Yes, it is now possible to install both Puppet Master and Agent on the same host with a different cert for each, which avoids later conflicts when managing the master server with puppet itself. You need two separate entries in puppet.conf, one in [master] and one in [agent], so that separate certs are generated.
Before we proceed with the install, we need to make sure that a CNAME/alias name is set up for the puppetmaster and a DNS name for the puppet agent, and that both resolve back to the same host.
Puppetmaster CNAME/Alias = puppetmaster.ppt.local
Puppet DNS = puppet.ppt.local
IP Address = 192.168.132.11
When using local DNS, i.e. /etc/hosts
Edit /etc/hosts so that the same host has two DNS names.
# vi /etc/hosts
192.168.132.11 puppet.ppt.local puppetmaster.ppt.local
When using IDM/FreeIPA Server as DNS
Log in to the IdM server and add a CNAME entry for puppetmaster that points to the puppet server.
Go to Identity --> DNS --> ppt.local --> Add
Record name: puppetmaster
Record Type: CNAME
Hostname: puppet
Click Add
Now make sure both hostnames resolve. Run the commands below.
# host puppetmaster
Output:
[root@puppet admin]# host puppetmaster
puppetmaster.ppt.local is an alias for puppet.ppt.local.
puppet.ppt.local has address 192.168.132.11
# host puppet
Output:
[root@puppet admin]# host puppet
puppet.ppt.local has address 192.168.132.11
We now see that both can be resolved and point to the same host IP address.
Now that the DNS name and the CNAME for puppet and puppetmaster are ready, the next step is to install puppet master and agent on the host.
Enable Puppet Repo
# rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Install Puppet server. The Puppet agent is installed as part of it.
# yum install puppet-server
Edit puppet.conf and add the puppetmaster and puppet agent entries. Also enable autosign in the [main] section.
# vi /etc/puppet/puppet.conf
[main]
autosign = true
[master]
certname = puppetmaster.ppt.local
[agent]
server = puppet.ppt.local
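The following shell script is an added example, not part of the original post or of Puppet itself. It reads a puppet.conf with the [main]/[master]/[agent] layout shown above and checks two things a practitioner wants to verify before starting the services: that [master] certname and [agent] server are distinct (otherwise the two daemons would contend for one cert), and whether autosign is the unconditional "true", which makes the CA sign every certificate request it receives. The two sample configs it writes are constructed for the demonstration; the whitelist path /etc/puppet/autosign.conf in the hardened sample is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a puppet.conf for a
# combined master+agent host and flag an open autosign setting.

# Print the value of KEY inside [SECTION] of an INI-style puppet.conf.
# Usage: conf_get FILE SECTION KEY
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ "^[[:space:]]*\\[" sec "\\]"); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Return 0 when [master] certname and [agent] server are both set and differ,
# which is what lets the master and the agent get separate certs; 1 otherwise.
check_split_identity() {
    master_cn=$(conf_get "$1" master certname)
    agent_server=$(conf_get "$1" agent server)
    [ -n "$master_cn" ] && [ -n "$agent_server" ] && [ "$master_cn" != "$agent_server" ]
}

# Return 0 when [main] autosign is the literal "true": every CSR reaching the
# CA on port 8140 is then signed without review, so any host that can connect
# obtains a valid client cert. Return 1 when autosign is off or names a
# whitelist file of permitted certnames.
autosign_is_open() {
    [ "$(conf_get "$1" main autosign)" = "true" ]
}

# Constructed sample configs for the demonstration (not from the post).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

cat > "$WORKDIR/weak.conf" <<'EOF'
[main]
autosign = true
[master]
certname = puppetmaster.ppt.local
[agent]
server = puppet.ppt.local
EOF

cat > "$WORKDIR/hardened.conf" <<'EOF'
[main]
# assumed whitelist path: only certnames listed in this file are auto-signed
autosign = /etc/puppet/autosign.conf
[master]
certname = puppetmaster.ppt.local
[agent]
server = puppet.ppt.local
EOF

for f in weak hardened; do
    if check_split_identity "$WORKDIR/$f.conf"; then
        echo "$f.conf: master and agent use distinct identities"
    else
        echo "$f.conf: master/agent identity is not split"
    fi
    if autosign_is_open "$WORKDIR/$f.conf"; then
        echo "$f.conf: autosign = true signs every request; restrict it to a whitelist"
    else
        echo "$f.conf: autosign is restricted or off"
    fi
done
```

Running it prints both checks for each sample: the weak config passes the identity split but is flagged for open autosign, the hardened one passes both. With autosign = true in place as the post configures it, the first agent run is still the moment to run puppet cert list and confirm that only the expected two names were signed.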
Now first start puppetmaster so that it can generate a cert for itself. Check the logs to confirm it works.
# service puppetmaster start
# chkconfig puppetmaster on
Logs - /var/log/messages:
[root@puppet ~]# tail -f /var/log/messages
Dec 30 11:13:31 puppet puppet-master[2985]: puppetmaster.ppt.local has a waiting certificate request
Dec 30 11:13:31 puppet puppet-master[2985]: Signed certificate request for puppetmaster.ppt.local
Dec 30 11:13:31 puppet puppet-master[2985]: Removing file Puppet::SSL::CertificateRequest puppetmaster.ppt.local at '/var/lib/puppet/ssl/ca/requests/puppetmaster.ppt.local.pem'
Dec 30 11:13:31 puppet puppet-master[2985]: Removing file Puppet::SSL::CertificateRequest puppetmaster.ppt.local at '/var/lib/puppet/ssl/certificate_requests/puppetmaster.ppt.local.pem'
Second, start the puppet agent so that it can generate a cert for itself. Check the logs to confirm it works.
# service puppet start
# chkconfig puppet on
Logs - /var/log/messages:
Dec 30 11:17:25 puppet puppet-master[3061]: puppet.ppt.local has a waiting certificate request
Dec 30 11:17:25 puppet puppet-master[3061]: Signed certificate request for puppet.ppt.local
Dec 30 11:17:25 puppet puppet-master[3061]: Removing file Puppet::SSL::CertificateRequest puppet.ppt.local at '/var/lib/puppet/ssl/ca/requests/puppet.ppt.local.pem'
Now check the signed certs; you should see two certs in the list, one each for puppetmaster and puppet.
# puppet cert list --all
Output:
[root@puppet admin]# puppet cert list --all
+ "puppet.ppt.local" (SHA256) EB:2F:34:A5:AC:F5:38:68:89:3F:69:7F:56:CB:9D:8C:6A:77:23:DE:FE:1A:62:C9:31:69:91:BF:44:B4:39:3A
+ "puppetmaster.ppt.local" (SHA256) 32:4D:2D:96:8C:1A:FF:CA:70:00:F5:99:58:1C:DF:4C:63:E2:55:B8:9E:8F:3B:BC:73:1F:CA:AC:49:ED:7E:59 (alt names: "DNS:puppet", "DNS:puppet.ppt.local", "DNS:puppetmaster.ppt.local")