Ask Your Question

Completely replace CA infrastructure?

asked 2016-02-20 17:01:33 -0600

theillien gravatar image

I'm playing with a Puppet Enterprise installation for a project at work. Without going into detail I have renamed the server from it's original hostname to one that better reflects its nature. Unfortunately, I did this after installing PE. This has led to an issue with SSL certificates and the CA.

I have a Windows 2008 R2 agent. I am able to run Puppet for an initial check in to generate the certificate request. The problem is that the certificate is signed as the old hostname. This causes problems because when I check in after the certificate has been signed. I get a slew of errors in the general language of:

Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for \CN=<OLD_HOSTNAME>]

Basically, all of the errors indicate [unable to get local issuer certificate for /CN=<OLDHOSTNAME>].

I've followed the instructions for regenerating the SSL certs and security credential in a monolithic deployment. I would have thought that this would strip out the CA information for the old hostname but that doesn't seem to be the case since the certs are being signed as such rather than with the new hostname.

I can no doubt start from scratch since this is far from Production, but I feel it is in my best interest to figure out how to fix these types of problems without resorting to a nuclear option.

Is it possible to completely regenerate the CA infrastructure on the Puppet Master without a re-installation in order to have certs signed as the new hostname or do I have to start from scratch?

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted

answered 2016-02-24 18:18:57 -0600

UBPClaw gravatar image

updated 2016-02-24 18:21:51 -0600

This should help you generate a new certificate on your Puppet Master


edit flag offensive delete link more


I used the instructions for the monolithic PE installation. It didn't create a new CA, hence my question.

theillien gravatar imagetheillien ( 2016-02-24 18:43:20 -0600 )edit

answered 2016-02-24 04:37:05 -0600

There may be a more correct answer, but here's what I'd do: enable autosigning; delete all the old certs on your puppet master with puppet cert clean; use your orchestration framework to remove /var/lib/puppet/ssl on each node; then wait for each node to check in again (so wait more than 30 minutes); then disable autosigning again.

edit flag offensive delete link more


My issue isn't with node certificates. I've been having issues with the CA signing with the old hostname rather than the new hostname. Regenerating the entire SSL chain for a monolithic PE installation has not worked.

theillien gravatar imagetheillien ( 2016-02-24 18:43:21 -0600 )edit

Ah, Ok. Honestly, I'd just reinstall the master. Perhaps someone else will know a fix for the issue.

Alex Harvey gravatar imageAlex Harvey ( 2016-02-24 21:39:53 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2016-02-20 17:01:33 -0600

Seen: 211 times

Last updated: Feb 24 '16