Don Jackson
2008-Dec-11 00:06 UTC
[Puppet Users] how to move certs from one puppetmaster to another, and new server has different hostname?
Hi,

I've learned how to generate client certs on the master, and distribute them to the client machine as part of the OS install process, and added my learnings to the wiki, see:

startup questions - Puppet Users | Google Groups
and
Certificates And Security - puppet - Trac

Now, I need to figure out how to build a new puppetmaster, and transfer all the certs from the previous puppetmaster to the new one. The server that the new puppetmaster runs on will have a different hostname than the old puppetmaster server.

Is this possible?

How can I prevent the first puppetmaster from encoding its hostname in the certs? I just want the puppetmaster and clients to think they are talking to puppet@FQDN, and I'll make sure there is a CNAME in my DNS so that this resolves to whatever machine is running the puppetmaster.

What are the important files to transfer in /etc/puppet/ca?

FYI, I am using version 0.24.4

Any advice appreciated....

Don

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Jeff Leggett
2008-Dec-11 14:51 UTC
[Puppet Users] Re: how to move certs from one puppetmaster to another, and new server has different hostname?
You will have to re-sign them.. that's kind of central to the idea of a CA.

Also, can you LINK your wiki pages above?

On Dec 10, 7:06 pm, Don Jackson <puppet-us...@clark-communications.com> wrote:
> Hi,
>
> I've learned how to generate client certs on the master, and
> distribute them to the client machine as part of the OS install
> process, and added my learnings to the wiki,
> see:
>
> startup questions - Puppet Users | Google Groups
> and
> Certificates And Security - puppet - Trac
>
> Now, I need to figure out how to build a new puppetmaster, and
> transfer all the certs from the previous puppetmaster to the new one.
> The server that the new puppetmaster runs on will have a different
> hostname than the old puppetmaster server.
>
> Is this possible?
>
> How can I prevent the first puppetmaster from encoding its hostname in
> the certs? I just want the puppetmaster and clients to
> think they are talking to puppet@FQDN, and I'll make sure there is a
> CNAME in my DNS so that this resolves to whatever machine is running
> the puppetmaster.
>
> What are the important files to transfer in /etc/puppet/ca ?
>
> FYI, I am using version 0.24.4
>
> Any advice appreciated....
>
> Don