
Puppet how is a certname determined?


How exactly are the default Puppet cert-names generated?

I always assumed it was simply the hostname, but when changing the router a device uses I noticed it changed in the following pattern.

oldCertName -> oldCertName.ccapcable.com

Where ccapcable.com is the name of the Internet provider. This has caused some trouble as it is now a new entry in PuppetDB.


Solution

  • Puppet indeed does use the hostname as the default certname. Note well that it accepts whatever the machine says is its hostname. In particular, if the machine obtains its hostname via DHCP or some other dynamic mechanism, then its hostname -- and therefore its default certname -- may occasionally change.

    Moreover, do not confuse a machine's hostname with its qualified or unqualified DNS domain name. There is no requirement for them to agree. In fact, although it is common for machines' host names to agree with either their simple or their fully-qualified domain names, there is no standardization or general convention for which one they should agree with.

    As you probably have gathered, I have a speculation about what happened here. I suspect that:

    1. Your machine gets its hostname via DHCP
    2. Because of or in conjunction with the router change, your DHCP service provider changed the format of the dynamic hostname it issues, from an unqualified one to a qualified one.
    3. Since it relies on the default certname, your machine's certname changed as well.
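
A check for the situation described in the answer above, added here as an example and not part of the original answer: it reads a puppet.conf and reports whether `certname` is set explicitly or left to follow the hostname. The function names, status strings and sample files are constructed for illustration; `certname` and the `[main]`/`[agent]` sections are Puppet's own.

```shell
#!/bin/sh
# Added example (not from the original answer). Sample files are constructed.

# pinned_certname FILE
# Print the certname explicitly set in puppet.conf; [agent] overrides [main].
# Returns 1 when none is set, i.e. the agent falls back to the default.
pinned_certname() {
    awk '
        /^[ \t]*#/  { next }                              # skip comments
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next }
        /^[ \t]*certname[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")  # keep the value only
            if (section == "agent") from_agent = $0
            if (section == "main")  from_main = $0
        }
        END {
            if (from_agent != "")     print from_agent
            else if (from_main != "") print from_main
            else exit 1
        }' "$1"
}

# identity_status FILE LAST_KNOWN CURRENT_HOSTNAME
# LAST_KNOWN is the certname the server already holds a certificate for.
# CURRENT_HOSTNAME is what the machine reports now (assumed to be the default).
identity_status() {
    if pinned=$(pinned_certname "$1"); then
        if [ "$pinned" = "$2" ]; then echo "pinned"; else echo "pinned-mismatch"; fi
    elif [ "$3" = "$2" ]; then
        echo "unpinned-stable"     # fine today, changes if the hostname changes
    else
        echo "unpinned-drifted"    # next run presents a new identity
    fi
}

# Constructed sample configs reproducing the question's scenario.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[main]\nserver = puppet.example.test\n' > "$demo_dir/unpinned.conf"
printf '[main]\nserver = puppet.example.test\n[agent]\ncertname = oldCertName\n' \
    > "$demo_dir/pinned.conf"

identity_status "$demo_dir/unpinned.conf" oldCertName oldCertName.ccapcable.com
identity_status "$demo_dir/pinned.conf"   oldCertName oldCertName.ccapcable.com
```

On a real agent the name can be pinned with `puppet config set certname <name> --section main`, after which a DHCP-driven hostname change no longer alters the node's certificate identity.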