Regenerate puppet CA on puppet 2.7!

asked 2017-03-21 13:49:57 -0500

hibbert

updated 2017-03-22 07:28:26 -0500

DarylW

Hi,

Still running an old puppet master and need to regenerate the CA; it is running under Passenger, so the WEBrick server is not running.

I'm reading through these instructions - https://docs.puppet.com/puppet/3.6/ssl_regenerate_certificates.html. I'm not sure they make sense for this setup: first of all, the puppet service is not running, as it is Passenger, and also because the version is older.

I think the instructions would be similar; it is just that I need to stop httpd, and to get the puppet master's new certificate, run puppet in noop. Would that be right?

Thanks


Comments

You're a sysadmin. You can run openssl on your own, can't you? Anywho, you guessed it, I recommend an upgrade to PP 4.x.

Kai Burghardt (2017-03-22 00:07:51 -0500)

1 Answer


answered 2017-03-23 16:04:19 -0500

timelord

updated 2017-03-23 16:04:45 -0500

This is how I renewed my Puppet CA; puppet-master was running via Passenger.

On puppet-client side:

  • stop all active puppet clients (you can use pssh to run the following)

service puppet stop (on RedHat 6.x / CentOS 6.x)


On puppet-master side

  • Stop Apache

service httpd stop (on RedHat 6.x / CentOS 6.x)

  • Back up puppet ssl folders:

mkdir /root/renew_ca

mv /var/lib/puppet/ssl /root/renew_ca/puppet_ssl

mv /var/lib/puppetmaster/ssl /root/renew_ca/puppetmaster_ssl

  • Regenerate the CA:

puppet cert list -a . . . you should see this message: Notice: Signed certificate request for ca.

  • Generate the Puppet master’s new certs:

puppet master --no-daemonize --verbose . . . when you see Notice: Starting Puppet master <your puppet version>, hit CTRL + C.

  • Start Apache

service httpd start (on RedHat 6.x / CentOS 6.x)


On puppet-client side:

  • delete the old certificate and make a request for a new one on all active puppet clients (you can use pssh to run the following)

rm -rf /var/lib/puppet/ssl

puppet agent -t --noop


On puppet-master side

  • sign all the new requests:

puppet cert list --all

puppet cert sign --all


On puppet-client side:

  • start all puppet clients again (you can use pssh to run the following)

service puppet start (on RedHat 6.x / CentOS 6.x)

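The procedure in the answer above, written up as a script (an added example, not the answer author's or Puppet's own code). The one deliberate difference from the answer is that the client's ssl directory is moved aside rather than rm -rf'd, so every old CA and agent cert stays available for rollback until the new CA has been confirmed working. Paths are the Puppet 2.7 defaults quoted in the answer; BACKUP_DIR, CERTNAME, the 60-second wait for the master cert, the file name renew_ca.sh and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the answer author's code): the CA regeneration procedure from the
# answer above as a script. The ssl directories are moved aside, never deleted, so the
# old CA can be restored if signing goes wrong. Paths are the Puppet 2.7 defaults from
# the answer; BACKUP_DIR, CERTNAME, the 60 s wait and DRY_RUN are assumptions.
set -eu

PUPPET_SSL=${PUPPET_SSL:-/var/lib/puppet/ssl}
PUPPETMASTER_SSL=${PUPPETMASTER_SSL:-/var/lib/puppetmaster/ssl}
BACKUP_DIR=${BACKUP_DIR:-/root/renew_ca}
CERTNAME=${CERTNAME:-$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo puppet)}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the service/puppet commands instead of running them

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# backup_ssl_dir SRC DEST: move an ssl directory aside. Returns 1 when SRC is missing
# or DEST already exists, so a second run can never clobber the first backup.
backup_ssl_dir() {
    src=$1; dest=$2
    if [ ! -d "$src" ]; then echo "skip: $src does not exist" >&2; return 1; fi
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 1; fi
    run mkdir -p "$(dirname "$dest")"
    run mv "$src" "$dest"
    [ "$DRY_RUN" = 1 ] || [ -d "$dest" ]
}

# ca_changed OLD NEW: succeed only if both CA cert files exist and differ
# (cksum is POSIX, so the check needs no openssl).
ca_changed() {
    [ -f "$1" ] && [ -f "$2" ] && [ "$(cksum < "$1")" != "$(cksum < "$2")" ]
}

# generate_master_cert: run the master in the foreground as the answer does, but stop it
# automatically once its certificate file appears instead of waiting for CTRL+C.
generate_master_cert() {
    cert="$PUPPET_SSL/certs/$CERTNAME.pem"
    if [ "$DRY_RUN" = 1 ]; then echo "+ puppet master --no-daemonize --verbose (until $cert exists)"; return 0; fi
    puppet master --no-daemonize --verbose &
    pid=$!
    i=0
    while [ ! -f "$cert" ] && [ "$i" -lt 60 ]; do sleep 1; i=$((i + 1)); done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    [ -f "$cert" ]
}

# regenerate_master_ca: the master-side steps, in the answer's order.
regenerate_master_ca() {
    run service httpd stop
    backup_ssl_dir "$PUPPET_SSL" "$BACKUP_DIR/puppet_ssl"
    backup_ssl_dir "$PUPPETMASTER_SSL" "$BACKUP_DIR/puppetmaster_ssl" || true  # absent on some installs
    run puppet cert list -a            # creates the new CA ("Signed certificate request for ca")
    generate_master_cert
    # Refuse to bring Apache back up unless a CA cert exists and differs from the backup.
    [ "$DRY_RUN" = 1 ] || ca_changed "$BACKUP_DIR/puppet_ssl/ca/ca_crt.pem" "$PUPPET_SSL/ca/ca_crt.pem"
    run service httpd start
}

# renew_client: the client-side steps (run on each agent, e.g. via pssh). The old ssl
# directory is moved aside instead of rm -rf'd so the agent can be rolled back.
renew_client() {
    run service puppet stop
    backup_ssl_dir "$PUPPET_SSL" "$BACKUP_DIR/puppet_ssl" || true
    run puppet agent -t --noop         # submits the new CSR; sign on the master, then start the agent
}

# Run the master-side procedure only when invoked as renew_ca.sh (assumed file name);
# sourcing the file just defines the functions.
case "$0" in *renew_ca.sh) regenerate_master_ca ;; esac
```

Run `DRY_RUN=1 sh renew_ca.sh` first to see the exact commands that will be executed, then `sh renew_ca.sh` on the master; on each agent, source the file and call `renew_client`, then `puppet cert list --all` / `puppet cert sign --all` on the master and `service puppet start` on the agents as in the answer. Keeping `/root/renew_ca` until the first successful agent run after signing is what makes the procedure reversible: restoring the two backed-up directories and restarting httpd puts the old CA back.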
