Revive an Expired Puppet CA with Certregen

Renewing an expired Puppet CA certificate using the certregen module.

The Problem

I’ve been involved in a project migrating ageing infrastructure (e.g. CentOS 7) and legacy applications (e.g. MySQL 5.7) to modern software. One of the first problems was an old installation of Puppet Server v5 whose CA certificate had already expired.

$ rpm -qa | grep puppet
puppet5-release-5.0.0-14.el7.noarch
puppet-agent-5.5.22-1.el7.x86_64
puppetserver-5.3.16-1.el7.noarch

Puppet’s CA certificate is only valid for a limited time, usually 5 years, after which it expires. When the CA expires, Puppet’s services no longer accept any certificates signed by that CA, and the Puppet infrastructure immediately stops working.

The Solution

Leaving aside the fact that Puppet v5.5 is EOL, we needed to bring the system back to a working state. This meant regenerating the CA certificates.

Puppetlabs provides a certregen module that allows one to regenerate and redistribute Puppet CA certificates and refresh CRLs, without invalidating certificates signed by the original CA. It can also revive a Puppet CA that has already expired.

Working with Certregen

Installation

Install the Puppet module puppetlabs-certregen:

# puppet module install puppetlabs-certregen
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ puppetlabs-certregen (v0.2.0)
  └── puppetlabs-stdlib (v4.25.1)

Check for Expired Certificates

We can see that the CA certificate’s status is “expired”.

# puppet certregen healthcheck
"ca" (SHA256) 11:8B:52:F2:E8:CB:66:42:43:C3:51:9A:6E:3D:26:83:4F:69:17:B6:4B:A2:73:1B:26:44:AC:A0:16:01:7C:9F
Status: expired
Expiration date: 2024-03-11 14:35:39 UTC

"puppet.example.com" (SHA256) 11:36:8F:20:BB:3D:1C:5B:D9:1D:55:68:D9:CC:0D:D4:3A:E6:C4:0E:8B:02:32:E6:72:D4:F6:D1:07:10:47:E1
Status: expiring
Expiration date: 2024-03-31 16:39:25 UTC
Expires in: 17 days, 9 hours, 5 minutes, 55 seconds

"ip-10-10-10-18.eu-west-1.compute.internal" (SHA256) 11:39:B9:1E:7B:A3:EC:28:3A:E8:C0:77:58:96:3F:12:C6:39:04:54:DC:CF:56:54:25:63:B2:DA:19:50:D1:90
Status: expiring
Expiration date: 2024-03-31 17:07:45 UTC
Expires in: 17 days, 9 hours, 34 minutes, 15 seconds

[OUTPUT TRUNCATED]
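
A monitoring wrapper for the healthcheck output above, as an added example that is not part of the original post or the certregen module: it parses the records into tab-separated lines and maps them to a Nagios-style exit code, so an expiring CA is noticed before it expires. The function names, the exit-code convention and the shortened sample fingerprints are assumptions constructed for illustration.

```shell
# Added example; assumes the record layout shown above: a quoted certname line,
# then "Status:" and "Expiration date:" lines (optionally indented).

# healthcheck_summary: stdin = healthcheck output; prints status<TAB>certname<TAB>expiry.
healthcheck_summary() {
  awk '
    /^[ \t]*"/ {                      # new record: "certname" (SHA256) fingerprint
      name = $0
      sub(/^[ \t]*"/, "", name)       # drop the leading quote
      sub(/".*$/, "", name)           # drop the closing quote and the fingerprint
      next
    }
    /^[ \t]*Status:/ {
      status = $0
      sub(/^[ \t]*Status:[ \t]*/, "", status)
      next
    }
    /^[ \t]*Expiration date:/ {
      expiry = $0
      sub(/^[ \t]*Expiration date:[ \t]*/, "", expiry)
      if (name != "") printf "%s\t%s\t%s\n", status, name, expiry
      name = ""; status = ""
    }
  '
}

# healthcheck_exit_code: Nagios-style result for a cron or monitoring job.
#   2 = at least one certificate is expired
#   1 = nothing expired, but at least one certificate is expiring
#   0 = nothing reported
healthcheck_exit_code() {
  healthcheck_summary | awk -F '\t' '
    $1 == "expired"  { expired++ }
    $1 == "expiring" { expiring++ }
    END { if (expired) exit 2; if (expiring) exit 1; exit 0 }
  '
}

# Constructed sample in the format shown above (fingerprints are placeholders).
SAMPLE='"ca" (SHA256) AA:AA:AA:AA
Status: expired
Expiration date: 2024-03-11 14:35:39 UTC

"puppet.example.com" (SHA256) BB:BB:BB:BB
Status: expiring
Expiration date: 2024-03-31 16:39:25 UTC
Expires in: 17 days, 9 hours, 5 minutes, 55 seconds'

printf '%s\n' "$SAMPLE" | healthcheck_summary
```

On a Puppet server the real command is piped in instead of the sample: `puppet certregen healthcheck | healthcheck_exit_code`.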

Generate a New CA Certificate

We want to generate a new CA certificate using the existing CA keypair. We do not want to create a new keypair. We also want to automatically update the expiration date of the certificate revocation list (CRL).

# puppet certregen ca --ca_serial 01
Notice: Backing up current CA certificate to /etc/puppetlabs/puppet/ssl/ca/ca_crt.1710401711.pem
Notice: Signed certificate request for ca
CA expiration is now 2029-03-13 07:35:11 UTC
CRL next update is now 2029-03-13 07:35:11 UTC

Distribute the New CA Certificate

Distribute the new CA cert to every node in your Puppet infrastructure. How you do this depends on how your environment has been set up.

In our case we used a regular user account with sudo privileges to copy files using SCP.

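$ for i in $(cat list_of_puppet_agent_servers.txt);
do
  # Copy the new CA certificate to the node, then move it into place as root.
  # "&&" ensures chown only runs if the move succeeded.
  scp ./ca.pem "${i}":~/
  ssh "${i}" "sudo mv ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem && sudo chown root: /etc/puppetlabs/puppet/ssl/certs/ca.pem"
done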

References

https://github.com/puppetlabs-toy-chest/puppetlabs-certregen
