Home > System Administration > Puppetmaster cert change

Puppetmaster cert change

Some day I will need this. Hat tip to Nan Liu.

From the puppet-users mailing list

Backup your puppet master ssl directory, so you can just retry if something didn’t go as planned.

# note all certificate alt names of the existing puppet master cert:
puppet cert -la | grep oldmaster
(alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
# remove your old puppet master cert.
puppet cert -c oldmaster
# search the ssl dir and it should not have any files with the oldmaster certname
# generate new master cert (same name as old one, but accept new_hostname in dns_alt_names):
puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt
# you may need to copy the files to some locations if you found files not removed after the cert clean step

At this point you can add a host entry on one of your agents and test via:
puppet agent -t –server new_hostname –noop

You should not have to touch any client cert, that’s only necessary if you need to change your CA cert which is a pain when it expires.



Categories: System Administration Tags: