It's now possible to install both Puppet Master and Agent on the same host with different certs for each, to avoid future conflicts when managing master server with puppet. You need to have 2 seperate entries on puppet.conf, one in [master] and one in [agent] so that separate certs are generated.
Before we proceed with the install need to make sure that a CNAME/alias name is setup for the puppetmaster and DNS for puppet agent and both should refer back to the same host.
Puppetmaster CNAME/Alias = puppetmaster.ppt.local
Puppet DNS = puppet.ppt.local
IP Address = 192.168.132.11
When using local DNS i.e. etc/hosts
Edit /etc/hosts to have 2 DNS names for the same host.
# vi /etc/hosts
192.168.132.11 puppet.ppt.local puppetmaster.ppt.local
When using IDM/FreeIPA Server as DNS
Login to Idm server and add a CNAME entry for the puppetmaster to point to puppet server.
Goto --> Identity --> DNS --> ppt.local --> Add
Record name: puppetmaster
Record Type: CNAME
Now make sure both the hosts are resolved. Run the below commands.
# host puppetmaster
[root@puppet admin]# host puppetmaster puppetmaster.ppt.local is an alias for puppet.ppt.local. puppet.ppt.local has address 192.168.132.11
# host puppet
[root@puppet admin]# host puppet
puppet.ppt.local has address 192.168.132.11
We now see that both can be resolved and point to the same host IP address.
Now as we are ready with the DNS and CNAME for both puppet and puppetmaster, next step would be to start the install of puppet master and agent on the host.
Enable Puppet Repo
# rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Install Puppet server. Puppet agent is installed part of it.
# yum install puppet-server
Edit/Add puppet.conf with puppetmaster and puppet agent entry. Also enable autosign in [main] section.
# vi /etc/puppet/puppet.conf
autosign = true
certname = puppetmaster.ppt.local
server = puppet.ppt.local
Now 1st start puppetmaster so that it can generate a cert for it. Check the logs to confirm it works.
# service puppetmaster start # chkconfig puppetmaster on
logs - /var/log/messages:
[root@puppet ~]# tail -f /var/log/messages Dec 30 11:13:31 puppet puppet-master: puppetmaster.ppt.local has a waiting certificate request Dec 30 11:13:31 puppet puppet-master: Signed certificate request for puppetmaster.ppt.local Dec 30 11:13:31 puppet puppet-master: Removing file Puppet::SSL::CertificateRequest puppetmaster.ppt.local at '/var/lib/puppet/ssl/ca/requests/puppetmaster.ppt.local.pem' Dec 30 11:13:31 puppet puppet-master: Removing file Puppet::SSL::CertificateRequest puppetmaster.ppt.local at '/var/lib/puppet/ssl/certificate_requests/puppetmaster.ppt.local.pem'
2nd start puppet agent so that it can generate a cert for it. Check the logs to confirm it works.
# service puppet start # chkconfig puppet on
logs - /var/log/messages:
Dec 30 11:17:25 puppet puppet-master: puppet.ppt.local has a waiting certificate request Dec 30 11:17:25 puppet puppet-master: Signed certificate request for puppet.ppt.local Dec 30 11:17:25 puppet puppet-master: Removing file Puppet::SSL::CertificateRequest puppet.ppt.local at '/var/lib/puppet/ssl/ca/requests/puppet.ppt.local.pem'
Now check the certs signed and you should see two certs in the list, one each for puppetmaster and puppet.
# puppet cert list --all
[root@puppet admin]# puppet cert list --all
+ "puppet.ppt.local" (SHA256) EB:2F:34:A5:AC:F5:38:68:89:3F:69:7F:56:CB:9D:8C:6A:77:23:DE:FE:1A:62:C9:31:69:91:BF:44:B4:39:3A + "puppetmaster.ppt.local" (SHA256) 32:4D:2D:96:8C:1A:FF:CA:70:00:F5:99:58:1C:DF:4C:63:E2:55:B8:9E:8F:3B:BC:73:1F:CA:AC:49:ED:7E:59 (alt names: "DNS:puppet", "DNS:puppet.ppt.local", "DNS:puppetmaster.ppt.local")
You should now have a working puppetmaster and puppet agent on the same host. Any issues, please do let us know via Contact Us/comments.