This section provides guidance for when the Puppet server is behind a NAT but is managing hosts outside the NAT.
Your puppet server certificate must have all names in it that are used by any client. To update your certificates follow the guidance:
Add the alternative certificate names (in a comma-seperated list) in /etc/puppet/puppet.conf
[main]
dns_alt_names = hostname.your.domain,hostname.your.other.domain
Regenerate ALL certificates on Puppet:
http://docs.puppetlabs.com/puppet/3.8/reference/ssl_regenerate_certificates.html
In Section 2 of the web page above that says update your Puppetdb certificates follow the instructions in Step 3, option A at this location: