Puppet on puppetmaster, some tips

We often run a puppet client on the puppetmaster itself, which connects to the local puppetmaster. In the past, I’ve run into some problems, so I thought it best to write down a couple of tips to keep in mind when setting this up. These helped me out in the past:

  • Have a separate SSL dir for the puppetmaster and the client. The following snippet shows how to do that:
    [puppetd]
    ssldir = /var/lib/puppet/ssl
    
    [puppetmasterd]
    ssldir = /var/lib/puppet-server/ssl
    
    [puppetca]
    ssldir = /var/lib/puppet-server/ssl

    The addition to puppetca is needed because it needs to know where to sign the certificates. Of course, if you run 2.6 or higher, you need to replace puppetd with agent, puppetmasterd with master and puppetca with… ca, I think.

  • Explicitly set the certname and the certdnsnames for the puppetmaster, as follows:
    [puppetmasterd]
    certname = puppet
    certdnsnames = puppet.my.domain

That’s it. Hope it helps someone. You’re going to need to remove all old ssl dirs after you change this and regenerate the certificates.
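
A pre-flight check for the two tips above, as an added example that is not part of the original post: it parses puppet.conf text and reports a shared ssldir or a missing certname/certdnsnames on the master. The section-name mapping follows the post's own note (including its tentative ca), and the function names and both sample configs are constructed for illustration.

```python
import re

# Section names as the post gives them: pre-2.6 name -> 2.6+ name.
ALIASES = {"puppetd": "agent", "puppetmasterd": "master", "puppetca": "ca"}

def parse_puppet_conf(text):
    """Parse INI-style puppet.conf text into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = ALIASES.get(m.group(1), m.group(1))
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def check(text):
    """Return a list of problems; an empty list means both tips are applied."""
    conf = parse_puppet_conf(text)
    def get(section, key):
        # A setting in [main] applies to every section that does not override it.
        return conf.get(section, {}).get(key, conf.get("main", {}).get(key))
    problems = []
    agent_ssl, master_ssl, ca_ssl = (get(s, "ssldir") for s in ("agent", "master", "ca"))
    if agent_ssl is None or master_ssl is None:
        problems.append("ssldir not set explicitly for both agent and master")
    elif agent_ssl.rstrip("/") == master_ssl.rstrip("/"):
        problems.append("agent and master share ssldir " + master_ssl)
    if ca_ssl != master_ssl:
        problems.append("ca ssldir differs from the master's ssldir")
    for key in ("certname", "certdnsnames"):
        if not conf.get("master", {}).get(key):
            problems.append("master section does not set " + key)
    return problems

# Constructed samples: GOOD is the post's settings combined, BAD shares one ssldir.
GOOD = ("[puppetd]\nssldir = /var/lib/puppet/ssl\n"
        "[puppetmasterd]\nssldir = /var/lib/puppet-server/ssl\n"
        "certname = puppet\ncertdnsnames = puppet.my.domain\n"
        "[puppetca]\nssldir = /var/lib/puppet-server/ssl\n")
BAD = "[main]\nssldir = /var/lib/puppet/ssl\n[agent]\n[master]\ncertname = puppet\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check(sample) or "ok")
```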
