Our configuration management is based on a multi-master puppetserver architecture.
Install a puppetserver
After a new puppetserver is installed, it needs an SSL certificate that contains the puppetmaster name as a DNS alt-name in addition to the node's hostname. This certificate is not created manually, so the following procedure has to be performed on the new puppetmaster and the puppetca.
Make sure the common DNS alt-name is configured
Verify that the DNS alt-name is configured
root@newpuppetmaster:~# grep alt /etc/puppetlabs/puppet/puppet.conf
dns_alt_names = puppet.sky.rothaugane.com
Regenerate the master's certificate with the new alt-name included
Install puppetmaster certificate
root@newpuppetmaster:~# systemctl stop puppetserver
root@newpuppetmaster:~# rm -r $(puppet master --configprint ssldir)
root@puppetca:~# puppet cert clean newpuppetmaster.fqdn.com
root@newpuppetmaster:~# puppet agent --test --waitforcert 10
root@puppetca:~# puppet cert sign newpuppetmaster.fqdn.com --allow-dns-alt-names
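To confirm the result of the signing step, this added shell example (not part of the original procedure) lists the DNS alt-names in a PEM certificate or CSR and fails unless they are exactly the expected set. The function names `list_dns_sans`, `check_sans` and `make_sample_cert` are made up for this example, and the sample certificate is a constructed self-signed one, not one issued by the puppetca.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Lists the DNS subjectAltName entries of a PEM certificate or CSR and checks
# them against the exact set of names the CA is supposed to vouch for.

list_dns_sans() {   # $1 = PEM file (certificate or certificate request)
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then
        text=$(openssl req -in "$1" -noout -text) || return 2
    else
        text=$(openssl x509 -in "$1" -noout -text) || return 2
    fi
    # The SAN values sit on the line after the extension header.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p' | sort -u
}

check_sans() {      # $1 = PEM file, remaining args = expected DNS names
    pem=$1; shift
    expected=$(printf '%s\n' "$@" | sort -u)
    actual=$(list_dns_sans "$pem") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $pem carries exactly the expected names"
        return 0
    fi
    # A missing name breaks agents using the shared name; an extra name is
    # an identity the CA was never meant to sign for.
    echo "MISMATCH in $pem: expected [$(echo $expected)] found [$(echo $actual)]" >&2
    return 1
}

# Constructed sample input: a throwaway self-signed certificate, standing in
# for the certificate the CA returns. $1 = output file, rest = DNS names.
make_sample_cert() {
    out=$1; shift
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    cnf=$(mktemp)
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=x\n[ext]\nsubjectAltName=%s\n' \
        "$sans" > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -config "$cnf" -extensions ext -keyout "$out.key" -out "$out" 2>/dev/null
    rc=$?; rm -f "$cnf" "$out.key"; return $rc
}

demo=$(mktemp -d)
make_sample_cert "$demo/cert.pem" newpuppetmaster.fqdn.com puppet.sky.rothaugane.com &&
    check_sans "$demo/cert.pem" newpuppetmaster.fqdn.com puppet.sky.rothaugane.com
```

The same check can be pointed at the pending request on the puppetca before running the sign command, since `--allow-dns-alt-names` makes the CA accept the alt-names the request carries.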