If you run Puppet in an environment where the master is reachable under several DNS names (for example because of a DNS naming scheme), you will likely hit an issue where the agent complains that the master's certificate does not match the hostname it connected to.
When a Puppet master is first configured, it uses the hostname derived from the system by default. To support multiple hostnames on the certificate, you need to regenerate the cert.
If you are running Puppet 4, the certs are located in:
/etc/puppetlabs/puppet/ssl
Before doing anything, it’s recommended you make a backup of the ssl directory.
Then stop the puppetserver service.
sudo service puppetserver stop
From within the ssl directory, locate all the existing server certs and remove them:
sudo find . -name "puppet.localdomain.pem" -exec rm -rf {} \;
Replace puppet.localdomain.pem with your master's current hostname, i.e. the name of the cert you are replacing.
Then regenerate the cert with multiple names. The first argument is the new certname; --dns_alt_names lists the additional DNS names agents may use:
sudo /opt/puppetlabs/bin/puppet cert generate puppetserver.localdomain --dns_alt_names=puppet.localdomain,puppet.lab.localdomain
Next, check that your new certs are present. I just issue a find command to validate:
$ find . -name puppetserver.localdomain.pem
./certs/puppetserver.localdomain.pem
./public_keys/puppetserver.localdomain.pem
./private_keys/puppetserver.localdomain.pem
./ca/signed/puppetserver.localdomain.pem
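Finding the files only proves they exist. As an added check that is not part of the original post, the following script reads the DNS names out of a cert's subjectAltName and fails if any name agents will use is missing; it assumes the openssl CLI is installed, and it builds a throwaway self-signed cert (constructed test data, not a Puppet CA cert) with the names from this post so it can be tried without a master.

```shell
#!/bin/sh
# Added check (not from the post): confirm a Puppet master cert carries every
# DNS name agents use. Needs openssl; -addext below needs OpenSSL 1.1.1+.

# cert_dns_names CERT.pem -> print the cert's DNS SANs, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# check_cert_names CERT.pem NAME... -> 0 if every NAME is a DNS SAN (exact
# match, so puppet.localdomain does not satisfy puppet.lab.localdomain),
# 1 otherwise; missing names are reported on stderr.
check_cert_names() {
  cert=$1; shift
  names=$(cert_dns_names "$cert")
  rc=0
  for n in "$@"; do
    if ! printf '%s\n' "$names" | grep -qx -- "$n"; then
      echo "missing SAN: $n" >&2
      rc=1
    fi
  done
  return $rc
}

# make_sample_cert OUT.pem NAME... -> throwaway self-signed cert whose CN is
# the first NAME and whose SANs are all NAMEs (constructed test data only).
make_sample_cert() {
  out=$1; shift
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${out%.pem}.key" -out "$out" \
    -subj "/CN=$1" -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# Demo (sh check_cert_names.sh --demo): sample cert with the post's names,
# then a good and a bad name set. Against the real cert, from the ssl dir:
#   check_cert_names ./certs/puppetserver.localdomain.pem \
#       puppetserver.localdomain puppet.localdomain puppet.lab.localdomain
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_cert "$tmp/sample.pem" puppetserver.localdomain puppet.localdomain puppet.lab.localdomain
  check_cert_names "$tmp/sample.pem" puppetserver.localdomain puppet.lab.localdomain && echo "all names present"
  check_cert_names "$tmp/sample.pem" puppet.prod.localdomain || echo "agents using puppet.prod.localdomain would see a mismatch"
  rm -rf "$tmp"
fi
```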
Check that the puppetserver starts after replacing the certs:
sudo service puppetserver start
If it starts, you can kick off puppet agent runs; as long as agents connect to the master using one of the names on the new cert, the hostname mismatch errors will be gone.