I struggled with this for a few days before figuring it out, so I’ll post it here in hopes it saves someone a few minutes. When you install Puppet and start the puppetmaster (WEBrick or Rack-enabled), it generates an SSL cert for that machine and also generates a CA that you will use to sign all of your clients.
Recent versions of Puppet do not add subjectAltNames to the server certificate when it’s generated by the puppetmaster process. This means that if you do not use the same name as your master’s hostname to connect to Puppet, you will get a lovely cert mismatch. I posted a question on serverfault about this (here). It looks like the common practice for EC2 in particular is to use a UUID as the certname for each Puppet client. This avoids name collisions and problems with hostnames changing every time the instance is rebooted. It’s a little harder to keep track of since they aren’t very easy to remember, so caveat emptor.
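The mismatch described above can be reproduced offline with Ruby's standard OpenSSL library. This is an added example, not code from Puppet or from the original post; the hostname `ip-10-0-0-12.ec2.internal` and the alias `puppet` are constructed, and the self-signed certificates stand in for the one the puppetmaster generates.

```ruby
require 'openssl'

# Build a throwaway self-signed server cert (constructed sample, not a real
# Puppet CA-issued cert). alt_names become DNS entries in subjectAltName.
def build_cert(common_name, alt_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# For each name a client might put in its `server` setting, report whether
# TLS hostname verification against this cert would succeed.
def name_check(cert, names)
  names.map { |n| [n, OpenSSL::SSL.verify_certificate_identity(cert, n)] }.to_h
end

MASTER_FQDN = 'ip-10-0-0-12.ec2.internal' # constructed hostname
CLIENT_NAMES = [MASTER_FQDN, 'puppet']    # names clients connect with

if __FILE__ == $0
  {
    'no SAN'              => build_cert(MASTER_FQDN),
    'SAN: alias only'     => build_cert(MASTER_FQDN, ['puppet']),
    'SAN: alias and FQDN' => build_cert(MASTER_FQDN, ['puppet', MASTER_FQDN])
  }.each do |label, cert|
    puts "#{label}: #{name_check(cert, CLIENT_NAMES)}"
  end
end
```

Note the middle case: once a certificate carries any DNS subjectAltName, the CN is no longer consulted, so the master's own hostname has to be listed alongside the aliases.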
We’ve been a big NAS shop for a number of years, actually well before I came on board. We are starting to use SAN more and more nowadays. We have a much more stable SAN fabric (the network side of Fibre Channel storage for those of you keeping score at home). So I spent several days before the break fighting with various SAN issues. Most of them were my lack of particular experience with our SAN implementation as well as host-level tools. The pain of SAN comes largely from the host end. Your SAN device (even in our case with NetApp) is probably pretty good at doing its end and is well documented. But on the Linux side SAN is very vendor specific, which always leads to problems. For example, if you are using an EMC you have to get supported HBAs, then in some cases run a custom kernel to support that HBA, and then you probably end up needing vendor-specific tools for handling things. In my setup I don’t need a custom kernel, but we do have to support a small vendor package of tools. NetApp is actually pretty good when it comes to Linux support; they package RPMs in most cases and stay current with versions as far as support.