Jason Antman
2009-Jun-10 16:16 UTC
[Puppet Users] Moving to new puppetmaster - certificates
Unfortunately I haven't been able to find anything in the docs...

I just built a new puppetmaster to replace my testing install on an old box. The hostname is different, and obviously the master certificates are different. What needs to be done to the clients to get them to play nice with the new box?

Thanks,
Jason Antman

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
lance dillon
2009-Jun-10 17:49 UTC
[Puppet Users] Re: Moving to new puppetmaster - certificates
On Wed, Jun 10, 2009 at 12:16 PM, Jason Antman <jason@jasonantman.com> wrote:
> Unfortunately I haven't been able to find anything in the docs...
>
> I just built a new puppetmaster to replace my testing install on an old
> box. The hostname is different, and obviously the master certificates
> are different. What needs to be done to the clients to get them to play
> nice with the new box?
>
> Thanks,
> Jason Antman

I ended up deleting /var/lib/puppet/ssl, and rerunning puppet. You have to sign new certs on the new machine, of course.
Paul Lathrop
2009-Jun-10 19:31 UTC
[Puppet Users] Re: Moving to new puppetmaster - certificates
On Wed, Jun 10, 2009 at 9:16 AM, Jason Antman <jason@jasonantman.com> wrote:
> Unfortunately I haven't been able to find anything in the docs...
>
> I just built a new puppetmaster to replace my testing install on an old
> box. The hostname is different, and obviously the master certificates
> are different. What needs to be done to the clients to get them to play
> nice with the new box?

The way I've done this is:

1) Stop puppetd and puppetmasterd on the new box.
2) Delete /var/lib/puppet/ssl on the new box.
3) Copy /var/lib/puppet/ssl from the old box to the new box.
4) Start puppetmasterd on the new box.
5) Start puppetd on the new box.

You may have to tweak the order as I'm going from memory. The basic idea is that you need to have the CA cert from the old box in place before the daemons create the host certificate. This makes sure the new host certificate is signed by the same CA, and should allow existing clients to connect w/o problems. I think I also needed to tweak the certdnsnames parameter.

Sorry this isn't more coherent. Next time I do it, I'll make a wiki page. Hopefully this puts you on the right track at least.

--Paul
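
As an added example that is not part of the thread: a shell check to run on the new master before repointing clients, confirming that its host certificate chains to the CA certificate copied from the old box and is valid for the name the clients connect to (the names in the certificate are what certdnsnames influences). The function names, the example.test hostnames and the throwaway certificates are constructed for illustration; the CA and host certificate files are passed as arguments because the thread does not give their locations under /var/lib/puppet/ssl.

```shell
#!/bin/sh
# Added example, not from the thread. Certificate files are passed as arguments
# (assumption: you locate them under /var/lib/puppet/ssl yourself).

# signed_by CA_CERT HOST_CERT: succeeds only if HOST_CERT chains to CA_CERT.
signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# covers_name HOST_CERT NAME: succeeds if the certificate is valid for NAME.
covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# ready_for_clients CA_CERT HOST_CERT NAME: run both checks, explain a failure.
ready_for_clients() {
    signed_by "$1" "$2" || { echo "FAIL: $2 is not signed by $1"; return 1; }
    covers_name "$2" "$3" || { echo "FAIL: $2 does not cover $3"; return 2; }
    echo "OK: $2 is signed by $1 and covers $3"
}

# make_fixture DIR: constructed throwaway CAs and host certs for a dry run.
# host_old_ca.pem models a master that kept the old CA; host_fresh_ca.pem
# models a master that generated a new CA of its own.
make_fixture() {
    ( cd "$1" || exit 1
      printf 'subjectAltName=DNS:puppet.example.test,DNS:newmaster.example.test\n' > san.cnf
      for ca in old_ca fresh_ca; do
          openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed $ca" \
              -keyout "$ca.key" -out "$ca.pem" 2>/dev/null || exit 1
          openssl req -new -newkey rsa:2048 -nodes -subj "/CN=newmaster.example.test" \
              -keyout "host_$ca.key" -out "host_$ca.csr" 2>/dev/null || exit 1
          openssl x509 -req -in "host_$ca.csr" -CA "$ca.pem" -CAkey "$ca.key" \
              -CAcreateserial -days 1 -extfile san.cnf -out "host_$ca.pem" 2>/dev/null || exit 1
      done )
}

# Dry run on the constructed fixture.
FIXTURE=$(mktemp -d) && make_fixture "$FIXTURE" &&
ready_for_clients "$FIXTURE/old_ca.pem" "$FIXTURE/host_old_ca.pem" puppet.example.test
```

A return code of 1 means the host certificate was issued by a different CA than the one existing clients trust; 2 means the CA is right but the certificate does not list the name the clients use.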