Ask Your Question

Puppet new puppetmaster from another master

asked 2013-05-08 10:33:02 -0600

alexbridge gravatar image

updated 2013-05-09 04:29:13 -0600

I'd like to be able to puppet a new puppetmaster (B) from an existing puppetmaster (A). Other machines would then be puppetted from (B), but I'd like (B) to carry on being puppetted by (A). This effectively means that (B) keeps it's client key from it's interaction with (A), but generates a new server key that it uses for all it's future interactions. Is it possible to keep the two keys separate?

Update 2013-05-09

I've updated my puppet.conf to include two certnames as suggested below:

    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig ...
edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2013-05-16 16:50:11 -0600

Stefan gravatar image

I guess you'll have to specify a different ssldir (e.g. /var/lib/puppet/masterssl and /var/lib/puppet/agentssl) in both sections (you should be able to drop the certname setting in this case)

edit flag offensive delete link more

answered 2013-05-08 14:31:41 -0600

Ancillas gravatar image

Yes. You can define two separate keys in puppet.conf.

    certname =

    certname =

puppetmaster (A) would sign and puppetmaster (B) would sign, and all client keys that will be used with the puppetmaster (B) server.

edit flag offensive delete link more


This is a great answer, but I'm having problems getting puppetmaster (B) to sign When I try and start the puppetmaster on B, I get ...(more)

alexbridge gravatar imagealexbridge ( 2013-05-09 04:16:36 -0600 )edit

I guess you'll have to specify a different ssldir (e.g. /var/lib/puppet/masterssl and /var/lib/puppet/agentssl) in both sections (you should be able to drop ...(more)

Stefan gravatar imageStefan ( 2013-05-09 16:55:27 -0600 )edit

@Stefan yes that worked thank you. If you want to cut and paste your suggestion into an answer, I could mark it as accepted?

alexbridge gravatar imagealexbridge ( 2013-05-16 11:16:07 -0600 )edit

Since using different ssldirs was the answer, I removed my comment that suggested otherwise.

Ancillas gravatar imageAncillas ( 2013-05-16 15:16:01 -0600 )edit

Thank you @Ancillas

alexbridge gravatar imagealexbridge ( 2013-05-17 02:21:41 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2013-05-08 10:33:02 -0600

Seen: 201 times

Last updated: May 16 '13