...

After restarting the puppetserver service, you should be able to use commands like "puppetserver ca list --all".


Later, to create a client cert with the pp_cli_auth extension added (typically when you install a new CA), do the following:

Install a new server with role::base.

On the new CA:
  # systemctl stop puppet
  # rm /etc/puppetlabs/puppet/ssl/certs/FQDN.pem /etc/puppetlabs/puppet/ssl/private_keys/FQDN.pem

On the old CA:
  # systemctl stop puppetserver
  # puppetserver ca generate --ca-client --certname NEW-CA-FQDN --subject-alt-names cool.name.foo,cooler.name.foo

That command will tell you that some files already exist. Delete all of those and re-run the command.

Finally:
Copy the generated /etc/puppetlabs/puppet/ssl/private_keys/NEW-CA-FQDN.pem to the same folder on the new CA, and re-run puppet on the new CA.

You should see something like this from "puppetserver ca list --all" (pp_cli_auth: true is the key part here):
puppetca3.infra.pile.it.ntnu.no              (SHA256)  9C:22:1F:89:C4:C8:C3:BF:F9:59:64:2D:CA:5A:F8:A9:12:02:9C:3E:DB:3D:F7:BD:03:D1:15:F7:BC:6F:84:2E    alt names: ["DNS:puppet.pile.it.ntnu.no", "DNS:puppetca.pile.it.ntnu.no", "DNS:puppetca3.infra.pile.it.ntnu.no"]    authorization extensions: [pp_cli_auth: true]
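Added example, not part of the original wiki page: a POSIX sh check that parses the one-line-per-cert format of "puppetserver ca list --all" shown above and confirms that the new CA's certname actually carries pp_cli_auth: true (and exposes its fingerprint so you can pin it against what the old CA generated) before you rely on the cert. It assumes the certname is the first whitespace-separated field and the fingerprint the third; the second listing line and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original wiki page). Checks the text output
# of "puppetserver ca list --all" in the one-line-per-cert format shown above:
#   <certname>  (SHA256)  <fingerprint>  alt names: [...]  authorization extensions: [...]
# Assumption: the certname is the first whitespace-separated field and the
# fingerprint the third; both hold for the line format quoted on this page.

# Constructed sample listing: the first line is the page's own example, the
# second is a made-up agent cert with no authorization extensions.
SAMPLE_CA_LIST="$(printf '%s\n' \
  'puppetca3.infra.pile.it.ntnu.no              (SHA256)  9C:22:1F:89:C4:C8:C3:BF:F9:59:64:2D:CA:5A:F8:A9:12:02:9C:3E:DB:3D:F7:BD:03:D1:15:F7:BC:6F:84:2E    alt names: ["DNS:puppet.pile.it.ntnu.no", "DNS:puppetca.pile.it.ntnu.no", "DNS:puppetca3.infra.pile.it.ntnu.no"]    authorization extensions: [pp_cli_auth: true]' \
  'agent1.infra.pile.it.ntnu.no                 (SHA256)  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF    alt names: ["DNS:agent1.infra.pile.it.ntnu.no"]')"

# cert_line CERTNAME LISTING -> prints the listing line whose first field is
# exactly CERTNAME (no substring matches), or nothing if it is not listed.
cert_line() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print; exit }'
}

# fingerprint_of CERTNAME LISTING -> prints the SHA256 fingerprint, so the
# value shown on the new CA can be pinned against what the old CA generated.
fingerprint_of() {
  cert_line "$1" "$2" | awk '{ print $3 }'
}

# has_cli_auth CERTNAME LISTING
# exit 0: listed with "pp_cli_auth: true" inside the authorization extensions
# exit 1: listed, but the extension is absent (not a usable CA client cert)
# exit 2: certname not in the listing at all
has_cli_auth() {
  _line=$(cert_line "$1" "$2")
  [ -n "$_line" ] || return 2
  case "$_line" in
    *'authorization extensions: ['*'pp_cli_auth: true'*']'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage against a live server (not run here):
#   has_cli_auth NEW-CA-FQDN "$(puppetserver ca list --all)" || echo "missing pp_cli_auth"
```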
Upgrading puppet-agent

To upgrade the puppet-agent packages in the infrastructure, add the following two keys to global Hiera (and, if you want, remove them from the puppetmaster node files) and wait for two puppet runs.

...