1.2 KiB
1.2 KiB
add additional master
these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
prepare a new node
- deploy a new now, or identify a space with the base role
- change the hosts class to roles::infra::puppet::master
- apply puppet until there are no more changes
revoke the current certificate on the puppet master
sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
stop the new puppetserver and cleanup revoked certificates
sudo systemctl stop puppetserver
sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
copy the current crl.pem, as puppetserver will overwrite it when starting
sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
request new puppet agent certificate
sudo puppet ssl bootstrap
start the puppetserver service and move the crl.pem back in place
sudo systemctl start puppetserver
sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem