When the puppetmaster server is changed for a Labs instance, for example to a standalone puppetmaster, the directory /var/lib/puppet/ssl needs to be removed so that certificates & Co. can be regenerated (cf. https://wikitech.wikimedia.org/wiki/Standalone_puppetmaster#Step_2:_Setup_a_puppet_client, https://wikitech.wikimedia.org/wiki/Tools_Kubernetes#Switch_to_new_puppetmaster).
modules/base/manifests/init.pp already has code to do that on the condition of /root/allowcertdeletion existing as part of a scheme to move VMs from one Labs puppetmaster to another (introduced by 3b9987677d7a632fd1b2dd9ccf4454275cbeabf2).
This could be used and improved for the general case. I don't see a security risk in deleting the certificates & Co. if someone changed the Hiera variable puppetmaster. Anyone who can do that is root on that instance and can change whatever he wants anyway.
Deleting /var/lib/puppet/ssl completely on some change is very heavy-handed. This could be fine-tuned because for clients of the Labs puppetmaster, openssl x509 -in /var/lib/puppet/ssl/certs/$(hostname -f).pem -text -noout includes:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7369 (0x1cc9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: virt1000.wikimedia.org
        Validity
            Not Before: Nov 30 20:43:45 2016 GMT
            Not After : Nov 30 20:43:45 2021 GMT
        Subject: CN=toolsbeta-valhallasw-puppet-compiler-3.toolsbeta.eqiad.wmflabs
[…]
(BTW, virt1000.wikimedia.org is NXDOMAIN) and for clients of standalone puppetmasters:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: toolsbeta-puppetmaster7.toolsbeta.eqiad.wmflabs
        Validity
            Not Before: Dec 11 03:28:57 2016 GMT
            Not After : Dec 11 03:28:57 2021 GMT
        Subject: CN=toolsbeta-clush-master-01.toolsbeta.eqiad.wmflabs
[…]
So I suggest automatically deleting those files under /var/lib/puppet/ssl that do not reference the puppetmaster specified by the Hiera variable.
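As an added example of that fine-tuned deletion (not code from modules/base/manifests/init.pp or from the Puppet project), the script below reads the Issuer of the agent certificate, the Subject of the cached ca.pem and the Issuer of the cached crl.pem with openssl, compares the "Puppet CA: <host>" name against the puppetmaster passed as its second argument, and removes only the files issued by a different CA. It assumes the CA name has the form "Puppet CA: <puppetmaster fqdn>" shown in the output above and that the caller hands in the Hiera value of puppetmaster; the two sample_* functions embed the two certificate texts quoted above, truncated, as constructed test input.

```shell
#!/bin/sh
# Added example, not Wikimedia or Puppet code. Removes the parts of the
# agent's /var/lib/puppet/ssl that were issued by a CA other than the
# puppetmaster named in $2 (assumed to be the Hiera value of puppetmaster).
# Private keys, public keys and the CSR reference no master and are kept;
# puppet agent reuses the key when it requests a new certificate.

# Print the host from a "<field>: ... CN=Puppet CA: <host>" line of
# `openssl x509|crl -text -noout` output on stdin; print nothing otherwise.
# Matches both "CN=" (OpenSSL 1.0/1.1) and "CN = " (newer) spellings.
puppet_ca_host_from_text() {
    field="$1"
    sed -n 's/^[[:space:]]*'"$field"':.*CN[[:space:]]*=[[:space:]]*Puppet CA: *\([^, ]*\).*$/\1/p' | head -n 1
}
issuer_host_from_text()  { puppet_ca_host_from_text Issuer; }
subject_host_from_text() { puppet_ca_host_from_text Subject; }

# Success iff the certificate/CRL text on stdin was issued by "Puppet CA: $1".
cert_issued_by() {
    expected="$1"
    actual="$(issuer_host_from_text)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

remove_stale() {
    echo "removing $1: not issued by the configured puppetmaster" >&2
    rm -f "$1"
}

# Check the three files under $1 that embed a CA name and delete the stale ones.
prune_stale_agent_ssl() {
    ssl_dir="$1"; expected="$2"
    fqdn="$(hostname -f)"

    cert="$ssl_dir/certs/$fqdn.pem"          # agent certificate: check Issuer
    if [ -f "$cert" ] && ! openssl x509 -in "$cert" -noout -text | cert_issued_by "$expected"; then
        remove_stale "$cert"
    fi

    ca="$ssl_dir/certs/ca.pem"               # cached CA certificate: check Subject
    if [ -f "$ca" ] && [ "$(openssl x509 -in "$ca" -noout -text | subject_host_from_text)" != "$expected" ]; then
        remove_stale "$ca"
    fi

    crl="$ssl_dir/crl.pem"                   # cached CRL: check Issuer
    if [ -f "$crl" ] && ! openssl crl -in "$crl" -noout -text | cert_issued_by "$expected"; then
        remove_stale "$crl"
    fi
}

# Constructed test input: the two certificate dumps quoted in the task, truncated.
sample_labs_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7369 (0x1cc9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: virt1000.wikimedia.org
        Validity
            Not Before: Nov 30 20:43:45 2016 GMT
            Not After : Nov 30 20:43:45 2021 GMT
        Subject: CN=toolsbeta-valhallasw-puppet-compiler-3.toolsbeta.eqiad.wmflabs
EOF
}
sample_standalone_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: toolsbeta-puppetmaster7.toolsbeta.eqiad.wmflabs
        Validity
            Not Before: Dec 11 03:28:57 2016 GMT
            Not After : Dec 11 03:28:57 2021 GMT
        Subject: CN=toolsbeta-clush-master-01.toolsbeta.eqiad.wmflabs
EOF
}

# Usage: sh prune-stale-ssl.sh /var/lib/puppet/ssl <puppetmaster fqdn>
if [ "$#" -eq 2 ]; then
    prune_stale_agent_ssl "$1" "$2"
fi
```

After the stale files are gone, the next `puppet agent -tv` fetches the new master's ca.pem, submits a CSR signed with the existing key, and waits for it to be signed on the master, so the "rm -fR /var/lib/puppet/ssl" step of the workaround is no longer needed; an agent certificate that already matches the configured puppetmaster is left untouched.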
Workaround
See https://wikitech.wikimedia.org/wiki/Help:Standalone_puppetmaster:
Agent:
rm -fR /var/lib/puppet/ssl
Master:
puppet cert clean <fqdn of instance>
Agent:
puppet agent -tv
mkdir -p /var/lib/puppet/client/ssl/certs
cp /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/client/ssl/certs
puppet agent -tv