master's private EC2 hostname, PE generates certificates which include the
master's public EC2 hostname and
puppet as alternate DNS names.
For more information about EC2 hostnames, see the EC2 hostname or IP address troubleshooting topic.
Managing EC2 nodes by their private hostname (rather than the public hostname) keeps their hostnames consistent if, for example, the node is resized or changed to a different EC2 instance type. This requires less work when administering a PE managed VPC.
Changing the master's hostname and regenerating certificates
While not recommended, you can change the hostname of your Puppet master and use this hostname to generate new PE certificates. Do this before you connect any agents to the master.
- Connect to the master by running:
ssh -i ~/.ssh/<EC2-KEYPAIR-PRIVATE>.pem puppetadmin@<EC2-PUBLIC-HOSTNAME>
- Wait for PE configuration to complete and run the
check_status.shscript to confirm its status:
- Stop all PE services by running:
sudo /usr/local/bin/puppet resource service puppet ensure=stopped sudo /usr/local/bin/puppet resource service pe-puppetserver ensure=stopped sudo /usr/local/bin/puppet resource service pe-activemq ensure=stopped sudo /usr/local/bin/puppet resource service mcollective ensure=stopped sudo /usr/local/bin/puppet resource service pe-puppetdb ensure=stopped sudo /usr/local/bin/puppet resource service pe-postgresql ensure=stopped sudo /usr/local/bin/puppet resource service pe-console-services ensure=stopped sudo /usr/local/bin/puppet resource service pe-nginx ensure=stopped sudo /usr/local/bin/puppet resource service pe-orchestration-services ensure=stopped sudo /usr/local/bin/puppet resource service pxp-agent ensure=stopped
- Copy the SSL certificate directory (
/etc/puppetlabs/puppet/ssl/) to a backup location. Should anything go wrong during this process, you can restore certificates and your PE installation.
sudo mv /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/ssl.backup
- Delete the local cached catalog, which will be invalidated by the new
hostname, by running:
sudo rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/*
- Set the Puppet master's new hostname. This depends on your configuration,
and could be as simple as following these instructions, or this might
entail configuring a DNS service like AWS's Route 53.
- Set the hostname:
sudo hostnamectl set-hostname <NEW-MASTER-HOSTNAME>
- Add the hostname to
preserve_hostname: trueto the main section of
/etc/cloud/cloud.cfg, for example, immediately below
- Set the hostname:
- Verify that the master and agents can resolve the new hostname. Puppet must be able to contact this hostname to connect to
PE services and complete the certificate generation process.
- Edit the master's
/etc/puppetlabs/puppet/puppet.conffile and set the
certnameparameter in both the
[master]sections to the new hostname.Note: For best compatibility, limit the
certnameto letters, numbers, periods, underscores, and dashes.
- Optional. To also include alternate DNS names, edit
pe_install::puppet_master_dnsaltnamesto a list of desired alternate hostnames.Note: If you want to change the alternate DNS names on the master later, you must repeat all of these steps.
- Remove the contents of the config files so Puppet can regenerate them with the new hostname:
echo '' > /etc/puppetlabs/nginx/conf.d/proxy.conf echo '' > /etc/puppetlabs/nginx/conf.d/http_redirect.conf echo '' > /etc/puppetlabs/puppetdb/certificate-whitelist echo '' > /etc/puppetlabs/console-services/rbac-certificate-whitelist echo '<beans></beans>' > /etc/puppetlabs/activemq/activemq.xml
- Remove the old hostname from
- Use the Puppet Enterprise module to regenerate certificates and restart
PE services. (The
--modulepathoptions are required.)
sudo /usr/local/bin/puppet infrastructure configure --no-recover --modulepath /opt/puppetlabs/server/data/enterprise/modules
- Remove the former master hostname from the list of PE managed nodes by running:
sudo /usr/local/bin/puppet node purge <FORMER-MASTER-HOSTNAME>
- Start a local agent run on the master by running:
sudo /usr/local/bin/puppet agent -t
- To confirm the master's
sudo /usr/local/bin/puppet config print certname
For more information about parameters for configuring and tuning the Puppet master, see the supported PE versions topic. Refer to the PE configuration settings for the PE version you are currently using.