Tuesday 26 September 2017

Changing a puppet master certificate

If you change a puppet server's hostname you need to generate a new certificate for it. The procedure below does that by wiping and regenerating the CA, so every agent also has to be issued a new certificate signed by the new CA.

Firstly, back up and then delete the existing SSL directory on the puppet master. This removes the CA private key together with every certificate that CA has signed, which is exactly why the agents have to be re-issued afterwards:

rm -Rf /etc/puppetlabs/puppet/ssl/

If the CA lives on a separate host, also remove the old master certificate from it (if master and CA are the same host, the rm above has already done this):

sudo puppet cert destroy <puppetserver.tld>

and then, on the puppetserver, generate the new server certificate. Because no CA exists any more, this also creates a new CA. Pass --dns_alt_names only for the extra names agents will use to reach this host (here the short hostname and the PuppetDB name):

puppet cert generate puppetserver.int --dns_alt_names=puppetserver,puppetdb

start the server, in the foreground with debug output so the incoming certificate requests are visible:

puppet master --no-daemonize --debug

Then generate a new certificate on each puppet agent. Every trace of the old CA must be removed first (the cached ca.pem, the agent's certificate and its key); an agent that still holds the old ca.pem will reject the new server certificate, since it was signed by a different CA.

Run the following on the master, so that any certificate the CA still holds for the client is revoked and removed and does not block the new request:

puppet cert clean client01

and the following on the client. The agent run generates a fresh key, submits the certificate request and exits until the request has been signed:

sudo service puppet stop
rm -Rf /etc/puppetlabs/puppet/ssl
rm -Rf /opt/puppetlabs/puppet/cache/client_data/catalog/client01.json
puppet agent --test

Only on the master's own agent, the one host that really is reachable as puppetserver and puppetdb, run it as puppet agent --test --dns_alt_names=puppetserver,puppetdb instead. Ordinary agents should not request alt names: a certificate carrying them lets that host impersonate the server. Once the request has been signed on the master (next step), start the daemon again:

sudo service puppet start

And finally sign them on the puppet master / CA. List the pending requests first and check that each name and, where present, each alt name is one you expect:

puppet cert list

--allow-dns-alt-names is needed only for the request that actually carries alt names (the master's own); plain agent requests are signed without it:

puppet cert --allow-dns-alt-names sign puppetserver.int

puppet cert sign puppetagent01.int

puppet cert sign puppetagent02.int

and so on...

If you are using PuppetDB you will also need to replace its copies of the old certificates. puppetdb ssl-setup takes the CA certificate, host certificate and key from the master's agent ssl directory, so run it after the master's new certificate is in place, then restart the puppetdb service:

rm -Rf /etc/puppetlabs/puppetdb/ssl

puppetdb ssl-setup
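The client-side part of the procedure above, wrapped in a script with the checks a practitioner would want before trusting the result. This is an added example and not code from the original post or from Puppet itself: it assumes the Puppet 4/5 AIO paths used above, that it runs as root on the agent with puppet, service and openssl on PATH, and that a trusted copy of the new CA certificate (the ca.pem from the master's ssl/ca directory) has been delivered to the agent out of band, so the script can confirm the agent ended up trusting that CA and no other. The variable and function names (SSLDIR, CACHEDIR, ALT_NAMES, agent_ca_state, cert_signed_by, reissue_agent) are the script's own.

```shell
#!/bin/sh
# Re-key one Puppet agent against a regenerated CA and verify the result.
# Added example, not code from the original post. Assumes Puppet 4/5 AIO
# paths, root on the agent, puppet/service/openssl on PATH, and a copy of the
# NEW CA certificate delivered out of band (argument to reissue_agent).
# SSLDIR, CACHEDIR and ALT_NAMES are this script's own names, not puppet settings.

SSLDIR=${SSLDIR:-/etc/puppetlabs/puppet/ssl}
CACHEDIR=${CACHEDIR:-/opt/puppetlabs/puppet/cache}
# Only the master's own agent serves under extra names; ordinary agents keep this empty.
ALT_NAMES=${ALT_NAMES:-}

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Classify an agent ssl dir against the new CA's fingerprint. Prints
# "missing" (no CA cert cached), "stale" (a different CA is still cached)
# or "current" (the cached ca.pem is the new CA).
agent_ca_state() {
  cafile="$1/certs/ca.pem"
  if [ ! -r "$cafile" ]; then
    echo missing
  elif [ "$(ca_fingerprint "$cafile")" = "$2" ]; then
    echo current
  else
    echo stale
  fi
}

# Succeeds (exit 0) only when certificate $1 chains to CA certificate $2.
cert_signed_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The client-side steps from the post, bracketed by the checks above.
# $1 = path to a trusted copy of the new CA certificate.
reissue_agent() {
  newca=$1
  [ -r "$newca" ] || { echo "cannot read new CA certificate $newca" >&2; return 1; }
  expected=$(ca_fingerprint "$newca")
  certname=$(puppet config print certname)

  service puppet stop
  # Drop everything tied to the old CA (key, cert, CRL, cached ca.pem) and the cached catalog.
  rm -rf "$SSLDIR" "$CACHEDIR/client_data/catalog/$certname.json"

  # Generate a fresh key and CSR, then poll for up to 10 minutes while the
  # request is signed on the master (puppet cert sign <certname>).
  if [ -n "$ALT_NAMES" ]; then
    puppet agent --test --waitforcert 600 --dns_alt_names="$ALT_NAMES"
  else
    puppet agent --test --waitforcert 600
  fi

  # Do not bring the daemon back unless the agent now trusts exactly the new CA
  # and holds a certificate issued by it.
  state=$(agent_ca_state "$SSLDIR" "$expected")
  if [ "$state" != current ]; then
    echo "CA certificate in $SSLDIR is $state; leaving agent stopped" >&2
    return 1
  fi
  if ! cert_signed_by "$SSLDIR/certs/$certname.pem" "$newca"; then
    echo "$certname.pem was not issued by the new CA; leaving agent stopped" >&2
    return 1
  fi
  service puppet start
}

# Usage on an agent: sh reissue-agent.sh run /root/new-ca.pem
if [ "${1:-}" = run ]; then
  reissue_agent "$2"
fi
```

The fingerprint comparison is what catches the failure mode the post warns about (an old ca.pem left behind), and the chain check catches a request that was signed by something other than the CA you just generated; if either fails the agent stays stopped rather than running against a server it cannot verify.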


