Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Puppet cert migration from 3.3 to 3.8
#Note: those with a gap between, run them individually (ie you may not want to copy multiple lines if there are spaces. Prompts will prevent subsequent lines from being pasted)
#Part 1 - Allow remote ssh commands to old puppet master
# comment out "Defaults requiretty" in /etc/sudoers on the 'old' puppet master to enable remote scripting. :)
#Part 2 follow this walkthrough: http://docs.puppetlabs.com/pe/latest/trouble_regenerate_certs_monolithic.html
#Walkthrough Step 1: Shut down all PE-related services
puppet resource service pe-puppet ensure=stopped
puppet resource service pe-puppetserver ensure=stopped
puppet resource service pe-activemq ensure=stopped
puppet resource service pe-mcollective ensure=stopped
puppet resource service pe-puppetdb ensure=stopped
puppet resource service pe-postgresql ensure=stopped
puppet resource service pe-console-services ensure=stopped
puppet resource service pe-httpd ensure=stopped
#Walkthrough Step 2: Delete and recreate the CA (modified to copy 'old' puppet master instead of creating a new CA)
rm -rf /etc/puppetlabs/puppet/ssl/*
rm -f /var/opt/lib/pe-puppet/client_data/catalog/`hostname -f`.json
# scp CA from other master
# !!EDIT THIS!! Should be the old puppet master fqdn
ssh bswift@puppet.domain.ca "cd /etc/puppetlabs/puppet; sudo tar cvpzf ~/ssl_export.tar ssl"
scp bswift@puppet.domain.ca:~/ssl_export.tar ~/ssl_export.tar
cd /etc/puppetlabs/puppet; tar -xvf ~/ssl_export.tar ssl
# Delete old master certs, and internal certs (not in walkthrough)
# puppet cert clean pe-internal-classifier #not required for puppet 3.3
puppet cert clean pe-internal-dashboard
puppet cert clean pe-internal-mcollective-servers
puppet cert clean pe-internal-peadmin-mcollective-client
puppet cert clean pe-internal-puppet-console-mcollective-client
# !!EDIT THIS!! This is the cert name that came from the other server.
puppet cert clean puppet.domain.ca
perl -p -i -e 'tr/A-Z/a-z/' /etc/hosts #because our domain is upper case.. d'oh.
#continuing with step 2.5 from the guide
puppet cert generate `hostname -f` --dns_alt_names==puppet,`hostname -f`
#step 6 on walkthrough
puppet cert generate pe-internal-classifier
puppet cert generate pe-internal-dashboard
puppet cert generate pe-internal-mcollective-servers
puppet cert generate pe-internal-peadmin-mcollective-client
puppet cert generate pe-internal-puppet-console-mcollective-client
unalias cp #root aliases it to 'cp -i' forcing interactive mode. lets disable that for this session!
yes | cp /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
chown -R pe-puppet:pe-puppet /etc/puppetlabs/puppet/ssl
#Walkthrough Step 3: Clear and Regenerate Certs for PuppetDB
rm -rf /etc/puppetlabs/puppetdb/ssl/*
yes | cp /etc/puppetlabs/puppet/ssl/certs/`hostname -f`.pem /etc/puppetlabs/puppetdb/ssl/`hostname -f`.cert.pem
yes | cp /etc/puppetlabs/puppet/ssl/public_keys/`hostname -f`.pem /etc/puppetlabs/puppetdb/ssl/`hostname -f`.public_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/private_keys/`hostname -f`.pem /etc/puppetlabs/puppetdb/ssl/`hostname -f`.private_key.pem
chown -R pe-puppetdb:pe-puppetdb /etc/puppetlabs/puppetdb/ssl
rm -rf /opt/puppet/var/lib/pgsql/9.2/data/certs/*
yes | cp /etc/puppetlabs/puppet/ssl/certs/`hostname -f`.pem /opt/puppet/var/lib/pgsql/9.2/data/certs/`hostname -f`.cert.pem
yes | cp /etc/puppetlabs/puppet/ssl/public_keys/`hostname -f`.pem /opt/puppet/var/lib/pgsql/9.2/data/certs/`hostname -f`.public_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/private_keys/`hostname -f`.pem /opt/puppet/var/lib/pgsql/9.2/data/certs/`hostname -f`.private_key.pem
chmod 400 /opt/puppet/var/lib/pgsql/9.2/data/certs/*
chown pe-postgres:pe-postgres /opt/puppet/var/lib/pgsql/9.2/data/certs/*
#Walkthrough Step 4: Clear and Regenerate Certs for the PE Console
rm -rf /opt/puppet/share/puppet-dashboard/certs/*
rm -rf /opt/puppet/share/console-services/certs/*
yes | cp /etc/puppetlabs/puppet/ssl/certs/pe-internal-classifier.pem /opt/puppet/share/console-services/certs/pe-internal-classifier.cert.pem
yes | cp /etc/puppetlabs/puppet/ssl/public_keys/pe-internal-classifier.pem /opt/puppet/share/console-services/certs/pe-internal-classifier.public_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/private_keys/pe-internal-classifier.pem /opt/puppet/share/console-services/certs/pe-internal-classifier.private_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/certs/`hostname -f`.pem /opt/puppet/share/console-services/certs/`hostname -f`.cert.pem
yes | cp /etc/puppetlabs/puppet/ssl/public_keys/`hostname -f`.pem /opt/puppet/share/console-services/certs/`hostname -f`.public_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/private_keys/`hostname -f`.pem /opt/puppet/share/console-services/certs/`hostname -f`.private_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/certs/pe-internal-dashboard.pem /opt/puppet/share/console-services/certs/pe-internal-dashboard.cert.pem
yes | cp /etc/puppetlabs/puppet/ssl/public_keys/pe-internal-dashboard.pem /opt/puppet/share/console-services/certs/pe-internal-dashboard.public_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/private_keys/pe-internal-dashboard.pem /opt/puppet/share/console-services/certs/pe-internal-dashboard.private_key.pem
chown -R pe-console-services:pe-console-services /opt/puppet/share/console-services/certs
yes | cp /etc/puppetlabs/puppet/ssl/certs/`hostname -f`.pem /opt/puppet/share/puppet-dashboard/certs/`hostname -f`.cert.pem
yes | cp /etc/puppetlabs/puppet/ssl/public_keys/`hostname -f`.pem /opt/puppet/share/puppet-dashboard/certs/`hostname -f`.public_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/private_keys/`hostname -f`.pem /opt/puppet/share/puppet-dashboard/certs/`hostname -f`.private_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/certs/pe-internal-dashboard.pem /opt/puppet/share/puppet-dashboard/certs/pe-internal-dashboard.cert.pem
yes | cp /etc/puppetlabs/puppet/ssl/public_keys/pe-internal-dashboard.pem /opt/puppet/share/puppet-dashboard/certs/pe-internal-dashboard.public_key.pem
yes | cp /etc/puppetlabs/puppet/ssl/private_keys/pe-internal-dashboard.pem /opt/puppet/share/puppet-dashboard/certs/pe-internal-dashboard.private_key.pem
chown -R puppet-dashboard:puppet-dashboard /opt/puppet/share/puppet-dashboard/certs
# Walkthrough Step 5: Restart PE Services
puppet resource service pe-puppetserver ensure=running
puppet resource service pe-postgresql ensure=running
puppet resource service pe-puppetdb ensure=running
puppet resource service pe-console-services ensure=running
puppet resource service pe-httpd ensure=running
puppet resource service pe-activemq ensure=running
puppet resource service pe-mcollective ensure=running
puppet resource service pe-puppet ensure=running
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.