1
votes

I have a Puppet master and a Puppet agent, and the agent successfully communicates with the master. Now I want to use another machine as my Puppet master. I created another Puppet master, called master-2, and ran this on the agent:

sudo puppet agent -t --server master-2

That causes this error:

certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: master-2]

I copied the folder /var/lib/puppet/ssl from master to master-2, and now the above command succeeded.

Is there a way to prevent an agent from communicating with the first master? How can I remove the first master's certificates from the agent and add the new certificates of master-2?

2 Answers

2
votes

Create a new clean master-2, and copy two files from master-2 to the agent:

  1. Copy file "/var/lib/puppet/ssl/ca/ca_crt.pem" from master-2 to agent, and save it as "/var/lib/puppet/ssl/certs/ca.pem".
  2. Copy file "/var/lib/puppet/ssl/ca/ca_crl.pem" from master-2 to agent, and save it as "/var/lib/puppet/ssl/crl.pem".

Delete the old certificates on the agent:

sudo find /var/lib/puppet/ssl -name <hostname>.pem -delete
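
A read-only check to run on the agent after the steps above, added here as an example and not part of the original answer: it confirms that certs/ca.pem is master-2's CA and flags any leftover certificate or CRL issued by the first master's CA. The function name and the second argument (a copy of master-2's ca_crt.pem obtained over a channel you trust) are assumptions; it relies on the openssl CLI.

```sh
#!/bin/sh
# check_agent_trust SSLDIR EXPECTED_CA   (hypothetical helper, not a Puppet command)
#   SSLDIR       agent ssl directory, e.g. /var/lib/puppet/ssl
#   EXPECTED_CA  trusted copy of master-2's ca_crt.pem (assumption)
# Returns 0 if the agent trusts only the expected CA, 1 if not, 2 on read errors.
check_agent_trust() {
    ssldir=$1
    expected_ca=$2
    ca="$ssldir/certs/ca.pem"
    rc=0

    # 1. The agent's trust anchor must be the same certificate as the expected CA.
    want=$(openssl x509 -in "$expected_ca" -noout -fingerprint -sha256) || return 2
    have=$(openssl x509 -in "$ca" -noout -fingerprint -sha256) || return 2
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: $ca is not the expected CA ($have)"
        rc=1
    fi

    # 2. Every other certificate left under certs/ must chain to the expected CA;
    #    one that does not was issued by the previous master's CA.
    #    The output is matched instead of the exit status because old OpenSSL
    #    releases could exit 0 on a failed verification.
    for crt in "$ssldir"/certs/*.pem; do
        [ -e "$crt" ] || continue
        [ "$crt" = "$ca" ] && continue
        if ! openssl verify -CAfile "$expected_ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
            echo "STALE: $crt does not chain to the expected CA"
            rc=1
        fi
    done

    # 3. If a CRL is present, its signature must verify against the expected CA.
    crl="$ssldir/crl.pem"
    if [ -e "$crl" ] &&
       ! openssl crl -in "$crl" -CAfile "$expected_ca" -noout 2>&1 | grep -q 'verify OK'; then
        echo "STALE: $crl is not signed by the expected CA"
        rc=1
    fi
    return "$rc"
}
```

A non-zero result with STALE lines means the find/delete step above still has files to remove before the agent requests a new certificate from master-2.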

0
votes

Step 1: Edit your agent's puppet.conf and add the new Puppet master details in the [agent] section, like below:

[agent]

server=

Step 2 (optional): If you are not copying the master's SSL certificate folder (/var/lib/puppet/ssl), your agent will now try to contact the server master2 and request a new certificate. You can sign the new certificate on your CA server using the puppet cert sign command.