3

How to migrate CA certificates to new master?

asked 2013-07-17 15:30:04 -0500 by stormmaster

We want to move our certificates to a new master so we can end-of-life the old masters. Does anyone have documentation on best practices? We were thinking we could just spin up new masters and tell the agents to talk to the new ones, but we're not sure of the best way to tackle this.


5 Answers

5

answered 2013-07-18 03:45:23 -0500 by gh

On the new system, ensure you have the following in puppet.conf in the [main] section.

ca = true

Given the host names are the same, you can just copy the ssl dir.

SSLDIR=$(puppet config print ssldir)
rsync -avp ${SSLDIR}/ new_puppet_ca:${SSLDIR}/

Recommend using a CNAME for puppetca that points to your CA system. In your puppet.conf you would have the following in the [agent] section.

ca_server = puppetca.example.com 

You could also get around this by setting autosign = true on the master. Then remove the ssldir on all your agents and when they connect to the new system ... (more)


Comments

If the hostnames are different, can we still copy the SSLDIR? (i.e. OldCAName to NewCAName)

stormmaster (2013-07-18 09:41:56 -0500)

No. If you change your CA's hostname, then you need to generate a new CA cert. If you generate a new CA cert, you need to generate new client ...(more)

Ancillas (2013-07-18 12:01:32 -0500)

I'm planning to build a new puppetmaster soon, so what do you mean by "subject alternative names"? Is there a guide anywhere that explains how to set this subject alternative name up?

schowdhury (2016-04-23 04:12:16 -0500)
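Following up the first answer and the comment thread above: before running the rsync from that answer, it is worth checking that the master certificate in the ssldir actually names the host the agents will be pointed at. Agents perform ordinary TLS hostname verification of the name in their `server` / `ca_server` setting against the certificate's CN or DNS subjectAltNames (the names Puppet's `dns_alt_names` setting populates), so a certificate copied over from the old master that only names the old host is rejected as soon as agents are repointed. The script below is an added example, not code from the answer or from Puppet; it assumes the Puppet ssldir layout `certs/<certname>.pem`, `openssl` on the PATH, and builds a constructed self-signed test certificate for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): pre-flight check before
# rsyncing an old master's ssldir to a new master. Agents check the name
# they connect to (server / ca_server) against the CN or a DNS
# subjectAltName of the master certificate, so a copied certificate that
# only names the old host is rejected once agents are repointed.
# Assumed Puppet ssldir layout: SSLDIR/certs/<certname>.pem.
set -euo pipefail

# Print the CN of a PEM certificate (handles both openssl subject formats:
# "subject= /CN=x" and "subject=CN = x").
cert_cn() {
  openssl x509 -in "$1" -noout -subject \
    | sed -E 's|.*CN *= *([^,/]+).*|\1|; s|[[:space:]]+$||'
}

# Print the DNS subjectAltNames of a PEM certificate, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -nE 's|^[[:space:]]*DNS:([^[:space:]]+).*|\1|p'
}

# cert_covers_name CERT NAME: succeed iff NAME is the CN or a DNS SAN.
# grep reads all of its input (no -q) so pipefail cannot trip on an early exit.
cert_covers_name() {
  local cert="$1" name="$2"
  [ "$(cert_cn "$cert")" = "$name" ] && return 0
  cert_dns_sans "$cert" | grep -xF -- "$name" > /dev/null
}

# preflight_ssldir SSLDIR CERTNAME NEW_NAME: refuse the migration unless the
# master cert SSLDIR/certs/CERTNAME.pem covers NEW_NAME.
preflight_ssldir() {
  local ssldir="$1" certname="$2" new_name="$3"
  local cert="$ssldir/certs/$certname.pem"
  if [ ! -r "$cert" ]; then
    echo "no master certificate at $cert" >&2
    return 2
  fi
  if cert_covers_name "$cert" "$new_name"; then
    echo "OK: $cert covers $new_name"
  else
    echo "REFUSING: $cert has CN=$(cert_cn "$cert") and does not cover" \
         "$new_name; agents using server=$new_name would fail TLS" \
         "validation. Reissue the cert with $new_name as a dns_alt_name" \
         "or keep the old hostname." >&2
    return 1
  fi
}

# make_test_cert OUT_PEM CN SANS: constructed self-signed certificate for the
# demo only (SANS like "DNS:a,DNS:b", or empty). Not a Puppet CA cert.
make_test_cert() {
  local out="$1" cn="$2" sans="$3" work
  work=$(mktemp -d)
  mkdir -p "$(dirname "$out")"
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n'
    printf '[dn]\nCN = %s\n[v3]\nbasicConstraints = CA:FALSE\n' "$cn"
    if [ -n "$sans" ]; then printf 'subjectAltName = %s\n' "$sans"; fi
  } > "$work/openssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/openssl.cnf" \
    -keyout "$work/key.pem" -out "$out" 2> /dev/null
  rm -rf "$work"
}

# Demo: an old master cert whose SANs include the puppetca CNAME passes for
# that name and is refused for a brand-new hostname.
demo() {
  local tmp
  tmp=$(mktemp -d)
  make_test_cert "$tmp/ssldir/certs/oldmaster.example.com.pem" \
    oldmaster.example.com "DNS:oldmaster.example.com,DNS:puppetca.example.com"
  preflight_ssldir "$tmp/ssldir" oldmaster.example.com puppetca.example.com
  preflight_ssldir "$tmp/ssldir" oldmaster.example.com newmaster.example.com || true
  rm -rf "$tmp"
}

demo
```

Against a real master, feed it the values the first answer already uses: `preflight_ssldir "$(puppet config print ssldir)" "$(puppet config print certname)" puppetca.example.com`. A pass means the rsync will leave agents with a master certificate they can validate under the CNAME; a refusal is the situation the comments describe, where the certificate has to be reissued with the new name as an alternative name rather than copied.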
2

answered 2013-07-18 12:21:32 -0500 by Ancillas

Here's the flow I'd use.

  1. Have the new master ready to go from a configuration perspective. This doesn't include any of the old client certs, just new CA and master certs.
  2. Temporarily enable auto-signing for servers in your domain. http://docs.puppetlabs.com/guides/configuring.html#autosignconf
  3. Use a script, or some other orchestration process to upgrade the Puppet version one client at a time. That script will also change the puppet.conf configuration to point at the new master, and remove the existing puppet ssl directory. The new version of puppet will connect to the master ... (more)
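Step 3 of the flow above is the part each agent has to get right: change `server` in puppet.conf, then remove the ssl directory. The order matters, because an agent whose ssldir is gone but whose config still points at the old master will request a fresh certificate from the wrong CA. The script below is an added example, not the answer's own orchestration script; it rewrites a puppet.conf in place, verifies the result, and only then removes the ssldir, refusing paths that do not look like a Puppet ssldir. It assumes the ssldir path is obtained the way the first answer does (`puppet config print ssldir`), and runs here on a constructed puppet.conf and a fake ssldir in a temp directory.

```shell
#!/usr/bin/env bash
# Added example, not the answer's own orchestration script: the per-agent
# step described above applied to a puppet.conf file. It sets `server` in
# the [agent] section (adding the section if it is missing), keeps a backup,
# and only removes the ssldir once the new server name is in place, so an
# agent is never left with no certificate and no master to request one from.
# Assumption: the ssldir path comes from `puppet config print ssldir`, as in
# the first answer; nothing here depends on a particular Puppet version.
set -euo pipefail

# set_agent_server CONF NEW_SERVER: rewrite CONF so that [agent] contains
# exactly one "server = NEW_SERVER" line; other sections are left as-is.
set_agent_server() {
  local conf="$1" new_server="$2" tmp
  tmp=$(mktemp)
  awk -v srv="$new_server" '
    /^[[:space:]]*\[/ {
      # leaving [agent] without having written the server line: add it
      if (in_agent && !done) { print "server = " srv; done = 1 }
      in_agent = ($0 ~ /^[[:space:]]*\[agent\][[:space:]]*$/)
      if (in_agent) seen_agent = 1
    }
    in_agent && /^[[:space:]]*server[[:space:]]*=/ {
      if (!done) { print "server = " srv; done = 1 }
      next   # drop the old line (and any duplicates)
    }
    { print }
    END {
      if (!seen_agent) { print "[agent]"; print "server = " srv }
      else if (!done)  { print "server = " srv }
    }
  ' "$conf" > "$tmp"
  cp -p "$conf" "$conf.bak"
  mv "$tmp" "$conf"
}

# get_agent_server CONF: print the server value from [agent] (empty if none).
get_agent_server() {
  awk '
    /^[[:space:]]*\[/ { in_agent = ($0 ~ /^[[:space:]]*\[agent\][[:space:]]*$/); next }
    in_agent && /^[[:space:]]*server[[:space:]]*=/ {
      sub(/^[[:space:]]*server[[:space:]]*=[[:space:]]*/, ""); print; exit
    }' "$1"
}

# wipe_agent_ssldir SSLDIR: remove the agent's certificate material so the
# next run requests a new cert from the new master. Refuses paths that do
# not look like a Puppet ssldir, since this is an rm -rf.
wipe_agent_ssldir() {
  local ssldir="$1"
  case "$ssldir" in
    ""|/|/etc|/var|/var/lib) echo "refusing to remove '$ssldir'" >&2; return 1 ;;
  esac
  if [ ! -d "$ssldir/private_keys" ] && [ ! -d "$ssldir/certs" ]; then
    echo "refusing: $ssldir does not look like a Puppet ssldir" >&2
    return 1
  fi
  rm -rf "$ssldir"
}

# repoint_agent CONF SSLDIR NEW_SERVER: the whole per-agent step, in the
# safe order (config first, verified, then the old certs).
repoint_agent() {
  local conf="$1" ssldir="$2" new_server="$3"
  set_agent_server "$conf" "$new_server"
  if [ "$(get_agent_server "$conf")" != "$new_server" ]; then
    echo "failed to set server in $conf; restoring backup, ssldir untouched" >&2
    mv "$conf.bak" "$conf"
    return 1
  fi
  wipe_agent_ssldir "$ssldir"
}

# Demo on a constructed puppet.conf and a fake ssldir in a temp directory.
demo() {
  local tmp
  tmp=$(mktemp -d)
  printf '[main]\nlogdir = /var/log/puppet\n\n[agent]\nserver = oldmaster.example.com\nreport = true\n' \
    > "$tmp/puppet.conf"
  mkdir -p "$tmp/ssl/certs" "$tmp/ssl/private_keys"
  repoint_agent "$tmp/puppet.conf" "$tmp/ssl" newmaster.example.com
  cat "$tmp/puppet.conf"
  [ -d "$tmp/ssl" ] || echo "ssldir removed; the next agent run will request a new cert"
  rm -rf "$tmp"
}

demo
```

On a real agent the call is `repoint_agent /etc/puppet/puppet.conf "$(puppet config print ssldir)" newmaster.example.com` (adjust the config path to the install), followed by a normal agent run to submit the new CSR. Pair it with an autosign.conf restricted to your domain, as the answer's link describes, rather than a blanket `autosign = true`, and turn autosigning off again once the last agent has been moved.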
0

answered 2014-02-27 09:55:05 -0500 by louis

This is what I had to do in order to move the SSL certificates (100 of them) to a new puppet master server with a different hostname.

  1. stop agent, master and puppetdb [/sbin/service pe-httpd pe-puppet pe-puppetdb stop ]
  2. clean the new puppet master generated certificate (puppet cert clean <new_puppet_master_hostname>)
  3. create your bash script using Garrett Honeycutt solution above... (rsync ...)
  4. execute puppet master --no-daemonize --debug
  5. rebuild puppetdb certificate sudo /opt/puppet/sbin/puppetdb-ssl-setup -f
  6. start your puppetdb, master and agent services.

Check this link for more troubleshooting http://www.slideshare.net/PuppetLabs/puppet-conf-slides-25547169

0

answered 2015-04-29 09:54:57 -0500 by Avi

In case I do keep the naming convention and everything, besides copying the modules directory and the entire SSL directory, is there something else? Any restart of any services on the puppet master?



Stats

Asked: 2013-07-17 15:30:04 -0500

Seen: 4,023 times

Last updated: Feb 27 '14