Puppetmaster cert change
August 6th, 2014
Some day I will need this. Hat tip to Nan Liu.
From the puppet-users mailing list
Back up your puppet master ssl directory, so you can just retry if something didn’t go as planned.

    # note all certificate alt names of the existing puppet master cert:
    puppet cert -la | grep oldmaster
    (alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", ) ...
    # remove your old puppet master cert.
    puppet cert -c oldmaster
    # search the ssl dir and it should not have any files with the oldmaster certname
    # generate new master cert (same name as old one, but accept new_hostname in dns_alt_names):
    puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt
    # you may need to copy the files to some locations if you found files not removed after the cert clean step

At this point you can add a host entry on one of your agents and test via:

    puppet agent -t --server new_hostname --noop

You should not have to touch any client cert; that’s only necessary if you need to change your CA cert, which is a pain when it expires.
HTH,
Nan
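
A check for the procedure quoted above, as an added example that is not part of the original post: it compares the alt names noted before the clean step with those on the regenerated cert and reports any that were dropped. The function names are hypothetical, and the listing lines (including the fingerprints) are constructed samples in the alt-name format the post shows.

```shell
#!/bin/sh
# Added example (not from the original post). Input is one line of
# `puppet cert -la | grep <certname>` output, saved before and after the change.

# Print the DNS alt names found on one listing line, one per line, sorted.
alt_names() {
    printf '%s\n' "$1" | grep -o '"DNS:[^"]*"' \
        | sed 's/^"DNS://; s/"$//' | LC_ALL=C sort -u
}

# Print each alt name that is on the old line but not on the new one.
# Returns 0 when the new cert covers every old name, 1 otherwise.
missing_alt_names() {
    new_names=$(alt_names "$2")
    status=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$new_names" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
            status=1
        fi
    done <<EOF
$(alt_names "$1")
EOF
    return $status
}

# Constructed sample lines; the fingerprints are placeholders.
OLD_LINE='+ "oldmaster" (SHA256) 00:11:22 (alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )'
NEW_LINE='+ "oldmaster" (SHA256) 33:44:55 (alt names "DNS:new_hostname", "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )'
BAD_LINE='+ "oldmaster" (SHA256) 66:77:88 (alt names "DNS:new_hostname", "DNS:puppet", "DNS:puppet-master", )'

for candidate in "$NEW_LINE" "$BAD_LINE"; do
    if dropped=$(missing_alt_names "$OLD_LINE" "$candidate"); then
        echo "OK: new cert covers every old alt name"
    else
        echo "MISSING from new cert: $dropped"
    fi
done
```

Agents that still reach the master under a name missing from the new cert will fail server certificate verification, so run the comparison before pointing agents at the new host.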