+1 You don't need to re-register all clients. Just generate a new cert for the master with both old and new name and sign in.
Regards

On 05/08/2014 19:29, "Nan Liu" <[email protected]> wrote:

> On Tue, Aug 5, 2014 at 10:11 AM, Gabriel Filion <[email protected]> wrote:
>
>> Hey there,
>>
>> On 05/08/14 10:45 AM, Danny Roberts wrote:
>> > We have a requirement to change the Host name of our Puppet Master (not a great idea but sadly out of my control). I could not find any documentation on this subject, does anyone know the process for doing something like this?
>> >
>> > Or would it need to be a complete rebuild then re-import of our Puppet code?
>>
>> I did this some time ago and ended up using the "stupid" method. So if there's a better way than what I'll describe, please someone step in.
>>
>> What really matters when you rename your master is your master SSL certificate. Clients will be verifying if the puppet master's hostname matches the one advertised by the certificate.
>>
>> So when I changed the hostname, I had to create a new certificate for the master, and then recreate certificates for clients and "re-register" all clients to the master. e.g.:
>>
>> on all clients:
>> * wipe out /var/lib/puppet/ssl
>> * run puppet agent -t --waitforcert 10
>> * on master, sign client certificate
>>
>> this was very time-consuming though.
>
> Please don't resign all client certificates. All you need to do is recreate a puppet master certificate with dns alt name accepting both the old and new puppet master hostname. Because passenger and other configuration may already refer to the existing pem file name, it's easier to just add the new hostname to the dns_alt_names accept list:
>
> Backup your puppet master ssl directory, so you can just retry if something didn't go as planned.
>
> # note all certificate alt names of the existing puppet master cert:
> puppet cert -la | grep oldmaster
> (alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
> ...
>
> # remove your old puppet master cert.
> puppet cert -c oldmaster
>
> # search the ssl dir and it should not have any files with the oldmaster certname
>
> # generate new master cert (same name as old one, but accept new_hostname in dns_alt_names):
> puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt
>
> # you may need to copy the files to some locations if you found files not removed after the cert clean step
>
> At this point you can add a host entry on one of your agents and test via:
> puppet agent -t --server new_hostname --noop
>
> You should not have to touch any client cert, that's only necessary if you need to change your CA cert which is a pain when it expires.
>
> HTH,
>
> Nan
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACqVBqCAUEdWujqa6UW%2BfzgJ1y3Db5bjGSOE8Qh5UU_ErqUhCw%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAF_B3df6HjApiN%2B_Fv%3DjJ71d4zs9cdVVOvbec9LAOhGyBwNiFQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
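The step in Nan's procedure that is easiest to get wrong is the "note all certificate alt names" one: if the `--dns_alt_names` value passed to `puppet cert -g` omits any name the old cert carried (`puppet`, `puppet-master`, ...), every agent whose `server` setting uses that name stops trusting the master. The helper below is an added example, not code from the thread or from Puppet. It parses a `puppet cert -la` listing, checks whether a hostname is already covered by the master cert (certname plus `DNS:` alt names, case-insensitively), and builds the `puppet cert -g ... --dns_alt_names=...` command so that every existing alt name is preserved and the new hostname is appended. The listing format (`+ "certname" (SHA256) fingerprint (alt names: "DNS:a", "DNS:b")`) is an approximation of Puppet 3.x output and an assumption of this example; the sample listing, fingerprints and hostnames are constructed.

```python
"""Added example: plan a Puppet master rename from `puppet cert -la` output.

Assumed listing format (approximation of Puppet 3.x, one cert per line):
    + "certname" (SHA256) AA:BB:... (alt names: "DNS:a", "DNS:b")
Status column: '+' signed, '-' pending request, '!' invalid.
"""
import re

# Constructed sample of `puppet cert -la` output; fingerprints are fake.
SAMPLE_LISTING = '''\
+ "oldmaster" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00 (alt names: "DNS:oldmaster", "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt")
+ "web01.example.com" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
- "web02.example.com" (SHA256) ...
'''

# Status, quoted certname, anything, then an optional "(alt names: ...)" group.
_LINE_RE = re.compile(
    r'^(?P<status>[+!-])\s+"(?P<certname>[^"]+)".*?'
    r'(?:\(alt names:\s*(?P<alts>[^)]*)\))?\s*$'
)


def parse_cert_listing(text):
    """Return {certname: {"status": str, "alt_names": [str, ...]}}.

    Only DNS alt names are collected; other SAN types (e.g. IP) are ignored
    because --dns_alt_names only accepts DNS names.
    """
    certs = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        alts = re.findall(r'"DNS:([^"]+)"', m.group("alts") or "")
        certs[m.group("certname")] = {"status": m.group("status"), "alt_names": alts}
    return certs


def names_served_by(certname, alt_names):
    """Hostnames agents may use to reach this cert: the certname (CN) plus DNS SANs."""
    return {certname.lower().rstrip(".")} | {a.lower().rstrip(".") for a in alt_names}


def covers_hostname(certname, alt_names, hostname):
    """True if an agent using `--server hostname` would match this cert (exact, case-insensitive)."""
    return hostname.lower().rstrip(".") in names_served_by(certname, alt_names)


def build_dns_alt_names(certname, alt_names, new_hostname):
    """--dns_alt_names value: every existing alt name kept, in order, plus the new
    hostname, with case-insensitive duplicates dropped. `certname` is unused here
    but kept so the signature mirrors covers_hostname()."""
    merged, seen = [], set()
    for name in list(alt_names) + [new_hostname]:
        key = name.lower().rstrip(".")
        if key in seen:
            continue
        seen.add(key)
        merged.append(name)
    return ",".join(merged)


def plan_rename(listing, certname, new_hostname):
    """Return (already_covered, regen_command).

    regen_command is None when the current master cert already serves
    new_hostname; otherwise it is the `puppet cert -g` invocation from the
    thread with a merged --dns_alt_names list.
    """
    certs = parse_cert_listing(listing)
    if certname not in certs:
        raise KeyError("no certificate named %r in listing" % certname)
    alts = certs[certname]["alt_names"]
    if covers_hostname(certname, alts, new_hostname):
        return True, None
    cmd = "puppet cert -g %s --dns_alt_names=%s" % (
        certname, build_dns_alt_names(certname, alts, new_hostname))
    return False, cmd


if __name__ == "__main__":
    covered, cmd = plan_rename(SAMPLE_LISTING, "oldmaster", "newmaster")
    print("already covered:", covered)
    print("regenerate with:", cmd)
```

Run it against the real listing (`puppet cert -la > listing.txt`, then `plan_rename(open("listing.txt").read(), "oldmaster", "new_hostname")`) before the `puppet cert -c oldmaster` step, and again after `puppet cert -g` so that `covers_hostname` confirms the regenerated cert carries both the old and the new name before the `puppet agent -t --server new_hostname --noop` test.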
