Regenerate Expired Puppet Master Certificate

Renewing an expired Puppet master certificate.

The Problem

It has been 5 years since the Puppet server v5 deployment, and the Puppet master certificate has therefore expired.

# puppet cert list --all
- "puppet.example.com"                         (SHA256) 11:36:8F:20:BB:3D:1C:5B:D9:1D:55:68:D9:CC:0D:D4:3A:E6:C4:0E:8B:02:32:E6:72:D4:F6:D1:07:10:47:E1 (certificate has expired)
- "ip-10-10-10-18.eu-west-1.compute.internal"  (SHA256) 11:39:B9:1E:7B:A3:EC:28:3A:E8:C0:77:58:96:3F:12:C6:39:04:54:DC:CF:56:54:25:63:B2:DA:19:50:D1:90 (certificate has expired)
+ "ip-10-10-11-70.eu-west-2.compute.internal"  (SHA256) 11:F6:EC:D7:6A:DC:5F:85:07:43:FC:E5:16:6A:5E:3E:8A:5B:D7:1A:70:E7:B2:79:8E:E1:A6:EB:D0:CB:7B:5C
+ "ip-10-10-12-54.eu-west-2.compute.internal"  (SHA256) 11:10:19:BF:87:27:16:CC:FC:4D:78:22:B1:0F:A1:BB:AF:35:B2:E3:E6:6F:86:8B:69:24:AB:FD:AB:E4:11:94
[OUTPUT TRUNCATED]
$ rpm -qa | grep puppet
puppet5-release-5.0.0-14.el7.noarch
puppet-agent-5.5.22-1.el7.x86_64
puppetserver-5.3.16-1.el7.noarch
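As an added example (not part of the original post), here is a small Python parser for the `puppet cert list --all` listing format shown above, so the state of every certificate known to the CA can be checked from a captured listing instead of by eye. The leading glyph semantics it relies on are Puppet 5's: `+` means signed, `-` means invalid (expired or revoked), and a blank glyph is a pending request. The sample listing, the node hostnames other than puppet.example.com, and the fingerprints are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the `puppet cert list --all` output format produced by
# Puppet 5's deprecated `puppet cert` CA tool. Hostnames (other than the
# master, puppet.example.com) and fingerprints are made up for this example.
SAMPLE_LISTING = """\
- "puppet.example.com"                 (SHA256) 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20 (certificate has expired)
- "node1.example.com"                  (SHA256) 21:22:23:24:25:26:27:28:29:2A:2B:2C:2D:2E:2F:30:31:32:33:34:35:36:37:38:39:3A:3B:3C:3D:3E:3F:40 (certificate has expired)
+ "node2.example.com"                  (SHA256) 41:42:43:44:45:46:47:48:49:4A:4B:4C:4D:4E:4F:50:51:52:53:54:55:56:57:58:59:5A:5B:5C:5D:5E:5F:60
  "node3.example.com"                  (SHA256) 61:62:63:64:65:66:67:68:69:6A:6B:6C:6D:6E:6F:70:71:72:73:74:75:76:77:78:79:7A:7B:7C:7D:7E:7F:80
"""

# Leading glyph: '+' signed, '-' invalid (expired or revoked), ' ' pending request.
GLYPH_STATUS = {"+": "signed", "-": "invalid", " ": "request"}

LINE_RE = re.compile(
    r'^(?P<glyph>[+\- ])\s*"(?P<name>[^"]+)"\s+'
    r'\((?P<algo>[A-Z0-9]+)\)\s+'
    r'(?P<fp>[0-9A-F]{2}(?::[0-9A-F]{2})+)'
    r'(?:\s+\((?P<note>[^)]*)\))?\s*$'
)


@dataclass
class CertEntry:
    name: str
    status: str          # signed | invalid | request
    algorithm: str       # fingerprint digest, e.g. SHA256
    fingerprint: str
    note: Optional[str]  # trailing note such as "certificate has expired"

    @property
    def expired(self) -> bool:
        return self.note is not None and "expired" in self.note


def parse_listing(text: str) -> List[CertEntry]:
    """Parse `puppet cert list --all` output; raises on lines it cannot read."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised cert list line: {raw!r}")
        entries.append(CertEntry(
            name=m["name"],
            status=GLYPH_STATUS[m["glyph"]],
            algorithm=m["algo"],
            fingerprint=m["fp"],
            note=m["note"],
        ))
    return entries


def expired_names(entries: List[CertEntry]) -> List[str]:
    """Certnames whose certificate the CA reports as expired."""
    return [e.name for e in entries if e.expired]


def master_needs_regeneration(entries: List[CertEntry], master_fqdn: str) -> bool:
    """True when the master's own certificate is listed and no longer valid."""
    return any(e.name == master_fqdn and e.status == "invalid" for e in entries)


def summarize(entries: List[CertEntry]) -> Dict[str, int]:
    """Count entries by CA status (signed / invalid / request)."""
    counts = {"signed": 0, "invalid": 0, "request": 0}
    for e in entries:
        counts[e.status] += 1
    return counts


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print("status counts:", summarize(found))
    for name in expired_names(found):
        print("expired:", name)
    if master_needs_regeneration(found, "puppet.example.com"):
        print("master certificate must be regenerated before agents can check in")
```

Feed it the real listing (`puppet cert list --all > listing.txt` and read the file) to get the same summary for a live CA; the parser deliberately raises on any line it does not recognise rather than silently skipping a host.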

The Solution: Regenerate Certificates

Leaving aside the fact that Puppet v5.5 is EOL, we needed to bring the system back to a working state.

First of all, back up Puppet's SSL directory, /etc/puppetlabs/puppet/ssl/. If something goes wrong, you can always restore the files to what they were before.

# cp -pr /etc/puppetlabs/puppet/ssl/ /etc/puppetlabs/puppet/ssl_backup

Stop the Puppet agent service (on the master server):

# puppet resource service puppet ensure=stopped

Remove the expired Puppet master certificate.

# puppet cert clean puppet.example.com
Warning: `puppet cert` is deprecated and will be removed in a future release.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
Notice: Revoked certificate with serial 40
Notice: Removing file Puppet::SSL::Certificate puppet.example.com at '/etc/puppetlabs/puppet/ssl/ca/signed/puppet.example.com.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.example.com at '/etc/puppetlabs/puppet/ssl/certs/puppet.example.com.pem'
Notice: Removing file Puppet::SSL::Key puppet.example.com at '/etc/puppetlabs/puppet/ssl/private_keys/puppet.example.com.pem'

Stop the Puppet master service.

# puppet resource service puppetserver ensure=stopped

Generate a new Puppet master certificate. When you see the message "Notice: Starting Puppet master", press CTRL + C.

# puppet master --no-daemonize --verbose
Info: Creating a new SSL key for puppet.example.com
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppet.example.com
Info: Certificate Request fingerprint (SHA256): 22:A5:8E:A1:B2:96:4B:76:AC:71:FF:F8:5D:3C:4B:E1:A3:6D:E3:BA:08:F3:7A:7F:BF:D1:43:5E:2F:32:92:83
Notice: puppet.example.com has a waiting certificate request
Notice: Signed certificate request for puppet.example.com
Notice: Removing file Puppet::SSL::CertificateRequest puppet.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet.example.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.example.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/puppet.example.com.pem'
Warning: The WEBrick Puppet master server is deprecated and will be removed in a future release. Please use Puppet Server instead. See http://links.puppet.com/deprecate-rack-webrick-servers for more information.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
Warning: Accessing 'bindaddress' as a setting is deprecated.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1210:in `issue_deprecation_warning')
Notice: Starting Puppet master version 5.5.22

Start the Puppet master service.

# puppet resource service puppetserver ensure=running

Start the Puppet agent service.

# puppet resource service puppet ensure=running

Verify by invoking Puppet agent:

# puppet agent -tv
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for puppet.example.com
Info: Applying configuration version '1712255587'
Notice: Applied catalog in 7.20 seconds
