
# Always apply the last cached catalog instead of compiling a new one each run
use_cached_catalog = true
Here's the full cleanup and regeneration process:
# On agent:
sudo rm -rf /var/lib/puppet/ssl
sudo puppet agent --test --waitforcert 60
# On master:
sudo puppet cert list
sudo puppet cert sign puppetclient.example.com
# Final verification
sudo puppet agent --test
Remember to restart the puppetmaster service after certificate changes:
sudo systemctl restart puppetserver
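As an added example (not code from the answer above), this script checks the two-node fundamentals the answer lists before any certificates are touched: it reads the effective `server`, `certname` and `dns_alt_names` from a puppet.conf the way Puppet resolves them (the run-mode section wins over [main]; `server` defaults to `puppet` when unset), confirms the agent's `server` name has an /etc/hosts entry, and confirms that name will be in the master's certificate (either its certname or one of its dns_alt_names). The hosts and puppet.conf contents are constructed samples mirroring the answer's setup, written to a temporary directory; nothing here touches the real /etc/hosts or /etc/puppet/puppet.conf unless you pass those paths yourself.

```shell
#!/bin/sh
# Added example, not part of the original answer: validate the two-node
# configuration (hosts entries, certname, server, dns_alt_names) offline.

# puppet_setting <section> <key> < puppet.conf
# Prints the value of <key> from <section>, falling back to [main]; empty if unset.
puppet_setting() {
    awk -v sect="$1" -v key="$2" '
        /^[ \t]*\[/ { cur = $0; gsub(/[][ \t]/, "", cur); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (cur == sect) sv = v
            else if (cur == "main") mv = v
        }
        END { print (sv != "" ? sv : mv) }'
}

# hosts_has <name> < hosts-file
# Exit 0 if <name> appears as a hostname or alias on a non-comment line.
hosts_has() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { ok = 1; exit } }
        END { exit ok ? 0 : 1 }'
}

# name_in_list <name> <comma-separated-list>
name_in_list() {
    echo "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$1"
}

# check_two_node <agent puppet.conf> <master puppet.conf> <hosts file>
# Exit 0 when the agent's server name resolves via the hosts file and is either
# the master's certname or one of its dns_alt_names; otherwise report and exit 1.
check_two_node() {
    agent_conf=$1; master_conf=$2; hosts=$3
    server=$(puppet_setting agent server < "$agent_conf")
    certname=$(puppet_setting master certname < "$master_conf")
    alts=$(puppet_setting master dns_alt_names < "$master_conf")
    status=0
    if [ -z "$server" ]; then
        echo "note: agent sets no server; Puppet defaults to 'puppet'"
        server=puppet
    fi
    if hosts_has "$server" < "$hosts"; then
        echo "ok: '$server' has an entry in $hosts"
    else
        echo "FAIL: '$server' is not in $hosts and must resolve some other way"
        status=1
    fi
    if name_in_list "$server" "$certname,$alts"; then
        echo "ok: master cert (certname=$certname, dns_alt_names=$alts) will carry '$server'"
    else
        echo "FAIL: '$server' is neither certname ($certname) nor in dns_alt_names ($alts)"
        status=1
    fi
    return $status
}

# Constructed sample inputs mirroring the answer's two-node setup (not real files).
SAMPLE_HOSTS='127.0.0.1 localhost
192.168.1.10 puppet puppet.example.com   # master
192.168.1.20 puppetclient puppetclient.example.com'

SAMPLE_MASTER_CONF='[main]
server = puppet
[master]
certname = puppet.example.com
dns_alt_names = puppet, puppet.example.com'

SAMPLE_AGENT_CONF='[main]
server = puppet
[agent]
certname = puppetclient.example.com
server = puppet.example.com'

# Broken variant: the agent points at a name the master cert will not carry.
SAMPLE_AGENT_CONF_BAD='[agent]
certname = puppetclient.example.com
server = puppetmaster'

# write_samples: materialise the samples in a temp dir and print its path.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_HOSTS" > "$dir/hosts"
    printf '%s\n' "$SAMPLE_MASTER_CONF" > "$dir/master.conf"
    printf '%s\n' "$SAMPLE_AGENT_CONF" > "$dir/agent.conf"
    printf '%s\n' "$SAMPLE_AGENT_CONF_BAD" > "$dir/agent-bad.conf"
    echo "$dir"
}
```

Against real machines, copy the master's puppet.conf to the agent and run `check_two_node /etc/puppet/puppet.conf /tmp/master-puppet.conf /etc/hosts`; a FAIL on the second check is the configuration that ends in the "hostname was not match" error once the master's certificate is generated.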