There are situations where we would like to regenerate the SSL certificate for a certain machine. Usually this is because we want to change the hostnames in the certificate. This page describes the process.

Stop the puppet agent (and other puppet services) on the client machines

The first step is to stop the puppet agent on the machine which should get new certificates:

Stop the puppet agent
root@client.fqdn:~# systemctl stop puppet

If the machine is running other puppet services (such as puppetserver or puppetdb), these should also be stopped:

Stop the puppet services
root@client.fqdn:~# systemctl stop puppetdb
root@client.fqdn:~# systemctl stop puppetserver

Revoke the old certificate

Before a machine can retrieve new SSL certificates it needs to have the old ones revoked. This is done on the puppetca:

Revoke old client certificate
root@puppetca.fqdn:~# puppetserver ca clean --certname client.fqdn

The CRL is distributed to the rest of the infrastructure each time the other machines run the puppet agent.

Delete old certificates on the client, and create a new CSR

Clear all old certificates from the puppet client:

Delete old certificates
root@client.fqdn:~# rm -rf /etc/puppetlabs/puppet/ssl

Trigger a puppet run on the client to have it create a new CSR and send it to the puppetCA:

Create a CSR
root@client.fqdn:~# puppet agent --test --waitforcert 10

While this command is running, you can sign the certificate on the puppetca.

Sign the new certificate

To see which CSRs have arrived but not yet been signed, use the following command:

See CSRs
root@puppetca.fqdn:~# puppetserver ca list

To sign a certificate (with or without DNS alt names):
(From Puppet 7 on, there is no longer a CLI switch to allow alt names; they must be permitted in the configuration of the Puppet CA.)

Sign the certificate
root@puppetca.fqdn:~# puppetserver ca sign --certname client.fqdn
Verify the new certificate

Finally, test that the configuration works by checking that a puppet run succeeds. Either watch the puppet run you started when creating the CSR succeed, or start a new one if that one timed out in the meantime.

This puppet run should restart all the puppet services on the host, so there is no need to do that manually.
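As an added example (not part of the original page), a small POSIX shell check to run on the client after the puppet run: it confirms that the freshly signed certificate carries the expected hostname and DNS alt names and that it was issued by the local Puppet CA. It assumes the default ssl directory /etc/puppetlabs/puppet/ssl and an openssl binary on the client; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Verifies a newly signed Puppet
# agent certificate after "puppet agent --test". Assumes the default layout:
#   certs/<certname>.pem  - the agent certificate
#   certs/ca.pem          - the CA certificate the agent trusts
SSLDIR="${SSLDIR:-/etc/puppetlabs/puppet/ssl}"

# cert_names CERTFILE: print the subject CN and every DNS alt name, one per line.
cert_names() {
    # "subject=CN = client.fqdn" (OpenSSL 1.1+) or "subject= /CN=client.fqdn"
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    # SAN line in -text output looks like "DNS:client.fqdn, DNS:puppet.alias"
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# cert_has_names CERTFILE NAME...: succeed only if every NAME is in the cert.
cert_has_names() {
    cert="$1"; shift
    names=$(cert_names "$cert")
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF "$want" || return 1
    done
    return 0
}

# cert_signed_by_ca CAFILE CERTFILE: succeed if CERTFILE chains to CAFILE.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_agent_cert CERTNAME [ALTNAME...]: the check to run on the client.
check_agent_cert() {
    host="$1"; shift
    cert="$SSLDIR/certs/$host.pem"
    cert_has_names "$cert" "$host" "$@" \
        || { echo "$cert lacks one of: $host $*" >&2; return 1; }
    cert_signed_by_ca "$SSLDIR/certs/ca.pem" "$cert" \
        || { echo "$cert was not issued by $SSLDIR/certs/ca.pem" >&2; return 1; }
    echo "$cert carries $host $* and chains to the local CA"
}

# Usage: sh check_cert.sh client.fqdn [dns-alt-name ...]
if [ "$#" -gt 0 ]; then
    check_agent_cert "$@"
fi
```

A non-zero exit means the CA signed a certificate with different names than intended (for example because the alt names are not permitted in the CA configuration), which is worth catching before the old certificate is forgotten.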
