
How to renew expired puppetmaster certificates?

asked 2015-03-10 10:50:58 -0600

BIgData

We are running puppetmaster 0.25.4 and recently our certificates have expired. Can somebody shed light on how to renew these certificates?


2 Answers


answered 2015-03-11 04:58:45 -0600

Martijn Heemels

updated 2015-04-15 22:00:06 -0600 by GregLarkin

There's unfortunately no automated process, because of the chicken-and-egg problem, although you could automate the steps via orchestration tools like Ansible. If you're planning to automate via MCollective, remember that its certificates are usually also signed by the Puppet Master's CA, so they will also have expired by now. I'd use Ansible for this, or do it manually if it's a handful of servers.

Essentially, it boils down to this:

  1. Clear and Regenerate Certs on Your Puppet Master
  2. Clear and Regenerate Certs for any Extensions
  3. Clear and Regenerate Certs for Puppet Agents

Puppet labs has documented the required steps in detail here:

You're probably aware of this, but 0.25.4 is a very old version (almost 5 years old) that is no longer updated, and it would be wise to upgrade. So many bugs have been fixed since that time, and modern Puppet features allow you to do many cool things.


answered 2015-04-15 00:58:40 -0600

YOGESH DANGCHE

updated 2015-04-16 01:04:41 -0600

So the solution is to:

  1. Remove the certificate on the Puppet server. You can remove all of them or just the one you want. The following command removes all SSL certificates used by the Puppet server:

rm -rf /var/lib/puppet/ssl

puppet cert clean agent-FQDN

  2. Remove the certificate on the Puppet client with the same command:

rm -rf /var/lib/puppet/ssl

  3. Temporarily set the Puppet server's host name:

hostname puppet

  4. Restart the Puppet server:

service puppetmaster restart

  5. Re-run the SSL certificate verification command to check the host name in the certificate:

puppet cert print $(puppet master --configprint certname)

  6. Restart the Puppet client:

service puppet restart



I'm afraid this answer is incomplete. In the first step you'll need to remove the master's CA certificate as well, at least I'm assuming that that's the one that has actually expired. I'm also wondering why you chose to change the hostname? Shouldn't the 'dns_alt_names' setting take care of that?

Martijn Heemels (2015-05-18 03:41:17 -0600)
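Added example, not code from either answer: both answers describe how to recover after the CA and agent certificates have already expired, but the cheaper control is to notice the expiry coming. The POSIX shell script below reports the notAfter date of the Puppet CA certificate and every issued certificate under the ssldir and exits non-zero when any of them is expired or will expire within a chosen number of days. It assumes the ssldir used in the answer above (/var/lib/puppet/ssl, overridable via PUPPET_SSLDIR), the CA certificate at ca/ca_crt.pem and issued certificates under certs/, and it requires the openssl command-line tool; run it from cron on the master with a window of, say, 30 days.

```shell
#!/bin/sh
# Puppet certificate expiry check (added example, not from the original answers).
# Assumes the Puppet 0.25-era default ssldir; override with PUPPET_SSLDIR.
# Requires the openssl CLI.

PUPPET_SSLDIR="${PUPPET_SSLDIR:-/var/lib/puppet/ssl}"

# cert_expires_within CERT DAYS
#   Returns 0 if CERT is already expired or will expire within DAYS days,
#   1 if it stays valid beyond that window. Wraps `openssl x509 -checkend`,
#   which succeeds only when the certificate is still valid SECONDS from now.
cert_expires_within() {
    _cert="$1"
    _days="$2"
    if openssl x509 -in "$_cert" -noout -checkend $(( _days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_puppet_certs [DAYS]
#   Prints one line per certificate found under $PUPPET_SSLDIR (CA cert first,
#   then every issued cert) with its notAfter date. Returns 0 if all of them are
#   valid for at least DAYS more days (default 30), 1 if any is expired or
#   about to expire.
check_puppet_certs() {
    _days="${1:-30}"
    _rc=0
    # Assumed layout: ca/ca_crt.pem is the CA, certs/*.pem are issued certs.
    for _cert in "$PUPPET_SSLDIR/ca/ca_crt.pem" "$PUPPET_SSLDIR/certs/"*.pem; do
        [ -f "$_cert" ] || continue          # skip an unmatched glob
        _end=$(openssl x509 -in "$_cert" -noout -enddate | sed 's/^notAfter=//')
        if cert_expires_within "$_cert" "$_days"; then
            echo "EXPIRING  $_cert  (notAfter: $_end)"
            _rc=1
        else
            echo "ok        $_cert  (notAfter: $_end)"
        fi
    done
    return $_rc
}

# Usage: sh check-puppet-certs.sh --check [DAYS]
if [ "${1:-}" = "--check" ]; then
    check_puppet_certs "${2:-30}"
    exit $?
fi
```

A non-zero exit is what your monitoring should alert on; once the CA certificate itself reports EXPIRING, the only remaining option is the full regenerate-everything procedure described in the answers above, so the window should be long enough to schedule a rotation of the CA before that point.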



Asked: 2015-03-10 10:50:58 -0600

Seen: 9,512 times

Last updated: Apr 16 '15