...
Hiera decides which machine serves as the puppetca through the key "profile::puppet::caserver".
Backups
As we only have a single puppetca machine, it is important to back up its files. Specifically we want to back up the certificate directories, so that we have everything we need if we have to install a new puppetca.
The active puppetca is equipped with a cron job that copies its "/etc/puppetlabs/puppet/ssl/ca" directory to all the other puppetmasters, into the folder "/var/opt/puppet/hostname/ca". Note that this directory contains the CA private key, so the copies on the other puppetmasters must be protected as carefully as the original.
Installing a new puppetca
To install a new puppetca machine we first install the machine with the role "role::puppet::ca". There is no problem having more than one machine with this role; only one of them is used by agents anyway.
The CA needs some specific authorization extensions in its certificate, which are set up like so:
On new CA:
# systemctl stop puppet
# rm /etc/puppetlabs/puppet/ssl/certs/FQDN.pem /etc/puppetlabs/puppet/ssl/private_keys/FQDN.pem
On old CA:
# systemctl stop puppetserver
# puppetserver ca generate --ca-client --certname NEW-CA-FQDN --subject-alt-names cool.name.foo,cooler.name.foo
That command will tell you that some files already exist. Delete all of those and re-run the command.
Finally:
Copy the generated /etc/puppetlabs/puppet/ssl/private_keys/NEW-CA-FQDN.pem to the same folder on the new CA (over a protected channel such as scp; this is the new CA's private key), and re-run puppet on the new CA.
You should see something like this from "puppetserver ca list --all" (pp_cli_auth: true is the key part here):
puppetca3.infra.pile.it.ntnu.no (SHA256) 9C:22:1F:89:C4:C8:C3:BF:F9:59:64:2D:CA:5A:F8:A9:12:02:9C:3E:DB:3D:F7:BD:03:D1:15:F7:BC:6F:84:2E alt names: ["DNS:puppet.pile.it.ntnu.no", "DNS:puppetca.pile.it.ntnu.no", "DNS:puppetca3.infra.pile.it.ntnu.no"] authorization extensions: [pp_cli_auth: true]
After the machine is installed, copy the ca folder from the current puppetca machine (/etc/puppetlabs/puppet/ssl/ca) to the new machine (or restore the most recent backup if the old puppetca machine is no longer available). Then update the hiera key "profile::puppet::caserver" to the hostname of the new puppetca.
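To confirm that the new CA's host certificate really carries the pp_cli_auth extension and the expected alternative names without going through puppetserver, the following POSIX shell script is an added example written for this page; it is not part of the page or of Puppet. It assumes that pp_cli_auth is Puppet's registered extension OID 1.3.6.1.4.1.34380.1.3.39 and that openssl 1.1.1 or newer is installed. The make_test_cert helper builds a constructed self-signed certificate so the check can be tried without a real CA.

```shell
#!/bin/sh
# check_puppet_ca_cert.sh: an added example, not code from this page or from Puppet.
# Assumptions not stated on the page: pp_cli_auth is Puppet's registered
# extension OID 1.3.6.1.4.1.34380.1.3.39, and openssl 1.1.1 or newer is installed.
PP_CLI_AUTH_OID="1.3.6.1.4.1.34380.1.3.39"

# check_ca_cert CERT NAME...: succeed (exit 0) only if CERT carries the
# pp_cli_auth extension and a DNS subjectAltName for every NAME given.
check_ca_cert() {
    cert="$1"; shift
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "$cert: cannot parse certificate" >&2; return 1; }
    # openssl prints extensions it does not know by their numeric OID.
    case "$text" in
        *"$PP_CLI_AUTH_OID"*) ;;
        *) echo "$cert: missing pp_cli_auth ($PP_CLI_AUTH_OID)" >&2; return 1 ;;
    esac
    # The SAN list is printed on the line after the extension header,
    # e.g. "DNS:puppet.example, DNS:puppetca3.example".
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    for name in "$@"; do
        # Surround with commas so puppet.example cannot match puppet.example.org.
        case ",$sans," in
            *",DNS:$name,"*) ;;
            *) echo "$cert: missing SAN DNS:$name" >&2; return 1 ;;
        esac
    done
    return 0
}

# make_test_cert OUT CN WITH_EXT SANS: constructed self-signed certificate
# for a dry run (not produced by puppetserver). WITH_EXT=yes adds the
# pp_cli_auth extension; SANS is an openssl subjectAltName value such as
# "DNS:a.example,DNS:b.example".
make_test_cert() {
    out="$1"; cn="$2"; with_ext="$3"; sans="$4"
    ext=""
    if [ "$with_ext" = yes ]; then
        ext="-addext $PP_CLI_AUTH_OID=ASN1:UTF8String:true"
    fi
    # $ext is intentionally unquoted so it expands to two arguments (or none).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$out.key" -out "$out" -addext "subjectAltName=$sans" $ext \
        >/dev/null 2>&1
}

# Usage: sh check_puppet_ca_cert.sh CERT NAME...   (exit status 0 means OK)
if [ "$#" -gt 0 ]; then
    check_ca_cert "$@"
fi
```

On the new CA, run it as "sh check_puppet_ca_cert.sh /etc/puppetlabs/puppet/ssl/certs/NEW-CA-FQDN.pem puppet.pile.it.ntnu.no puppetca.pile.it.ntnu.no" with the names you passed to --subject-alt-names; a non-zero exit means the certificate was generated without --ca-client or with the wrong alternative names. The script only reads the certificate, so it never touches the private key.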
...