Wednesday, 24 August 2016

Changing puppet master used by an agent node

This is how to change the puppet master used by an agent node.
The agent needs to connect to a new master and get its config from that new master onward.

The steps below pertain to Puppet Enterprise agent 3.x.
To do this we basically need to do 3 things.

1- Remove the old master's SSL certificates from the agent filesystem.
Go to the folder /etc/puppetlabs/puppet on the agent filesystem and remove the ssl folder, or move it to a new name. Then create an empty ssl folder.

2- In the same folder, edit the config file puppet.conf.
The main section should show the new puppet master hostname in the server setting:

[main]
   server = mynewpuppetmaster.host.name

3- Once the above is done, issue a puppet run using:

# puppet agent -t

This triggers the puppet agent to create new SSL certs and a certificate request for the new puppet master; the cert request automatically goes to the new server.


On the server, the request goes to /etc/puppetlabs/puppet/ssl/ca/requests.
You can list the outstanding requests using:

# puppet cert list

From the Puppet Enterprise web console you can accept the new cert request, or you can do it from the command line using:

# puppet cert sign mypuppetagent.host.name

One issue I saw while doing this was that the filesystem was 100% full and the cert requests to the master failed and never showed up in the console.
This happened because the request pem file could not be written to the requests directory on the master.
The error shown was like this when running:

# puppet cert list
Error: header too long

and also on the client side while running:

# puppet agent -t

Info: Caching certificate for ca
Error: Could not request certificate: Error 400 on SERVER: header too long


To fix this, simply ensure the filesystem used by the puppet master is not 100% full.
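
Agent-side steps 1 and 2, plus the disk-space check from the troubleshooting note, as an added shell example that is not part of the original post. The function names (repoint_agent, df_capacity, master_has_room) and the ssl.old.<timestamp> and puppet.conf.bak.<timestamp> backup names are assumptions; the paths and hostname are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# repoint_agent CONFDIR NEW_MASTER -- steps 1 and 2 on the agent.
repoint_agent() {
    confdir=$1; master=$2; conf="$confdir/puppet.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    # Accept only hostname characters before writing the value into the config.
    case $master in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $master" >&2; return 1 ;;
    esac
    stamp=$(date +%Y%m%d%H%M%S)
    # Step 1: move the old ssl folder aside (kept for rollback), create an empty one.
    if [ -d "$confdir/ssl" ]; then
        mv "$confdir/ssl" "$confdir/ssl.old.$stamp" || return 1
    fi
    mkdir "$confdir/ssl" || return 1
    # Step 2: set server in [main] only; other sections are left untouched.
    cp -p "$conf" "$conf.bak.$stamp" || return 1
    awk -v m="$master" '
        function emit() { if (inmain && !done) { print "   server = " m; done = 1 } }
        /^\[/ { emit(); inmain = ($0 ~ /^\[main\]/) }
        inmain && /^[ \t]*server[ \t]*=/ { emit(); next }
        { print }
        END { emit(); if (!done) { print "[main]"; print "   server = " m } }
    ' "$conf.bak.$stamp" > "$conf"
}

# df_capacity: read "df -P" output on stdin, print the Capacity column as a number.
df_capacity() { awk 'NR == 2 { sub(/%/, "", $5); print $5 }'; }

# master_has_room DIR: true when the filesystem holding DIR is below 100% used.
# Run on the master against the requests directory before listing or signing.
master_has_room() {
    pct=$(df -P "$1" | df_capacity)
    [ -n "$pct" ] && [ "$pct" -lt 100 ] 2>/dev/null
}

# Usage (as root):
#   agent:  repoint_agent /etc/puppetlabs/puppet mynewpuppetmaster.host.name && puppet agent -t
#   master: master_has_room /etc/puppetlabs/puppet/ssl/ca/requests && puppet cert list
```

Before signing on the master, the fingerprint printed by "puppet agent --fingerprint" on the agent can be compared with the one "puppet cert list" shows for the pending request.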

