Re-issuing agent certs from a newer Puppet Master


warron.french

Jun 1, 2016, 12:40:07 PM
to puppet...@googlegroups.com
Hello again,
I have a few Puppet Agents onto which I installed the puppet-agent software from my first Puppetmaster1, however, something happened and I had to rebuild that server - for labelling purposes I am (in this email) calling it Puppetmaster2.

The puppet agents all have their certs signed by Puppetmaster1, but that server no longer exists and now I have Puppetmaster2 (still the same hostname actually).


How do I associate the puppet-agent nodes with the newer Puppetmaster2 server properly?

Do I execute an: rpm -e puppet-agent on all of the nodes, and then re-run the curl command to properly re-install and generate a new certificate from the newer Puppetmaster2 (puppetmaster)?

Do I just go onto each of the nodes and simply remove the ssl subdirectory and then re-run the: puppet agent -t command (which didn't seem to fail, or show its certificate up on the Puppet Admin Console)?


Thanks for the help,

--------------------------
Warron French

Andrew Grimberg

Jun 1, 2016, 12:46:47 PM
to puppet...@googlegroups.com
On 06/01/2016 09:39 AM, warron.french wrote:
> Hello again,
> I have a few Puppet Agents onto which I installed the
> puppet-agent software from my first Puppetmaster1, however, something
> happened and I had to rebuild that server - for labelling purposes I am
> (in this email) calling it Puppetmaster2.
>
> The puppet agents all have their certs signed by Puppetmaster1, but that
> server no longer exists and now I have Puppetmaster2 (still the same
> hostname actually).
>
>
> How do I associate the puppet-agent nodes with the newer Puppetmaster2
> server properly?
>
> Do I execute an: *rpm -e puppet-agent* on all of the nodes, and then
> re-run the *curl *command to properly re-install and generate a new
> certificate from the newer Puppetmaster2 (puppetmaster)?
>
> Do I just go onto each of the nodes and simply remove the ssl
> subdirectory and then re-run the: *puppet agent -t* command (which
> didn't seem to fail, or show its certificate up on the Puppet Admin Console)?

Assuming that re-running 'puppet agent -t' would cause the systems to
look at your new puppet master then the following should be all you need
to do:

On the nodes, assuming an EL7 system and the latest puppet since you
said puppet-agent for your package:

--[cut]--
systemctl stop puppet
rm -rf /etc/puppetlabs/puppet/ssl/*
puppet agent -t --waitforcert 60
# assuming your current manifests don't force the agent to restart
systemctl start puppet
--[/cut]--

On the puppet master, accept the new node

-Andy-


Rob Nelson

Jun 1, 2016, 12:53:19 PM
to puppet...@googlegroups.com
If you run `puppet agent -t [--server <name>]` and there is a mismatch, it should provide directions to remedy the situation. In your case, wiping out the ssldir on the client should suffice.
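The procedure Andy lists and the ssldir wipe Rob confirms, as an added example that is not from either poster: the ssldir is moved aside instead of deleted, and the agent is only re-enrolled after the rebuilt master's CA has been fetched and checked against a fingerprint the master admin supplies out of band. It assumes the Puppet 4 AIO paths from the thread, the Puppet 4 CA API endpoint /puppet-ca/v1/certificate/ca, and the hypothetical variables SERVER, EXPECTED_CA_FP and RUN_REISSUE.

```shell
#!/bin/sh
# Added example, not from the thread: Andy's steps wrapped so the ssldir is
# backed up rather than deleted and only touched when the master CA really
# changed. Assumes Puppet 4 AIO paths and the Puppet 4 CA API endpoint
# /puppet-ca/v1/certificate/ca; needs openssl and curl.
set -eu

SSLDIR="${SSLDIR:-/etc/puppetlabs/puppet/ssl}"
SERVER="${SERVER:-puppet}"

# ca_fingerprint FILE: SHA-256 fingerprint of a PEM certificate.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# ca_changed LOCAL REMOTE: true when the two CA certs differ. After the
# rebuild the agent's cached ca.pem still belongs to Puppetmaster1.
ca_changed() {
    [ "$(ca_fingerprint "$1")" != "$(ca_fingerprint "$2")" ]
}

# backup_ssldir DIR DEST: move DIR's contents (dotfiles included) to DEST,
# leaving DIR empty, so the old key and cert can be restored if needed.
backup_ssldir() {
    mkdir -p "$2"
    find "$1" -mindepth 1 -maxdepth 1 -exec mv {} "$2"/ \;
}

# reissue_agent_cert: fetch the master's current CA with -k (the old CA can
# no longer vouch for the rebuilt master), check it against EXPECTED_CA_FP
# obtained out of band from the master admin, then run the thread's steps.
reissue_agent_cert() {
    newca=$(mktemp)
    curl -sk "https://$SERVER:8140/puppet-ca/v1/certificate/ca" -o "$newca"
    if [ -n "${EXPECTED_CA_FP:-}" ] && [ "$(ca_fingerprint "$newca")" != "$EXPECTED_CA_FP" ]; then
        echo "downloaded CA does not match EXPECTED_CA_FP; refusing to re-enrol" >&2
        rm -f "$newca"; return 1
    fi
    if [ -f "$SSLDIR/certs/ca.pem" ] && ! ca_changed "$SSLDIR/certs/ca.pem" "$newca"; then
        echo "CA unchanged; nothing to do"; rm -f "$newca"; return 0
    fi
    rm -f "$newca"
    systemctl stop puppet
    backup_ssldir "$SSLDIR" "/root/puppet-ssl-backup-$(date +%Y%m%d%H%M%S)"
    puppet agent -t --waitforcert 60   # sign the new request on the master
    systemctl start puppet
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_REISSUE:-0}" = 1 ]; then reissue_agent_cert; fi
```

Run it as `RUN_REISSUE=1 SERVER=<master> EXPECTED_CA_FP=<fingerprint> sh reissue.sh` on each node; without EXPECTED_CA_FP it still re-enrols, but then nothing stops a host impersonating the master on port 8140 from collecting the new CSR.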


warron.french

Jun 1, 2016, 1:19:55 PM
to puppet...@googlegroups.com
Thanks to you both Rob and Andy.


--------------------------
Warron French

