There are situations where we would like to regenerate the SSL certificate of a certain machine, usually because the hostnames (DNS alt names) in the certificate have to change. This page describes that process.
Stop the puppet agent (and other puppet services) on the client machine
The first step is to stop the puppet agent on the machine that should get a new certificate:
root@client.fqdn:~# systemctl stop puppet
If the machine is running other puppet services (such as puppetserver or puppetdb), these should be stopped as well:
root@client.fqdn:~# systemctl stop puppetdb
root@client.fqdn:~# systemctl stop puppetserver
Revoke the old certificate
Before a machine can retrieve a new SSL certificate, its old one must be revoked. This is done on the puppetca; puppet cert clean both revokes the certificate (adding it to the CRL) and deletes the signed copy from the CA's store:
root@puppetca.fqdn:~# puppet cert clean client.fqdn
The updated CRL is distributed to the rest of the infrastructure each time the puppet agent runs on those machines; until then, other puppet servers still work with the previous CRL.
Delete old certificates on the client, and create a new CSR
Remove all old certificates and keys from the puppet client. Do not do this on the puppetca host itself: in the Puppet versions that still ship puppet cert, the CA's own key and certificate store live in /etc/puppetlabs/puppet/ssl/ca and would be destroyed along with them.
root@client.fqdn:~# rm -rf /etc/puppetlabs/puppet/ssl
Trigger a puppet run on the client to make it generate a new key and CSR and submit the CSR to the puppetca:
root@client.fqdn:~# puppet agent --test --waitforcert 10
This command keeps re-polling the CA every 10 seconds; while it is running, sign the certificate on the puppetca.
Sign the new certificate
To see which CSRs have arrived at the puppetca and are still waiting to be signed, use the following command:
root@puppetca.fqdn:~# puppet cert list
To sign a certificate (without any DNS alt names):
root@puppetca.fqdn:~# puppet cert sign client.fqdn
If the certificate needs more than one DNS name in it (the puppetserver, puppetca and puppetdb hosts, for example), add --allow-dns-alt-names. The names themselves come from the client: they must be listed in the dns_alt_names setting of its puppet.conf before the CSR is generated, otherwise there is nothing for the CA to allow:
root@puppetca.fqdn:~# puppet cert sign client.fqdn --allow-dns-alt-names
Verify the new certificate
Finally, verify that the configuration works by checking that a puppet run succeeds: either watch the run started when the CSR was created complete successfully, or start a new one if it timed out in the meantime.
This puppet run should restart all puppet services on the host, so there is no need to do that by hand.
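The puppetca side of the procedure above (revoke, wait for the new CSR, sign, confirm), collected into a script as an added example. This is not code from the original page; the function names, the --with-alt-names switch and the 120-second wait are this example's own choices. It is meant to be run as root on the puppetca while the client's puppet agent --test --waitforcert 10 is running:

```shell
#!/bin/sh
# Added example, not part of the original page: the puppetca side of
# regenerating a client certificate. Function names and the
# --with-alt-names switch are this example's own.

# csr_pending LISTING HOST
# Succeeds if HOST appears in LISTING (the output of `puppet cert list`)
# as an unsigned request. Pending requests are printed as
#   "host.fqdn" (SHA256) AA:BB:...
# while signed ones carry a leading "+" and revoked ones a leading "-".
csr_pending() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == ("\"" h "\"") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# cert_signed LISTING HOST
# Succeeds if HOST is listed as a signed certificate in the output of
# `puppet cert list --all`.
cert_signed() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == "+" && $2 == ("\"" h "\"") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# wait_for_csr HOST TIMEOUT_SECONDS
# Polls the CA until the client's new CSR has arrived or the timeout passes.
wait_for_csr() {
    host=$1
    deadline=$(( $(date +%s) + $2 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if csr_pending "$(puppet cert list)" "$host"; then
            return 0
        fi
        sleep 2
    done
    echo "no CSR from $host arrived within $2 seconds" >&2
    return 1
}

# regenerate_on_ca HOST [--with-alt-names]
# Revokes the old certificate, waits for the new CSR, signs it and shows
# the subject and DNS names that ended up in the new certificate.
regenerate_on_ca() {
    host=$1
    alt=""
    if [ "${2:-}" = "--with-alt-names" ]; then
        alt="--allow-dns-alt-names"
    fi

    # Revoke the old certificate and drop the CA's copy of it.
    puppet cert clean "$host"

    wait_for_csr "$host" 120 || return 1

    # The alt names must already be in the CSR (dns_alt_names in the
    # client's puppet.conf); --allow-dns-alt-names only permits them.
    puppet cert sign "$host" $alt

    # Confirm the CA now holds a signed certificate and inspect its names.
    cert_signed "$(puppet cert list --all)" "$host" || return 1
    puppet cert print "$host" | grep -E 'Subject:|DNS:'
}

if [ $# -gt 0 ]; then
    regenerate_on_ca "$@"
fi
```

Usage: regenerate_on_ca client.fqdn, or regenerate_on_ca puppetdb.fqdn --with-alt-names for a host whose CSR carries dns_alt_names. The listing parsers compare the quoted name exactly, so client.fqdn does not match client.fqdn.example and a signed or revoked entry is never mistaken for a pending request.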