...

To install a new puppetca machine, first install the machine with the role "role::puppet::ca". There is no problem having more than one machine with this role; only one of them is used by agents anyway (the one named in the hiera key "profile::puppet::caserver", see below).

The CA needs a specific authorization extension (pp_cli_auth) in its certificate so that it is allowed to talk to the CA API; that certificate is generated on the old CA like so:

Code Block
On the new CA:
# systemctl stop puppet
# rm /etc/puppetlabs/puppet/ssl/certs/FQDN.pem /etc/puppetlabs/puppet/ssl/private_keys/FQDN.pem
 
On the old CA (puppetserver must be stopped, because "puppetserver ca generate --ca-client" writes directly to the CA's files):
# systemctl stop puppetserver
 
# puppetserver ca generate --ca-client --certname NEW-CA-FQDN --subject-alt-names cool.name.foo,cooler.name.foo
That command will complain that some files already exist. Delete all of those and re-run the command.
 
Finally:
Copy the generated /etc/puppetlabs/puppet/ssl/private_keys/NEW-CA-FQDN.pem to the same folder on the new CA, and re-run puppet on the new CA. This file is a private key: transfer it over an authenticated, encrypted channel (scp or similar), keep its restrictive file mode (0600) on the new host, and delete any copy left on the old CA once the new host has its cert.
 
You should see something like this from "puppetserver ca list --all" ("authorization extensions: [pp_cli_auth: true]" is the key part; it is what --ca-client adds, and without it the new host is not allowed to use the CA API):
puppetca3.infra.pile.it.ntnu.no              (SHA256)  9C:22:1F:89:C4:C8:C3:BF:F9:59:64:2D:CA:5A:F8:A9:12:02:9C:3E:DB:3D:F7:BD:03:D1:15:F7:BC:6F:84:2E    alt names: ["DNS:puppet.pile.it.ntnu.no", "DNS:puppetca.pile.it.ntnu.no", "DNS:puppetca3.infra.pile.it.ntnu.no"]    authorization extensions: [pp_cli_auth: true]
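Before pointing agents at the new CA it is worth checking the certificate file itself, not only the "puppetserver ca list" output, for the pp_cli_auth extension and the expected alt names. The script below is an added example, not code from the original page or from Puppet: it builds a constructed self-signed certificate with openssl (standing in for /etc/puppetlabs/puppet/ssl/certs/NEW-CA-FQDN.pem; the hostnames are invented) and then runs the same checks you would run against the real file. It assumes openssl is installed and that Puppet's OID for pp_cli_auth is 1.3.6.1.4.1.34380.1.3.39 (Puppet's registered extension OID, as far as the author of this example knows).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify that a Puppet CA client
# certificate carries the pp_cli_auth authorization extension and the SANs
# agents will connect to. Requires openssl.
set -eu

# OID Puppet uses for the pp_cli_auth extension (assumed from Puppet's OID registry).
PP_CLI_AUTH_OID="1.3.6.1.4.1.34380.1.3.39"

# make_test_cert DIR [plain]
# Constructed stand-in for the cert "puppetserver ca generate --ca-client" writes.
# With the second argument "plain" the extension is omitted, mimicking a cert
# generated without --ca-client. Prints the path of the certificate.
make_test_cert() {
  local dir="$1" ext_line=""
  [ "${2:-}" = "plain" ] || ext_line="${PP_CLI_AUTH_OID} = ASN1:UTF8String:true"
  cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = puppetca-new.example.invalid
[v3]
subjectAltName = DNS:puppet.example.invalid,DNS:puppetca-new.example.invalid
${ext_line}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -config "$dir/ext.cnf" -extensions v3 >/dev/null 2>&1
  # The private key is what must never leak: keep it owner-readable only.
  chmod 0600 "$dir/key.pem"
  echo "$dir/cert.pem"
}

# has_cli_auth CERT : exit 0 if the pp_cli_auth extension OID is present.
has_cli_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "$PP_CLI_AUTH_OID"
}

# has_san CERT NAME : exit 0 if DNS:NAME is listed in subjectAltName.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# check_ca_cert CERT NAME... : exit 0 only if the extension and every NAME are present.
check_ca_cert() {
  local cert="$1"; shift
  has_cli_auth "$cert" || { echo "missing pp_cli_auth: $cert" >&2; return 1; }
  local n
  for n in "$@"; do
    has_san "$cert" "$n" || { echo "missing SAN DNS:$n: $cert" >&2; return 1; }
  done
  echo "ok: $cert"
}
```

On a real CA you would run check_ca_cert against /etc/puppetlabs/puppet/ssl/certs/NEW-CA-FQDN.pem with the names agents use (puppet.…, puppetca.…); a failure on the extension means the cert was generated without --ca-client and must be regenerated before the switch.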


After the machine is installed you should copy the ca folder from the current puppetca machine (/etc/puppetlabs/puppet/ssl/ca) to the new machine, or restore the most recent backup if the old puppetca machine is not available. That folder contains the CA private key (ca_key.pem) as well as the serial, inventory and CRL state, so copy it over an authenticated, encrypted channel with ownership and permissions preserved (for example rsync -a over ssh), and do it while puppetserver on the old CA is stopped so the two copies cannot diverge. Then the hiera key "profile::puppet::caserver" can be updated to contain the hostname of the new puppetca; verify with a "puppet agent -t" on a test host that agents reach the new CA before decommissioning the old one.

...