Our configuration management is based on a multi-master puppetserver architecture.

Install a puppetserver

After a new puppetserver is installed, it needs an SSL certificate that contains the puppetmaster name as a DNS alt-name in addition to the node's hostname. This certificate is not created automatically, so the following procedure has to be performed on the new puppetmaster and the puppetca.

Make sure the common DNS alt-name is configured

Verify that the DNS alt-name is configured
root@newpuppetmaster:~# grep alt /etc/puppetlabs/puppet/puppet.conf 
dns_alt_names = puppet.sky.rothaugane.com

Regenerate the master's certificate with the new alt-name included

Install puppetmaster certificate
root@newpuppetmaster:~# systemctl stop puppetserver
root@newpuppetmaster:~# rm -r $(puppet master --configprint ssldir)
 
root@puppetca:~# puppetserver ca clean --certname newpuppetmaster.fqdn.com
 
root@newpuppetmaster:~# puppet agent --test --waitforcert 10
 
root@puppetca:~# puppetserver ca sign --certname newpuppetmaster.fqdn.com
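
To confirm that the signed certificate carries both the common alt-name and the node's hostname, the check below parses the output of `openssl x509 -noout -text`. It is an added example, not part of the original procedure; the function names, the certificate path in the usage comment and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original procedure): confirm a signed
# puppetserver certificate lists every expected DNS alt-name.

# Constructed sample of `openssl x509 -noout -text` output, for illustration.
sample_cert_text() {
    cat <<'EOF'
        Subject: CN = newpuppetmaster.fqdn.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet.sky.rothaugane.com, DNS:newpuppetmaster.fqdn.com
EOF
}

# Read certificate text on stdin; print one DNS alt-name per line.
san_names() {
    awk '
        found { gsub(/,/, "\n"); print; exit }
        /X509v3 Subject Alternative Name/ { found = 1 }
    ' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p'
}

# Read certificate text on stdin; print each expected name ("$@") that is
# absent. Returns 0 only when nothing is missing. DNS names compare
# case-insensitively and must match a whole entry, not a substring.
missing_sans() {
    present=$(san_names)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$present" | grep -qxiF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Hypothetical wrapper for a real PEM file (path is a placeholder), e.g.:
#   check_cert /path/to/cert.pem puppet.sky.rothaugane.com newpuppetmaster.fqdn.com
check_cert() {
    cert=$1; shift
    openssl x509 -in "$cert" -noout -text | missing_sans "$@"
}

# Demo on the constructed sample.
if missing=$(sample_cert_text | missing_sans puppet.sky.rothaugane.com newpuppetmaster.fqdn.com); then
    echo "all expected alt-names present"
else
    echo "missing alt-names: $missing"
fi
```

A non-zero exit status from `check_cert` means the certificate should be cleaned and regenerated before the new puppetserver is put behind the shared name.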

Deploy environments from shiftleader

After a new puppetserver is successfully installed, remember to deploy the puppet environments to it from shiftleader.
