4

I've just had 5 new servers provisioned to replace existing servers. The current servers are all setup web1.domain.com etc and use puppet to manage configuration. I want to setup the new servers to replace the old with the same hostnames, but it seems puppet has a problem with this as the private ssl keys differ between the 2 "web1" servers.

What is the easiest way to upgrade these hosts? The only way I can see at the moment is to remove /var/lib/puppet/ssl/ca/.pem on the server and add a new signing request from the new host. The old host will then not be able to connect to my puppetmaster.

1 Answer 1

6

You can use puppet cert clean to remove the old host's certificate from the master, allowing the new host to get a signed cert.. but this will break the old host's subsequent puppet runs.

Another option is the allow_duplicate_certs option in puppet.conf, but instead of allowing the two nodes to coexist, it allows an automatic overwrite of the old host's cert when the new one is signed.

The only way to allow them to both continue doing puppet runs successfully would be to have them use the same certificate - you'd need to manually copy the certificate and private key from one to the other.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .