Do you even need to do this? Can't you just use the certname configuration variable on the puppetmaster and just set it to the old name?
On Wednesday, August 6, 2014 3:40:38 AM UTC+7, Jose Luis Ledesma wrote:
>
> +1
> You don't need to re-register all clients. Just generate a new cert for
> the master with both old and new name and sign in.
>
> Regards
> On 05/08/2014 19:29, "Nan Liu" <[email protected]> wrote:
>
>> On Tue, Aug 5, 2014 at 10:11 AM, Gabriel Filion <[email protected]> wrote:
>>
>>> Hey there,
>>>
>>> On 05/08/14 10:45 AM, Danny Roberts wrote:
>>> > We have a requirement to change the Host name of our Puppet Master (not
>>> > a great idea but sadly out of my control). I could not find any
>>> > documentation on this subject, does anyone know the process for doing
>>> > something like this?
>>> >
>>> > Or would it need to be a complete rebuild then re-import of our Puppet
>>> > code?
>>>
>>> I did this some time ago and ended up using the "stupid" method. So if
>>> there's a better way than what I'll describe, please someone step in.
>>>
>>> What really matters when you rename your master is your master SSL
>>> certificate. Clients will be verifying if the puppet master's hostname
>>> matches the one advertised by the certificate.
>>>
>>> So when I changed the hostname, I had to create a new certificate for
>>> the master, and then recreate certificates for clients and
>>> "re-register" all clients to the master. e.g.:
>>>
>>> on all clients:
>>> * wipe out /var/lib/puppet/ssl
>>> * run puppet agent -t --waitforcert 10
>>> * on master, sign client certificate
>>>
>>> this was very time-consuming though.
>>>
>> Please don't resign all client certificates. All you need to do is
>> recreate a puppet master certificate with dns alt name accepting both the
>> old and new puppet master hostname. Because passenger and other
>> configuration may already refer to the existing pem file name, it's easier
>> to just add the new hostname to the dns_alt_names accept list:
>>
>> Backup your puppet master ssl directory, so you can just retry if
>> something didn't go as planned.
>>
>> # note all certificate alt names of the existing puppet master cert:
>> puppet cert -la | grep oldmaster
>> (alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
>> ...
>>
>> # remove your old puppet master cert.
>> puppet cert -c oldmaster
>>
>> # search the ssl dir and it should not have any files with the oldmaster
>> # certname
>>
>> # generate new master cert (same name as old one, but accept new_hostname
>> # in dns_alt_names):
>> puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt
>>
>> # you may need to copy the files to some locations if you found files not
>> # removed after the cert clean step
>>
>> At this point you can add a host entry on one of your agents and test via:
>> puppet agent -t --server new_hostname --noop
>>
>> You should not have to touch any client cert, that's only necessary if
>> you need to change your CA cert which is a pain when it expires.
>>
>> HTH,
>>
>> Nan
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACqVBqCAUEdWujqa6UW%2BfzgJ1y3Db5bjGSOE8Qh5UU_ErqUhCw%40mail.gmail.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e3813e2f-832e-4c61-bd97-367dc71f1d45%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
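A pre-flight check for the rename procedure Nan describes above, added here as an example and not part of the thread: before pointing agents at the new name, confirm the regenerated master certificate actually lists every hostname agents will connect to (CN plus DNS subjectAltNames). It assumes `openssl` (1.1.1 or newer, for `-addext`) is installed; the certificate it inspects is a constructed self-signed sample standing in for the master's own pem file.

```shell
#!/bin/sh
# Added example: verify a Puppet master cert covers the hostnames agents use.
# Assumes openssl is available. The cert below is constructed sample data.
set -e

# Print the DNS names a certificate is valid for: the CN and every DNS: SAN.
cert_dns_names() {
  cert="$1"
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 if the certificate is valid for the exact hostname given, else 1.
cert_covers() {
  cert_dns_names "$1" | grep -qx "$2"
}

# Check a list of hostnames against the cert; report each, fail if any is missing.
check_master_cert() {
  cert="$1"; shift
  rc=0
  for name in "$@"; do
    if cert_covers "$cert" "$name"; then
      echo "ok      $name"
    else
      echo "MISSING $name"; rc=1
    fi
  done
  return $rc
}

# Constructed sample cert, shaped like the output of
#   puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master
# (note: puppet.mgmt from the original alt-name list is deliberately left out).
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$tmp/key.pem" -out "$tmp/oldmaster.pem" -subj '/CN=oldmaster' \
  -addext 'subjectAltName=DNS:new_hostname,DNS:puppet,DNS:puppet-master' \
  >/dev/null 2>&1
MASTER_CERT="$tmp/oldmaster.pem"

# Names agents are configured with; the check flags puppet.mgmt as MISSING.
check_master_cert "$MASTER_CERT" oldmaster new_hostname puppet puppet.mgmt || true
```

Run it against the real master cert (`$ssldir/certs/<certname>.pem`) with the hostnames from your agents' `server` settings; a MISSING line means those agents would fail hostname verification after the cutover.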
