If you change a puppet server's hostname, you also need to generate a new certificate for it and re-issue a certificate to each of its agents.
First, delete the existing certificate on the puppet master. The command below removes the master's whole SSL directory, which also holds the CA when the master acts as the CA:
rm -Rf /etc/puppetlabs/puppet/ssl/
and on the puppetserver / CA issue:
sudo puppet cert destroy <puppetserver.tld>
and then on the puppetserver generate a new CA with:
puppet cert generate puppetserver.int --dns_alt_names=puppetserver,puppetdb
start the server:
puppet master --no-daemonize --debug
and on each puppet agent generate a new certificate, but first ensure the old CA certs etc. have been removed.
Run the following on the master:
puppet cert clean client01
and the following on the client:
sudo service puppet stop
rm -Rf /etc/puppetlabs/puppet/ssl
rm -Rf /opt/puppetlabs/puppet/cache/client_data/catalog/client01.json
sudo service puppet start
puppet agent --test --dns_alt_names=puppetserver,puppetdb
And finally sign them on the puppet
puppet cert --list
puppet cert --allow-dns-alt-names sign puppetserver.int
puppet cert --allow-dns-alt-names sign puppetagent01.int
puppet cert --allow-dns-alt-names sign puppetagent02.int
and so on...
If you are using PuppetDB you will also need to ensure it's using the latest CA cert:
rm -Rf /etc/puppetlabs/puppetdb/ssl
puppetdb ssl-setup
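Signing with --allow-dns-alt-names issues whatever alternative names the request asks for, and a certificate carrying the server's names can be presented as the server, so it is worth reading each pending request before the signing step above. The following is an added example, not part of the original post: it flags alt names a certname is not expected to carry. The function names and the policy (a host may carry its own certname plus names explicitly allowed for it) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag alt names in a CSR that its certname should not carry.
# Input is the text printed by `openssl req -noout -text -in <csr>`.

# Print each DNS alt name found in the CSR text on stdin, one per line.
csr_sans() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# unexpected_sans CERTNAME [ALLOWED_NAME...]   (hypothetical helper)
# Prints every requested alt name that is neither CERTNAME nor an ALLOWED_NAME.
# Returns 0 when nothing unexpected is requested, 1 otherwise.
unexpected_sans() {
    certname=$1
    shift
    bad=$(csr_sans | while read -r name; do
        ok=no
        for allowed in "$certname" "$@"; do
            if [ "$name" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then printf '%s\n' "$name"; fi
    done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample: excerpt of `openssl req -noout -text` for an agent CSR
# created with --dns_alt_names=puppetserver,puppetdb.
SAMPLE_AGENT_CSR='        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:puppetserver, DNS:puppetdb, DNS:puppetagent01.int'

# Constructed sample: the same excerpt for the server's own CSR.
SAMPLE_SERVER_CSR='        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:puppetserver, DNS:puppetdb, DNS:puppetserver.int'

# On the CA (assumes the default csrdir under the ssldir used on this page):
#   csr=/etc/puppetlabs/puppet/ssl/ca/requests/puppetagent01.int.pem
#   openssl req -noout -text -in "$csr" | unexpected_sans puppetagent01.int
#   openssl req -noout -text -in "$server_csr" | \
#       unexpected_sans puppetserver.int puppetserver puppetdb
```

A non-zero return means the request asks for names outside the allowed set; the names are printed so they can be checked before anything is signed.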