
Creating certificates with multiple DNS names

By default, Puppet will create an SSL certificate for your Puppet master that contains the fully qualified domain name of the server only. Depending on how your network is configured, it can be useful for the server to be known by other names. In this recipe, we'll make a new certificate for our Puppet master that has multiple DNS names.

Getting ready

Install the Puppet master package if you haven't already done so. You will then need to start the Puppet master service at least once to create a certificate authority (CA).

How to do it...

The steps are as follows:

  1. Stop the running Puppet master process with the following command:
    # service puppetmaster stop
    [ ok ] Stopping puppet master.
    
  2. Delete (clean) the current server certificate:
    # puppet cert clean puppet
    Notice: Revoked certificate with serial 6
    Notice: Removing file Puppet::SSL::Certificate puppet at '/var/lib/puppet/ssl/ca/signed/puppet.pem'
    Notice: Removing file Puppet::SSL::Certificate puppet at '/var/lib/puppet/ssl/certs/puppet.pem'
    Notice: Removing file Puppet::SSL::Key puppet at '/var/lib/puppet/ssl/private_keys/puppet.pem'
    
  3. Create a new certificate with puppet certificate generate, passing the --dns-alt-names option:
    root@puppet:~# puppet certificate generate puppet --dns-alt-names puppet.example.com,puppet.example.org,puppet.example.net --ca-location local
    Notice: puppet has a waiting certificate request
    true
    
  4. Sign the new certificate:
    root@puppet:~# puppet cert --allow-dns-alt-names sign puppet
    Notice: Signed certificate request for puppet
    Notice: Removing file Puppet::SSL::CertificateRequest puppet at '/var/lib/puppet/ssl/ca/requests/puppet.pem'
    
  5. Restart the Puppet master process:
    root@puppet:~# service puppetmaster restart
    [ ok ] Restarting puppet master.
    
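
Once the master is restarted, it is worth confirming that the signed certificate really lists every name the agents will use. The shell helpers below are an added example, not part of the recipe; they assume openssl is on the PATH and use a constructed self-signed certificate as a stand-in for the master's certificate.

```shell
#!/bin/sh
# Added example, not from the book: verify that a Puppet master certificate
# really carries the DNS names the agents will use. Assumes `openssl` is on
# the PATH; the certificate path at the bottom is the one the recipe's output shows.

# Print the DNS names in the certificate's subjectAltName extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed (exit 0) only if certificate $1 lists DNS name $2 as a SAN.
cert_has_dns_name() {
    cert_dns_names "$1" | grep -qxF "$2"
}

# Check every name in the comma-separated list $2 against certificate $1.
# Prints one line per name; the return value is the number of missing names.
check_alt_names() {
    pem="$1"; missing=0
    for name in $(printf '%s' "$2" | tr ',' ' '); do
        if cert_has_dns_name "$pem" "$name"; then
            echo "ok      $name"
        else
            echo "MISSING $name"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: a throwaway self-signed certificate with the DNS names
# in comma-separated list $3 as SANs, standing in for the Puppet master cert.
make_sample_cert() {
    out_cert="$1"; out_key="$2"
    san=$(printf '%s' "$3" | sed 's/^/DNS:/; s/,/,DNS:/g')
    cnf=$(mktemp)
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n' > "$cnf"
    printf '[dn]\nCN = puppet\n[ext]\nsubjectAltName = %s\n' "$san" >> "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$out_key" -out "$out_cert" >/dev/null 2>&1
    rm -f "$cnf"
}

# On the master from the recipe (the path comes from the recipe's own output):
# check_alt_names /var/lib/puppet/ssl/certs/puppet.pem puppet,puppet.example.com,puppet.example.org
```

A non-zero exit from check_alt_names means at least one name is missing and agents using that name will fail certificate verification.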

How it works...

When your Puppet agents connect to the Puppet server, they first look for a host called puppet, and then for a host called puppet.[your domain]. If your clients are in different domains, your Puppet master needs to answer correctly to all of those names. By removing the existing certificate and generating a new one that carries the extra names, you can have your Puppet master reply to multiple DNS names.
