Hi All,
Possibly a very simple thing I’m missing, but how do you renew the Puppet Master’s ssl certificate without breaking the client/master relationships?
A copy of the email to root that prompted this email is below.
Cheers,
Jamie
################# SSL Certificate Warning ################
Certificate for hostname '<server>', in file (or by nickname):
/etc/pki/tls/certs/localhost.crt
The certificate needs to be renewed; this can be done
using the 'genkey' program.
Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)
On 22 Dec 2013 00:46, "Felix Frank" <Felix...@alumni.tu-berlin.de> wrote:
>
> Hi,
>
> signing a new master certificate should not be an issue, as long as it's
> signed using the same CA certificate as the old one (i.e., a CA that is
> trusted by all clients).
>
> When the CA certificate expires, it should be quite possible to add a
> new additional CA to the master and distribute it to all agents. I don't
> know how the puppet tool chain supports this, though.
>
In PKI terms this is called a Key Rollover. It is a standard CA practice.
Best regards
> Cheers,
> Felix
>
> On 12/11/2013 11:44 PM, Reid, Jamie wrote:
> > Hi All,
> >
> > Possibly a very simple thing I’m missing, but how do you renew the
> > Puppet Master’s ssl certificate without breaking the client/master
> > relationships?
>
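The point made in the reply above (a renewed master certificate keeps working as long as it is signed by the CA the agents already trust) can be checked with plain `openssl`. This is an added example, not part of the original thread and not Puppet's own tooling; the CA names, the hostname `puppet.example.test` and all function names are constructed for the demo.

```shell
# Constructed demo: throwaway CAs and certificates in a temp dir, nothing from a real master.
make_ca() {        # make_ca <dir> <name>: self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_cert() {     # issue_cert <dir> <ca-name> <out-name> <cn> <days>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days "$5" -out "$1/$3.crt" 2>/dev/null
}

agent_trusts() {   # agent_trusts <ca-cert> <server-cert>: chain check as an agent would do it
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

expires_within() { # expires_within <cert> <seconds>: true if the cert expires in that window
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" demo-ca && make_ca "$d" other-ca &&
  issue_cert "$d" demo-ca  master-old   puppet.example.test 1 &&
  issue_cert "$d" demo-ca  master-new   puppet.example.test 365 &&
  issue_cert "$d" other-ca master-rogue puppet.example.test 365 ||
    { rm -rf "$d"; return 1; }
  rc=0
  # Old and renewed certificates share the CA, so both validate for the agent.
  agent_trusts "$d/demo-ca.crt" "$d/master-old.crt"   || rc=1
  agent_trusts "$d/demo-ca.crt" "$d/master-new.crt"   || rc=1
  # Same hostname, different CA: the agent must reject it.
  agent_trusts "$d/demo-ca.crt" "$d/master-rogue.crt" && rc=1
  # Only the old certificate is inside the 30-day renewal window.
  expires_within "$d/master-old.crt" 2592000 || rc=1
  expires_within "$d/master-new.crt" 2592000 && rc=1
  rm -rf "$d"
  return $rc
}

demo && echo "renewed cert validates against the existing CA; foreign CA is rejected"
```

On a real installation, `agent_trusts` and `expires_within` would be pointed at the CA certificate the agents hold and at the newly signed master certificate before the old one is replaced.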