...
Before a machine can retrieve a new SSL certificate, its old one has to be revoked: the CA refuses to sign a CSR for a certname that already has a signed certificate. Revocation is done on the puppetca. `clean` both revokes the certificate and removes it from the CA's store (`puppetserver ca revoke` would only revoke it):

```shell
root@puppetca.fqdn:~# puppetserver ca clean --certname client.fqdn
```
The CRL is distributed to the rest of the infrastructure each time those machines run the puppet agent, so a node that has not completed an agent run since the revocation will keep accepting the old certificate until its next run.
Delete old certificates on the client, and create a new CSR.
Clear all old certificates from the puppet client. Run this on the client only, never on the puppetca host, where it would also remove the server's own certificate. The path below is the default ssldir of the all-in-one agent packages; if `puppet config print ssldir` shows a different location on the client, clear that directory instead.

```shell
root@client.fqdn:~# rm -rf /etc/puppetlabs/puppet/ssl
```
Trigger a puppet run on the client to have it create a new key and CSR and send the CSR to the puppetca.

```shell
root@client.fqdn:~# puppet agent --test --waitforcert 10
```
While this command is waiting it re-polls the CA every 10 seconds (the `--waitforcert` value), so sign the certificate on the puppetca in the meantime.
Sign the new certificate
To see which CSRs have arrived and are still waiting to be signed, use the following command:

```shell
root@puppetca.fqdn:~# puppetserver ca list
```
To sign a certificate
...
(with or without any DNS alt names):
(From Puppet 7 there is no longer a CLI switch to allow alt names. Whether the CA will sign a CSR that carries subject alt names is set in the Puppet CA's own configuration, the `allow-subject-alt-names` setting in puppetserver's `ca.conf`, which is off by default; a CSR with alt names will not be signed otherwise.)

```shell
root@puppetca.fqdn:~# puppetserver ca sign --certname client.fqdn
```
Verify the new certificate
Finally, confirm that the configuration works by checking that a puppet run succeeds. Either watch the run you started when creating the CSR finish successfully, or start a new one if that one was interrupted or timed out in the meantime. It is also worth checking the validity dates on the new certificate under the client's ssldir, since a signed certificate that never made it back to the client is the usual reason a later run still fails.
Provided the catalog manages them, this puppet run restarts the puppet services on the host, so there is no need to do that manually.
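To show why the order of the steps above matters, here is an added example (not from this page, and not Puppet code) that replays the cycle against a throwaway OpenSSL CA: a CA with a certificate database refuses a second certificate for client.fqdn while the first is still valid, and once the old one is revoked and the CRL regenerated, the old certificate fails CRL checking while the freshly issued one passes. The hostnames puppetca.fqdn and client.fqdn are the page's; the work directory, file names and the minimal openssl.cnf are assumptions of this demo. It needs only a POSIX shell and the openssl binary.

```shell
#!/bin/sh
# Added example, not part of the original page or of Puppet: the revoke / wipe / re-issue
# cycle replayed against a throwaway OpenSSL CA so that the effect of each step can be
# checked offline. Work directory, file names and openssl.cnf below are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"      # stands in for the Puppet CA's own store
SSLDIR="$WORK/ssl"     # stands in for /etc/puppetlabs/puppet/ssl on client.fqdn
CNF="$CA_DIR/openssl.cnf"

gen_crl() {
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1
}

# Minimal CA with a certificate database, so "openssl ca" enforces one valid certificate
# per subject, can revoke, and can issue CRLs. An empty client "ssldir" is created too.
setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$SSLDIR"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth,serverAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=puppetca.fqdn" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" >/dev/null 2>&1
    gen_crl   # an (empty) CRL must exist before -crl_check can be used at all
}

# Client side: fresh key + CSR (what "puppet agent --test" does with an empty ssldir),
# then CA side: sign it (the "puppetserver ca sign" step). Fails while the CA database
# still holds a valid certificate for the same CN.
issue_client_cert() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=client.fqdn" \
        -keyout "$SSLDIR/client.key" -out "$SSLDIR/client.csr" >/dev/null 2>&1
    openssl ca -batch -config "$CNF" -notext -in "$SSLDIR/client.csr" \
        -out "$SSLDIR/client.pem" >/dev/null 2>&1
}

# CA side: the revoke half of "puppetserver ca clean", followed by republishing the CRL.
revoke_client_cert() {
    openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1
    gen_crl
}

# What any other node effectively does once it has pulled the latest CRL: chain check
# against the CA plus a CRL lookup. Exit status 0 means the certificate is accepted.
verify_against_crl() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.pem" -CRLfile "$CA_DIR/crl.pem" "$1" >/dev/null 2>&1
}

setup_ca
issue_client_cert                                 # the original certificate
cp "$SSLDIR/client.pem" "$WORK/old-client.pem"    # kept outside ssldir only to test it later
verify_against_crl "$WORK/old-client.pem"         # accepted so far

# Skipping the revoke step: wiping the client and re-requesting is refused, because the CA
# still holds a valid certificate for client.fqdn.
rm -rf "$SSLDIR" && mkdir -p "$SSLDIR"
if issue_client_cert; then
    echo "unexpected: CA issued a second certificate for client.fqdn" >&2
    exit 1
fi

# The page's order: revoke on the CA, wipe the client ssldir, request and sign a new one.
revoke_client_cert "$WORK/old-client.pem"
rm -rf "$SSLDIR" && mkdir -p "$SSLDIR"
issue_client_cert

OLD_OK=0; verify_against_crl "$WORK/old-client.pem" && OLD_OK=1   # must now be rejected
NEW_OK=0; verify_against_crl "$SSLDIR/client.pem"   && NEW_OK=1   # must be accepted
echo "old cert accepted=$OLD_OK new cert accepted=$NEW_OK (work dir: $WORK)"
```

Run it with `sh`; it prints `old cert accepted=0 new cert accepted=1` and leaves the key material in the work directory for inspection. The refused second issuance is the OpenSSL-side equivalent of the Puppet CA ignoring a CSR for a certname that already has a certificate, and the final two checks are what a node's verification amounts to after its next agent run has fetched the updated CRL.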