Hey all, I need to move my puppet master to a different host with a different hostname. Is there a fancy way to do this that doesn''t involve manually going to each client and cleaning the certificates? Thanks, --Jay -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Thu, Oct 28, 2010 at 5:41 PM, Jay Adkisson <j4yferd@gmail.com> wrote:> Hey all, > > I need to move my puppet master to a different host with a different > hostname. Is there a fancy way to do this that doesn''t involve manually > going to each client and cleaning the certificates? >the only thing you need to move is the ca directory. ssldir/ca then you can regenerate a new master SSL certificate from that CA. As long as the certificate is signed by the same CA which the clients already trust it will work without having to touch the clients.> Thanks, > --Jay > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Fri, Oct 29, 2010 at 08:48:22AM -0700, Dan Bode wrote:> On Thu, Oct 28, 2010 at 5:41 PM, Jay Adkisson <j4yferd@gmail.com> wrote: > > > Hey all, > > > > I need to move my puppet master to a different host with a different > > hostname. Is there a fancy way to do this that doesn''t involve manually > > going to each client and cleaning the certificates? > > > > the only thing you need to move is the ca directory. > > ssldir/ca > > then you can regenerate a new master SSL certificate from that CA. As long > as the certificate is signed by the same CA which the clients already trust > it will work without having to touch the clients.If you were careful when creating the original certificate, you won''t even have to generate a new cert. I always give the puppetmaster in any domain a CNAME or A record of puppet.<insert domain name here>, whatever it''s own name. I then set certname and certdnsnames in the puppetmaster config and start it up - a certificate with the right CN will be created. -- Bruce Get thee behind me, Stan: for it is written, thou hast gotten me into another fine mess. -- Oliver 4:8 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Awesome, thanks guys. I think this time I''ll have to move the ca directory and generate the new cert, but since we do have an alias of "puppet" which I''m going to switch over, I''ll definitely look into using those "certname" and "certdnsnames" options. Thanks! Peace, --Jay On Fri, Oct 29, 2010 at 10:08 AM, Bruce Richardson <itsbruce@workshy.org>wrote:> On Fri, Oct 29, 2010 at 08:48:22AM -0700, Dan Bode wrote: > > On Thu, Oct 28, 2010 at 5:41 PM, Jay Adkisson <j4yferd@gmail.com> wrote: > > > > > Hey all, > > > > > > I need to move my puppet master to a different host with a different > > > hostname. Is there a fancy way to do this that doesn''t involve > manually > > > going to each client and cleaning the certificates? > > > > > > > the only thing you need to move is the ca directory. > > > > ssldir/ca > > > > then you can regenerate a new master SSL certificate from that CA. As > long > > as the certificate is signed by the same CA which the clients already > trust > > it will work without having to touch the clients. > > If you were careful when creating the original certificate, you won''t > even have to generate a new cert. I always give the puppetmaster in any > domain a CNAME or A record of puppet.<insert domain name here>, whatever > it''s own name. I then set certname and certdnsnames in the puppetmaster > config and start it up - a certificate with the right CN will be created. > > > -- > Bruce > > Get thee behind me, Stan: for it is written, thou hast gotten me into > another fine mess. -- Oliver 4:8 > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.