Change Hostname on Puppet Master


Danny Roberts

Aug 5, 2014, 10:45:54 AM
to puppet...@googlegroups.com
We have a requirement to change the hostname of our Puppet Master (not a great idea but sadly out of my control). I could not find any documentation on this subject, does anyone know the process for doing something like this?

Or would it need to be a complete rebuild then re-import of our Puppet code?

Gabriel Filion

Aug 5, 2014, 1:12:32 PM
to puppet...@googlegroups.com
Hey there,
I did this some time ago and ended up using the "stupid" method. So if
there's a better way than what I'll describe, please someone step in.

What really matters when you rename your master is your master SSL
certificate. Clients will be verifying if the puppet master's hostname
matches the one advertised by the certificate.

So when I changed the hostname, I had to create a new certificate for
the master, and then recreate certificates for clients and
"re-registering" all clients to the master. e.g.:

on all clients:
* wipe out /var/lib/puppet/ssl
* run puppet agent -t --waitforcert 10
* on master, sign client certificate

this was very time-consuming though.


Now if my imagination is not too far off from reality, there might be a
way to tweak your master certificate so that it has more corresponding
hostnames (think certificate for a web server that matches multiple
domains). It might not be applicable though :\

--
Gabriel Filion


Juan Sierra Pons

Aug 5, 2014, 1:23:20 PM
to puppet...@googlegroups.com
Hi,

Disclaimer: I haven't tested it yet

>on all clients:
> * wipe out /var/lib/puppet/ssl
> * run puppet agent -t --waitforcert 10
> * on master, sign client certificate

If you have mcollective configured you can use the mco-removecert tool [1]
in order to simplify the client part:

#!/bin/sh
# Remove one agent's certificate material via mcollective, so that its next
# "puppet agent -t" run requests a fresh certificate from the master.
# sslpath must match the agents' ssldir (often /var/lib/puppet/ssl).

sslpath="/var/puppet/ssl"
host="$1"
[ -n "$host" ] || { echo "usage: $0 <host>" >&2; exit 1; }

# restart the agent first and bail out if mco reports errors for this host
mco service -I "$host" puppet restart | grep "errors" && exit 1
sleep 30 && mco service -I "$host" puppet stop

echo "$sslpath/certs/ca.pem"
mco filemgr -q -I "$host" --file "$sslpath/certs/ca.pem" remove
echo "$sslpath/certs/$host.pem"
mco filemgr -q -I "$host" --file "$sslpath/certs/$host.pem" remove
echo "$sslpath/certificate_requests/$host.pem"
mco filemgr -q -I "$host" --file "$sslpath/certificate_requests/$host.pem" remove
echo "$sslpath/crl.pem"
mco filemgr -q -I "$host" --file "$sslpath/crl.pem" remove
echo "$sslpath/private_keys/$host.pem"
mco filemgr -q -I "$host" --file "$sslpath/private_keys/$host.pem" remove
echo "$sslpath/public_keys/$host.pem"
mco filemgr -q -I "$host" --file "$sslpath/public_keys/$host.pem" remove

mco service -I "$host" puppet start

It should do the dirty job for you :)

[1] https://gist.github.com/lofidellity/1205953

Best regards
--------------------------------------------------------------------------------------
Juan Sierra Pons ju...@elsotanillo.net
Linux User Registered: #257202
Web: http://www.elsotanillo.net Git: http://www.github.com/juasiepo
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
--------------------------------------------------------------------------------------

Nan Liu

Aug 5, 2014, 1:29:39 PM
to puppet...@googlegroups.com
On Tue, Aug 5, 2014 at 10:11 AM, Gabriel Filion <gab...@lelutin.ca> wrote:
> Hey there,
>
> On 05/08/14 10:45 AM, Danny Roberts wrote:
>> We have a requirement to change the hostname of our Puppet Master (not
>> a great idea but sadly out of my control). I could not find any
>> documentation on this subject, does anyone know the process for doing
>> something like this?
>>
>> Or would it need to be a complete rebuild then re-import of our Puppet code?
>
> I did this some time ago and ended up using the "stupid" method. So if
> there's a better way than what I'll describe, please someone step in.
>
> What really matters when you rename your master is your master SSL
> certificate. Clients will be verifying if the puppet master's hostname
> matches the one advertised by the certificate.
>
> So when I changed the hostname, I had to create a new certificate for
> the master, and then recreate certificates for clients and
> "re-registering" all clients to the master. e.g.:
>
> on all clients:
>  * wipe out /var/lib/puppet/ssl
>  * run puppet agent -t --waitforcert 10
>  * on master, sign client certificate
>
> this was very time-consuming though.

Please don't re-sign all client certificates. All you need to do is recreate a puppet master certificate with dns alt names accepting both the old and new puppet master hostname. Because passenger and other configuration may already refer to the existing pem file name, it's easier to just add the new hostname to the dns_alt_names accept list:

Backup your puppet master ssl directory, so you can just retry if something didn't go as planned. 

# note all certificate alt names of the existing puppet master cert:
puppet cert -la | grep oldmaster
(alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
...

# remove your old puppet master cert.
puppet cert -c oldmaster

# search the ssl dir and it should not have any files with the oldmaster certname

# generate new master cert (same name as old one, but accept new_hostname in dns_alt_names):
puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt

# you may need to copy the files to some locations if you found files not removed after the cert clean step

At this point you can add a host entry on one of your agents and test via:
puppet agent -t --server new_hostname --noop

You should not have to touch any client cert, that's only necessary if you need to change your CA cert which is a pain when it expires.

HTH,

Nan 
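A helper for the procedure above, added here as an example and not code from Nan's post or from Puppet itself: it parses a captured "puppet cert -la" line, builds the dns_alt_names list (new name plus every alt name the old cert already had), prints the clean/generate commands for review, and checks which hostnames the regenerated cert would cover before any agent is pointed at the new name. The sample line, the certname oldmaster and the name new_hostname are constructed placeholders.

```sh
#!/bin/sh
# Added example (not code from the thread): derive the dns_alt_names value for
# the master cert regeneration from a captured "puppet cert -la" line, print the
# "puppet cert" steps for review, and check which hostnames the new cert covers.

# Constructed sample in "puppet cert -la" format; fingerprint and names are
# placeholders, not values from any real master.
SAMPLE_LINE='+ "oldmaster" (SHA256) AA:BB:CC:DD (alt names: "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt")'

# certname LINE -> the quoted certname at the start of the line
certname() {
    printf '%s\n' "$1" | sed -n 's/^[+-]\{0,1\} *"\([^"]*\)".*/\1/p'
}

# extract_alt_names LINE -> existing DNS alt names, one per line; accepts both
# "alt names:" and the "alt names ... , )" variant quoted in the thread
extract_alt_names() {
    printf '%s\n' "$1" \
      | sed -n 's/.*alt names:\{0,1\} *\(.*\))$/\1/p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*"DNS://; s/"[[:space:]]*$//; /^[[:space:]]*$/d'
}

# build_alt_names LINE NEW_HOSTNAME -> comma-separated list: new hostname first,
# every existing alt name kept, duplicates dropped
build_alt_names() {
    { printf '%s\n' "$2"; extract_alt_names "$1"; } \
      | awk '!seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }'
}

# regen_commands LINE NEW_HOSTNAME -> the clean and generate steps, printed
# rather than executed so they can be reviewed (back up the ssl dir first)
regen_commands() {
    name=$(certname "$1")
    alts=$(build_alt_names "$1" "$2")
    printf 'puppet cert -c %s\n' "$name"
    printf 'puppet cert -g %s --dns_alt_names=%s\n' "$name" "$alts"
}

# cert_covers_host CERTNAME ALT_LIST HOST -> 0 if HOST equals the certname or
# one of the alt names (exact match only, the conservative assumption)
cert_covers_host() {
    [ "$3" = "$1" ] && return 0
    printf '%s\n' "$2" | tr ',' '\n' | grep -qxF -- "$3"
}

regen_commands "$SAMPLE_LINE" new_hostname
```

Run it against the real line from "puppet cert -la | grep <certname>" and compare the printed -g command with what you intend to run; cert_covers_host is the same yes/no question an agent asks when it connects with --server set to the new name.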

José Luis Ledesma

Aug 5, 2014, 4:40:38 PM
to puppet...@googlegroups.com

+1
You don't need to re-register all clients. Just generate a new cert for the master with both old and new name and sign it.

Regards


Gabriel Filion

Aug 5, 2014, 5:23:54 PM
to puppet...@googlegroups.com
On 05/08/14 01:28 PM, Nan Liu wrote:
> Please don't re-sign all client certificates. All you need to do is
> recreate a puppet master certificate with dns alt name accepting both
> the old and new puppet master hostname. Because passenger and other
> configuration may already refer to the existing pem file name, it's
> easier to just add the new hostname to the dns_alt_names accept list

ah, thanks a lot for this. I was sure there was a more clever way to do
this :)

--
Gabriel Filion


Juan Sierra Pons

Aug 6, 2014, 3:29:41 AM
to puppet...@googlegroups.com
Hi,

I didn't know it either. :)

This drives me to ask a related question: Can the same approach be used
when the certificate expires?

I suppose the answer is yes but I haven't got the opportunity to try it.

Thank you

Jake Lundberg

Aug 6, 2014, 12:12:59 PM
to puppet...@googlegroups.com
Do you even need to do this?  Can't you just use the certname configuration variable on the puppetmaster and just set it to the old name?   

Jake Lundberg

Aug 6, 2014, 12:15:37 PM
to puppet...@googlegroups.com
Actually, disregard, I'm thinking of the client side.   

--
Jake Lundberg
Senior Systems Engineer
Jlun...@adconion.com
+1.310.382.5581



Nan Liu

Aug 6, 2014, 4:33:32 PM
to puppet...@googlegroups.com
On Wed, Aug 6, 2014 at 12:28 AM, Juan Sierra Pons <ju...@elsotanillo.net> wrote:
> 2014-08-05 23:23 GMT+02:00 Gabriel Filion <gab...@lelutin.ca>:
>> On 05/08/14 01:28 PM, Nan Liu wrote:
>>> Please don't re-sign all client certificates. All you need to do is
>>> recreate a puppet master certificate with dns alt name accepting both
>>> the old and new puppet master hostname. Because passenger and other
>>> configuration may already refer to the existing pem file name, it's
>>> easier to just add the new hostname to the dns_alt_names accept list
>>
>> ah, thanks a lot for this. I was sure there was a more clever way to do
>> this :)
>>
>> --
>> Gabriel Filion
>>
>
> Hi,
>
> I didn't know it either. :)
>
> This drives me to ask a related question: Can the same approach be used
> when the certificate expires?

Sure. Should work the same.

Nan