Renewing an expired Puppet master certificate.
The Problem
It has been 5 years since the Puppet server v5 deployment, and the Puppet master certificate has therefore expired.
# puppet cert list --all
- "puppet.example.com" (SHA256) 11:36:8F:20:BB:3D:1C:5B:D9:1D:55:68:D9:CC:0D:D4:3A:E6:C4:0E:8B:02:32:E6:72:D4:F6:D1:07:10:47:E1 (certificate has expired)
- "ip-10-10-10-18.eu-west-1.compute.internal" (SHA256) 11:39:B9:1E:7B:A3:EC:28:3A:E8:C0:77:58:96:3F:12:C6:39:04:54:DC:CF:56:54:25:63:B2:DA:19:50:D1:90 (certificate has expired)
+ "ip-10-10-11-70.eu-west-2.compute.internal" (SHA256) 11:F6:EC:D7:6A:DC:5F:85:07:43:FC:E5:16:6A:5E:3E:8A:5B:D7:1A:70:E7:B2:79:8E:E1:A6:EB:D0:CB:7B:5C
+ "ip-10-10-12-54.eu-west-2.compute.internal" (SHA256) 11:10:19:BF:87:27:16:CC:FC:4D:78:22:B1:0F:A1:BB:AF:35:B2:E3:E6:6F:86:8B:69:24:AB:FD:AB:E4:11:94
[OUTPUT TRUNCATED]
$ rpm -qa | grep puppet
puppet5-release-5.0.0-14.el7.noarch
puppet-agent-5.5.22-1.el7.x86_64
puppetserver-5.3.16-1.el7.noarch
The Solution: Regenerate Certificates
Leaving aside the fact that Puppet v5.5 is EOL, we needed to bring the system back to a working state.
First of all, back up Puppet's SSL directory, /etc/puppetlabs/puppet/ssl/. If something goes wrong, you can always restore the files to their previous state.
# cp -pr /etc/puppetlabs/puppet/ssl/ /etc/puppetlabs/puppet/ssl_backup
Stop the Puppet agent service (on the master server):
# puppet resource service puppet ensure=stopped
Remove the expired Puppet master certificate.
# puppet cert clean puppet.example.com
Warning: `puppet cert` is deprecated and will be removed in a future release. (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
Notice: Revoked certificate with serial 40
Notice: Removing file Puppet::SSL::Certificate puppet.example.com at '/etc/puppetlabs/puppet/ssl/ca/signed/puppet.example.com.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.example.com at '/etc/puppetlabs/puppet/ssl/certs/puppet.example.com.pem'
Notice: Removing file Puppet::SSL::Key puppet.example.com at '/etc/puppetlabs/puppet/ssl/private_keys/puppet.example.com.pem'
Stop the Puppet master service.
# puppet resource service puppetserver ensure=stopped
Generate a new Puppet master certificate. When you see the message Notice: Starting Puppet master, press CTRL + C.
# puppet master --no-daemonize --verbose
Info: Creating a new SSL key for puppet.example.com
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet.example.com
Info: Certificate Request fingerprint (SHA256): 22:A5:8E:A1:B2:96:4B:76:AC:71:FF:F8:5D:3C:4B:E1:A3:6D:E3:BA:08:F3:7A:7F:BF:D1:43:5E:2F:32:92:83
Notice: puppet.example.com has a waiting certificate request
Notice: Signed certificate request for puppet.example.com
Notice: Removing file Puppet::SSL::CertificateRequest puppet.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet.example.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.example.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/puppet.example.com.pem'
Warning: The WEBrick Puppet master server is deprecated and will be removed in a future release. Please use Puppet Server instead. See http://links.puppet.com/deprecate-rack-webrick-servers for more information. (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
Warning: Accessing 'bindaddress' as a setting is deprecated. (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1210:in `issue_deprecation_warning')
Notice: Starting Puppet master version 5.5.22
Start the Puppet master service.
# puppet resource service puppetserver ensure=running
Start the Puppet agent service.
# puppet resource service puppet ensure=running
Verify by invoking Puppet agent:
# puppet agent -tv
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for puppet.example.com
Info: Applying configuration version '1712255587'
Notice: Applied catalog in 7.20 seconds
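The certificate above expired unnoticed after five years. As an added check that is not part of the original post, the script below reports the remaining lifetime of the CA certificate, the master certificate and every signed agent certificate under the SSL directory, so the renewal can be scheduled instead of forced by an outage. It assumes GNU date and openssl are installed and that the CA certificate lives at ca/ca_crt.pem (the conventional Puppet path; the post does not show it).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: report remaining lifetime of the Puppet
# CA certificate, the master certificate and all signed agent certificates.
# Assumes GNU date and openssl; ca/ca_crt.pem is the conventional CA path (assumption).
set -u

SSLDIR="${PUPPET_SSLDIR:-/etc/puppetlabs/puppet/ssl}"
WARN_DAYS="${WARN_DAYS:-90}"   # warn when a certificate has less than this many days left

# days_left "<notAfter as printed by openssl>" -> whole days until expiry (negative = expired)
days_left() {
    local not_after="$1" now end
    now=$(date -u +%s)
    end=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# classify <days> <warn_days> -> OK | EXPIRING | EXPIRED
classify() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$2" ]; then echo EXPIRING
    else echo OK
    fi
}

# check_cert <pem> -> prints one report line; returns 0 OK, 1 EXPIRING, 2 EXPIRED, 3 unreadable
check_cert() {
    local pem="$1" not_after subject days state
    not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2-) || return 3
    subject=$(openssl x509 -in "$pem" -noout -subject)
    days=$(days_left "$not_after") || return 3
    state=$(classify "$days" "$WARN_DAYS")
    printf '%-8s %5s days  %s  (%s)\n' "$state" "$days" "$pem" "$subject"
    case $state in OK) return 0;; EXPIRING) return 1;; *) return 2;; esac
}

# main -> worst status over all certificates (Nagios-style: 0 ok, 1 warning, 2 critical)
main() {
    local worst=0 rc pem
    for pem in "$SSLDIR/ca/ca_crt.pem" "$SSLDIR/certs/"*.pem "$SSLDIR/ca/signed/"*.pem; do
        [ -f "$pem" ] || continue          # skip unmatched globs
        check_cert "$pem"; rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

if [ -d "$SSLDIR" ]; then main; else echo "no Puppet SSL directory at $SSLDIR (set PUPPET_SSLDIR to override)" >&2; fi
```

Run it from cron or a monitoring agent and alert on a non-zero exit status; the master's own certificate is listed twice because Puppet keeps a copy in both certs/ and ca/signed/.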