Puppet on puppetmaster, some tips

We often run a puppet on the puppetmaster which connects to the local puppetmaster. In the past, I’ve run into some problems, so I thought it best to write down a couple of tips to keep in mind when setting this up. These helped me out in the past:

  • Have a separate SSL dir for the puppetmaster and the client. The following snippet shows how to do that:
    [puppetd]
    ssldir = /var/lib/puppet/ssl
    
    [puppetmasterd]
    ssldir = /var/lib/puppet-server/ssl
    
    [puppetca]
    ssldir = /var/lib/puppet-server/ssl

    The addition to puppetca is needed because it needs to know where to sign the certificates. Of course, if you run 2.6 or higher, you need to replace puppetd with agent, puppetmasterd with mast and puppetca with… ca I think.

  • Explicitely set the certname and the certdnsnames for the puppetmaster, as follows:
    [puppetmasterd]
    certname = puppet
    certdnsnames = puppet.my.domain

That’s it. Hope it helps someone. You’re going to need to remove all old ssl dirs after you changed this and regenerate the certificates.

Tags: , ,


Leave a Reply