Regenerating your puppetmaster’s certificate

I’ve had to change a puppetmaster’s cert from time to time (adding a new dns_alt_name, etc.). The steps are outlined in Puppet Labs’ Troubleshooting guide:

  • Stop puppet master.
  • Delete the puppet master’s certificate, private key, and public key:
    $ sudo find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
  • Edit the certname setting in the puppet master’s /etc/puppet/puppet.conf file to match the puppet master’s actual hostname, and the dns_alt_names setting in that file to match any other DNS names you expect the master to need to respond to.
  • Start a non-daemonized WEBrick puppet master instance, and wait for it to generate and sign a new certificate:
    $ sudo puppet master --no-daemonize --verbose

    You should stop the temporary puppet master with ctrl-C after you see the “notice: Starting Puppet master version …” message.

  • Restart the puppet master.
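The second step above deletes every file under the ssldir named after the master’s certname, which includes the CA’s signed copy under ca/signed/ but must never touch the CA’s own key and certificate. The following script is an added example (not from the original post or from Puppet) that dry-runs that find expression against a constructed ssldir in Puppet’s standard layout, so you can see exactly what would be removed before running the real command with -delete, and that checks the regenerated certificate’s names afterwards. The certname puppet.example.com and the agent01.example.com entry are sample values.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Puppet's standard
# ssldir layout (certs/, private_keys/, public_keys/, ca/, ca/signed/).
set -eu

# Same expression as the guide's delete step, with -print instead of
# -delete, so it only lists what would be removed.
list_master_cert_files() {
    ssldir="$1"
    certname="$2"
    find "$ssldir" -name "$certname.pem" -type f | sort
}

# Guard: the deletion list must not contain the CA's own key or cert.
# Losing those would invalidate every agent certificate the CA signed.
ca_is_safe() {
    if list_master_cert_files "$1" "$2" \
        | grep -q -e "/ca/ca_key.pem$" -e "/ca/ca_crt.pem$"; then
        return 1
    fi
    return 0
}

count_master_cert_files() {
    list_master_cert_files "$1" "$2" | wc -l | tr -d ' '
}

# After the temporary WEBrick master has signed the new certificate,
# print its subject and subjectAltName so you can confirm the names
# match certname and dns_alt_names in puppet.conf.
show_cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        || echo "no subjectAltName extension present"
}

# Constructed sample ssldir (empty placeholder files, not a real install).
make_sample_ssldir() {
    dir="$1"
    cn="$2"
    for sub in certs private_keys public_keys ca ca/signed; do
        mkdir -p "$dir/$sub"
    done
    : > "$dir/certs/$cn.pem"                      # master's certificate
    : > "$dir/private_keys/$cn.pem"               # master's private key
    : > "$dir/public_keys/$cn.pem"                # master's public key
    : > "$dir/ca/signed/$cn.pem"                  # CA's signed copy
    : > "$dir/ca/ca_crt.pem"                      # CA certificate (keep)
    : > "$dir/ca/ca_key.pem"                      # CA private key (keep)
    : > "$dir/certs/ca.pem"                       # local CA copy (keep)
    : > "$dir/ca/signed/agent01.example.com.pem"  # an agent's cert (keep)
}

SAMPLE_SSLDIR=$(mktemp -d)
make_sample_ssldir "$SAMPLE_SSLDIR" puppet.example.com
echo "Files the guide's find -delete would remove:"
list_master_cert_files "$SAMPLE_SSLDIR" puppet.example.com
if ca_is_safe "$SAMPLE_SSLDIR" puppet.example.com; then
    echo "CA key and certificate are untouched"
fi
rm -rf "$SAMPLE_SSLDIR"
```

On a real master, call the listing with the values the guide derives: `list_master_cert_files "$(puppet master --configprint ssldir)" "$(puppet master --configprint certname)"`, and after the regeneration step run `show_cert_names "$(puppet master --configprint ssldir)/certs/$(puppet master --configprint certname).pem"` before restarting the service.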