...
Before a machine can retrieve new SSL certificates it need to have the old ones revoked. This is done at the puppetca:
| Code Block | ||
|---|---|---|
| ||
root@puppetca.fqdn:~# puppet cert clean client.fqdn |
...
Delete old certificates on the client, and create a new CSR.
Clear all old certificates from the puppet-client.
| Code Block | ||
|---|---|---|
| ||
root@client.fqdn:~# rm -rf /etc/puppetlabs/puppet/ssl |
Trigger a puppet-run on the client to have it creating a new CSR, and sending it to the puppetCA.
| Code Block | ||
|---|---|---|
| ||
root@client.fqdn:~# puppet agent --test --waitforcert 10 |
While this command is running you could sign the certificate.
Sign the new certificate
...
To see which CSR's have arrived and not been saved, use the following command:
| Code Block | ||
|---|---|---|
| ||
root@puppetca.fqdn:~# puppet cert list |
To sign a certificate (without any DNS-alt-names):
| Code Block | ||
|---|---|---|
| ||
root@puppetca.fqdn:~# puppet cert sign client.fqdn |
If the certificate needs to have more than one DNS name in it (puppetservers, puppetca and puppetdb hosts for example), add --allow-dns-alt-names:
| Code Block | ||
|---|---|---|
| ||
root@puppetca.fqdn:~# puppet cert sign client.fqdn --allow-dns-alt-names |
Verify the new certificate
Finally; test that the configuration works by seeing that a puppet-run succeeds. Either see that the puppet run started when you created the CSR succeeds, or start a new one if that one timed out in the meantime.
This puppet-run should restart all the puppet-services on the host, so no need to do that manually.