Actually, disregard, I'm thinking of the client side.

--
Jake Lundberg
Senior Systems Engineer
[email protected]
+1.310.382.5581

On Wed, Aug 6, 2014 at 11:12 PM, Jake Lundberg <[email protected]> wrote:

> Do you even need to do this? Can't you just use the certname
> configuration variable on the puppetmaster and just set it to the old name?
>
> On Wednesday, August 6, 2014 3:40:38 AM UTC+7, Jose Luis Ledesma wrote:
>>
>> +1
>> You don't need to re-register all clients. Just generate a new cert for
>> the master with both old and new name and sign in.
>>
>> Regards
>>
>> On 05/08/2014 19:29, "Nan Liu" <[email protected]> wrote:
>>
>>> On Tue, Aug 5, 2014 at 10:11 AM, Gabriel Filion <[email protected]> wrote:
>>>
>>>> Hey there,
>>>>
>>>> On 05/08/14 10:45 AM, Danny Roberts wrote:
>>>> > We have a requirement to change the Host name of our Puppet Master (not
>>>> > a great idea but sadly out of my control). I could not find any
>>>> > documentation on this subject, does anyone know the process for doing
>>>> > something like this?
>>>> >
>>>> > Or would it need to be a complete rebuild then re-import of our Puppet code?
>>>>
>>>> I did this some time ago and ended using the "stupid" method. So if
>>>> there's a better way than what I'll describe, please someone step in.
>>>>
>>>> What really matters when you rename your master is your master SSL
>>>> certificate. Clients will be verifying if the puppet master's hostname
>>>> matches the one advertised by the certificate.
>>>>
>>>> So when I changed the hostname, I had to create a new certificate for
>>>> the master, and then recreate certificates for clients and
>>>> "re-registering" all clients to the master. e.g.:
>>>>
>>>> on all clients:
>>>> * wipe out /var/lib/puppet/ssl
>>>> * run puppet agent -t --waitforcert 10
>>>> * on master, sign client certificate
>>>>
>>>> this was very time-consuming though.
>>>>
>>>
>>> Please don't resign all client certificates. All you need to do is
>>> recreate a puppet master certificate with dns alt name accepting both the
>>> old and new puppet master hostname. Because passenger and other
>>> configuration may already refer to the existing pem file name, it's easier
>>> to just add the new hostname to the dns_alt_names accept list:
>>>
>>> Backup your puppet master ssl directory, so you can just retry if
>>> something didn't go as planned.
>>>
>>> # note all certificate alt names of the existing puppet master cert:
>>> puppet cert -la | grep oldmaster
>>> (alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
>>> ...
>>>
>>> # remove your old puppet master cert.
>>> puppet cert -c oldmaster
>>>
>>> # search the ssl dir and it should not have any files with the oldmaster
>>> # certname
>>>
>>> # generate new master cert (same name as old one, but accept
>>> # new_hostname in dns_alt_names):
>>> puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt
>>>
>>> # you may need to copy the files to some locations if you found files
>>> # not removed after the cert clean step
>>>
>>> At this point you can add a host entry on one of your agents and test
>>> via:
>>> puppet agent -t --server new_hostname --noop
>>>
>>> You should not have to touch any client cert, that's only necessary if
>>> you need to change your CA cert which is a pain when it expires.
>>>
>>> HTH,
>>>
>>> Nan
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/CACqVBqCAUEdWujqa6UW%2BfzgJ1y3Db5bjGSOE8Qh5UU_ErqUhCw%40mail.gmail.com.
>>> For more options, visit https://groups.google.com/d/optout.
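
Added example, not part of the original thread: a shell check for the regeneration steps quoted above, comparing the alt names listed for the regenerated master certificate against the names noted before the clean step plus the new hostname. The sample listing lines are constructed in the format quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a regenerated master cert still carries every
# alt name agents rely on. Listing format follows the `puppet cert -la`
# output quoted in the thread; the sample lines below are constructed.

# Print one DNS alt name per line from listing text on stdin.
alt_names() {
    grep -o 'DNS:[^",) ]*' | sed 's/^DNS://' | sort -u
}

# missing_alt_names "<listing line>" name1 name2 ...
# Prints each required name the certificate does not carry;
# returns 0 only when nothing is missing.
missing_alt_names() {
    listing=$1; shift
    have=$(printf '%s\n' "$listing" | alt_names)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -Fqx -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample lines: before the clean step, and two possible results.
BEFORE='+ "oldmaster" (alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )'
AFTER_OK='+ "oldmaster" (alt names "DNS:new_hostname", "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )'
AFTER_BAD='+ "oldmaster" (alt names "DNS:new_hostname", "DNS:puppet", )'

# Names required after the rename: everything the old cert had, plus the new host.
required() {
    printf '%s\n' "$BEFORE" | alt_names
    echo new_hostname
}

# Demonstration on the constructed "bad" result: two old names were dropped.
if miss=$(missing_alt_names "$AFTER_BAD" $(required)); then
    echo "all required alt names present"
else
    echo "missing alt names:" $miss
fi
```

On a real master, capture the `puppet cert -la | grep oldmaster` line before the clean step and again after generation, and run the check before pointing any agent at the new hostname.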
