How to create a Puppet certificate with multiple DNS names

By   09-01-2016 · 1 minute read · 213 words


If you run Puppet in an environment where the master is reachable under several DNS records (for example because of a DNS naming scheme), you will likely hit the problem that the agent complains the master's certificate does not match the hostname it connected to.

When a Puppet master is initially configured, it uses the hostname derived from the system by default. To support multiple hostnames on the certificate, you need to regenerate the cert.

If you are running Puppet 4, the certs are located in:

/etc/puppetlabs/puppet/ssl

Before doing anything, it’s recommended you make a backup of the ssl directory.

Then stop the puppetserver service.

sudo service puppetserver stop

From inside that ssl directory, locate all the existing server certs and remove them.

sudo find . -name "puppet.localdomain.pem" -exec rm -rf {} \;

Replace puppet.localdomain.pem with your master's hostname.

Then regenerate the cert with the additional names passed via --dns_alt_names (the first argument is the certificate's primary name).

sudo /opt/puppetlabs/bin/puppet cert generate puppetserver.localdomain --dns_alt_names=puppet.localdomain,puppet.lab.localdomain

Next, check that your new certs are present. I just issue a find command to validate.

$ find . -name puppetserver.localdomain.pem
./certs/puppetserver.localdomain.pem
./public_keys/puppetserver.localdomain.pem
./private_keys/puppetserver.localdomain.pem
./ca/signed/puppetserver.localdomain.pem

Check that puppetserver starts with the replaced certificate.

sudo service puppetserver start

If it starts, you can invoke puppet agent runs and the hostname mismatches will be gone.
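As an added example (not from the original post), this POSIX shell script checks that the regenerated certificate actually carries every DNS name in its subjectAltName before puppetserver is started, which is the check worth running between the generate and start steps above. The SSL path is the Puppet 4 one from the post; the hostnames are the post's example names and are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: before starting puppetserver,
# confirm that the regenerated server certificate really carries every DNS
# name agents will use. Path follows the Puppet 4 layout from the post; the
# hostnames in the usage comment are the post's example names (assumptions).

SSL_DIR=/etc/puppetlabs/puppet/ssl

# Print the DNS entries of a certificate's subjectAltName, one per line,
# in the form "DNS:name". Requires openssl on the host.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep '^DNS:'
}

# check_sans SANS NAME... : SANS is the newline-separated output of
# cert_dns_sans; returns 0 when every NAME is present, 1 otherwise, and
# reports each missing name on stderr.
check_sans() {
    sans="$1"
    shift
    missing=0
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx "DNS:$name"; then
            echo "missing SAN: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# verify_master_cert HOST ALIAS... : checks that the signed cert for HOST
# under SSL_DIR contains HOST itself plus every ALIAS (run as root or via sudo).
# Returns 2 when the certificate file cannot be read.
verify_master_cert() {
    host="$1"
    cert="$SSL_DIR/certs/$host.pem"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    check_sans "$(cert_dns_sans "$cert")" "$@"
}

# Example invocation with the post's names:
#   sh check_puppet_sans.sh puppetserver.localdomain puppet.localdomain puppet.lab.localdomain
if [ "$#" -gt 0 ]; then
    verify_master_cert "$@"
fi
```

A non-zero exit means at least one name is missing from the cert, so agents using that name would still report the mismatch; fix the --dns_alt_names list and regenerate before starting the service.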
