Puppet relies on SSL certificates on both clients and servers for authentication. These certificates are handled by the puppetca.

Architecture

Because the CA role has to be centralized, the architecture here is simply one single server. We use the role "role::puppet::ca" for our puppetca machines, which is basically the same as "role::puppet::server" except for the loadbalancer backend registration.

Hiera decides which machine serves as the puppetca through the key "profile::puppet::caserver".

Backups

Since we only have a single puppetca machine, it is important to take backups of its files. Specifically we want to back up the certificate directories so that we have everything we need if we have to install a new puppetca.

The active puppetca runs a cronjob that copies its "/etc/puppetlabs/puppet/ssl/ca" directory to all the other puppetmasters, into the folder "/var/opt/puppet/hostname/ca".
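As an added example (not the site's actual cronjob), the following script does what the cronjob above is described as doing: it first checks that the CA directory is complete and that the CA private key is not group- or world-readable, then pushes the directory with rsync to each of the other puppetmasters. It assumes key-based ssh as root to each master, GNU stat, that "hostname" in the destination path is the puppetca's own FQDN, and the master list is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the site's own cronjob: copy the CA directory from the
# active puppetca to the other puppetmasters, as described on the page.
# Assumptions: rsync and key-based ssh as root to every master; GNU stat.
set -eu

CA_DIR=/etc/puppetlabs/puppet/ssl/ca
# Constructed placeholder list of the other puppetmasters.
OTHER_MASTERS="puppetmaster1.example.invalid puppetmaster2.example.invalid"

# Destination on a remote master: /var/opt/puppet/<this puppetca's name>/ca
# (assumption: "hostname" in the page's path means the source host's FQDN).
ca_backup_dest() {
    printf '/var/opt/puppet/%s/ca' "$1"
}

# Preflight: refuse to ship an incomplete CA directory. A Puppet Server CA
# directory holds ca_crt.pem, ca_key.pem, ca_crl.pem, serial, inventory.txt
# and signed/; without all of them the copy is useless for rebuilding a CA.
verify_ca_dir() {
    dir=$1
    for f in ca_crt.pem ca_key.pem ca_crl.pem serial inventory.txt; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    [ -d "$dir/signed" ] || { echo "missing: $dir/signed" >&2; return 1; }
    # The CA private key must only be readable by its owner (e.g. 600 or 400).
    perms=$(stat -c %a "$dir/ca_key.pem")
    case $perms in
        *00) ;;
        *) echo "ca_key.pem mode $perms is too permissive" >&2; return 1 ;;
    esac
    return 0
}

# Copy the directory to every other master, preserving ownership and modes,
# and delete stale files so each replica matches the source exactly.
backup_ca_dir() {
    src=$1; self=$2; shift 2
    verify_ca_dir "$src"
    for host in "$@"; do
        dest=$(ca_backup_dest "$self")
        ssh "root@$host" "mkdir -p '$dest' && chmod 700 '$dest'"
        rsync -a --delete "$src/" "root@$host:$dest/"
    done
}

# Only contact other hosts when explicitly asked ("run"), so the file can be
# sourced or syntax-checked without side effects.
if [ "${1:-}" = "run" ]; then
    backup_ca_dir "$CA_DIR" "$(hostname -f)" $OTHER_MASTERS
fi
```

Run it from cron as "sh backup-ca.sh run"; the preflight makes the job fail loudly instead of silently replicating a broken or over-permissive CA directory.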

Installing a new puppetca

To install a new puppetca machine we first install the machine with the role "role::puppet::ca". There is no problem having more than one machine with this role; only one of them is used by agents anyway.

The CA needs some specific authorization extensions in its certificate, which are set up like so:

On new CA:
# systemctl stop puppet
# rm /etc/puppetlabs/puppet/ssl/certs/FQDN.pem /etc/puppetlabs/puppet/ssl/private_keys/FQDN.pem
 
On old CA:
# systemctl stop puppetserver
 
# puppetserver ca generate --ca-client --certname NEW-CA-FQDN --subject-alt-names cool.name.foo,cooler.name.foo
That command will tell you that some files already exist. Delete all of those and re-run the command.
 
Finally:
Copy the generated /etc/puppetlabs/puppet/ssl/private_keys/NEW-CA-FQDN.pem to the same folder on the new CA, and re-run puppet on the new CA.
 
You should see something like this from "puppetserver ca list --all" (pp_cli_auth: true is the key part here):
puppetca3.infra.pile.it.ntnu.no              (SHA256)  9C:22:1F:89:C4:C8:C3:BF:F9:59:64:2D:CA:5A:F8:A9:12:02:9C:3E:DB:3D:F7:BD:03:D1:15:F7:BC:6F:84:2E    alt names: ["DNS:puppet.pile.it.ntnu.no", "DNS:puppetca.pile.it.ntnu.no", "DNS:puppetca3.infra.pile.it.ntnu.no"]    authorization extensions: [pp_cli_auth: true]
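An added check, not part of the original page, that reads the output of "puppetserver ca list --all" and confirms that the new CA's entry carries pp_cli_auth: true and the DNS alt names agents connect to. The embedded sample listing is constructed to match the format shown above, with placeholder host names and shortened fingerprints.

```shell
#!/bin/sh
# Added example (not from the original page): verify the new CA certificate
# as listed by "puppetserver ca list --all".
set -eu

# Constructed sample output in the same layout as the real listing:
# one cert with the authorization extension, one without.
SAMPLE_LISTING='Signed Certificates:
    puppetca3.infra.example.invalid   (SHA256)  9C:22:1F:89:C4:C8:C3:BF:F9:59:64:2D:CA:5A:F8:A9    alt names: ["DNS:puppet.example.invalid", "DNS:puppetca.example.invalid", "DNS:puppetca3.infra.example.invalid"]    authorization extensions: [pp_cli_auth: true]
    agent7.example.invalid            (SHA256)  AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89    alt names: ["DNS:agent7.example.invalid"]'

# Print the listing line for one certname (exact match on the first field,
# so leading indentation and header lines do not matter).
cert_line() {
    listing=$1; certname=$2
    printf '%s\n' "$listing" | awk -v n="$certname" '$1 == n { print; exit }'
}

# Succeed only if the named cert is listed with pp_cli_auth: true.
has_cli_auth() {
    line=$(cert_line "$1" "$2")
    [ -n "$line" ] || { echo "$2: not in listing" >&2; return 1; }
    case $line in
        *"authorization extensions: ["*"pp_cli_auth: true"*"]"*) return 0 ;;
        *) echo "$2: certificate does not carry pp_cli_auth: true" >&2; return 1 ;;
    esac
}

# Succeed only if every expected DNS alt name appears on the named cert.
has_alt_names() {
    line=$(cert_line "$1" "$2"); shift 2
    [ -n "$line" ] || return 1
    for name in "$@"; do
        case $line in
            *"\"DNS:$name\""*) ;;
            *) echo "missing alt name: $name" >&2; return 1 ;;
        esac
    done
}

# Against the live server you would call, on the new CA:
#   has_cli_auth "$(puppetserver ca list --all)" "$(hostname -f)"
# With "check" as the argument the two checks run on the constructed sample.
if [ "${1:-}" = "check" ]; then
    has_cli_auth "$SAMPLE_LISTING" puppetca3.infra.example.invalid
    has_alt_names "$SAMPLE_LISTING" puppetca3.infra.example.invalid \
        puppet.example.invalid puppetca.example.invalid
    echo "ok"
fi
```

Both checks return non-zero with a message on stderr, so they can be dropped into the install procedure right after "re-run puppet on the new CA" to stop before the hiera key is switched if the extension or an alt name is missing.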


After the machine is installed, copy the ca folder from the current puppetca machine (/etc/puppetlabs/puppet/ssl/ca) to the new machine (or restore the most recent backup if the old puppetca machine is not available). Then the hiera key "profile::puppet::caserver" can be updated to contain the hostname of the new puppetca.

When all machines are configured to use the new puppetca, the old one can be decommissioned. The CA role will however be turned off on this machine as soon as a puppet agent runs on it, since "profile::puppet::caserver" no longer contains its hostname.
