I’ve had to change a puppetmaster’s cert from time to time (adding a new dns_alt_name, etc.). The steps are outlined in Puppetlabs’ Troubleshooting guide:
- Stop puppet master.
- Delete the puppet master’s certificate, private key, and public key:
$ sudo find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
- Edit the certname setting in the puppet master’s /etc/puppet/puppet.conf file to match the puppet master’s actual hostname, and the dns_alt_names setting in that file to match any other DNS names you expect the master to need to respond to.
- Start a non-daemonized WEBrick puppet master instance, and wait for it to generate and sign a new certificate:
$ sudo puppet master --no-daemonize --verbose
You should stop the temporary puppet master with ctrl-C after you see the “notice: Starting Puppet master version …” message.
- Restart the puppet master.
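Once the temporary master has generated the new certificate, it is worth confirming that the certificate actually carries every name in dns_alt_names before agents reconnect. The script below is an added example, not part of the Puppetlabs guide; the function names san_list, missing_alt_names and sample_cert_text are made up here, and the sample certificate text is constructed.

```shell
#!/bin/sh
# Added example: check `openssl x509 -noout -text` output (on stdin) for the
# DNS alt names the regenerated master certificate is expected to carry.
#
# Usage on the master (both settings are read from Puppet itself):
#   openssl x509 -noout -text -in "$(puppet master --configprint hostcert)" \
#     | missing_alt_names "$(puppet master --configprint dns_alt_names)"

# san_list: print the DNS entries of the Subject Alternative Name extension,
# one per line, lowercased. Non-DNS entries (e.g. IP Address) are skipped.
san_list() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
        | sed 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]'
}

# missing_alt_names EXPECTED: EXPECTED is a comma-separated list in the same
# form as the dns_alt_names setting. Prints each expected name that is absent
# from the certificate; returns 1 if any name is missing, 0 otherwise.
missing_alt_names() {
    present=$(san_list)
    status=0
    for name in $(printf '%s' "$1" | tr ',' ' ' | tr '[:upper:]' '[:lower:]'); do
        # -x: whole-line match, -F: literal string (dots are not wildcards)
        if ! printf '%s\n' "$present" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
            status=1
        fi
    done
    return $status
}

# Constructed sample of the relevant part of `openssl x509 -text` output,
# so the functions can be exercised without a real certificate.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:puppet, DNS:puppet.example.com, DNS:master01.example.com
            X509v3 Basic Constraints: critical
                CA:FALSE
EOF
}
```

An empty result with exit status 0 means every expected name is in the certificate; any name printed means the certificate was generated before puppet.conf had the intended dns_alt_names.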