Ask Your Question

Regenerate puppet CA on puppet 2.7!

asked 2017-03-21 13:49:57 -0600

hibbert gravatar image

updated 2017-03-22 07:28:26 -0600

DarylW gravatar image


Still running an old puppet master and need to regenerate the CA, it is running under passenger so the webbrick server is not running.

I'm reading through these instructions - I'm not sure they make sense for this setup first of all the puppet service is not running as it is passenger and also because the version is older.

I think the instructions would be similar it is just that I need to stop httpd and to get the puppet master new certificate run puppet in noop. Would that be right?


edit retag flag offensive close merge delete


You're a sysadmin. You can run openssl by your own, can't you? Anywho, you guessed it, I recommend an upgrade to PP 4.x.

Kai Burghardt gravatar imageKai Burghardt ( 2017-03-22 00:07:51 -0600 )edit

1 Answer

Sort by » oldest newest most voted

answered 2017-03-23 16:04:19 -0600

timelord gravatar image

updated 2017-03-23 16:04:45 -0600

This is how I renewed my Puppet CA; puppet-master was running via Passenger

On puppet-client side:

  • stop all active puppet clients (you can use pssh to run the following)

service puppet stop (on RedHat 6.x / CentOS 6.x)

On puppet-master side

  • Stop Apache

service httpd stop (on RedHat 6.x / CentOS 6.x)

  • Back up puppet ssl folders:

mkdir /root/renew_ca

mv /var/lib/puppet/ssl /root/renew_ca/puppet_ssl

mv /var/lib/puppetmaster/ssl /root/renew_ca/puppetmaster_ssl

  • Regenerate the CA:

puppet cert list -a . . . you should see this message: Notice: Signed certificate request for ca.

  • Generate the Puppet master’s new certs:

puppet master --no-daemonize --verbose . . . when you see Notice: Starting Puppet master <your puppet="" version="">, hit CTRL + C.

  • Start Apache

service httpd start (on RedHat 6.x / CentOS 6.x)

On puppet-client side:

  • delete the old certificate and make a request for a new one on all active puppet clients (you can use pssh to run the following)

rm -rf /var/lib/puppet/ssl

puppet agent -t --noop

On puppet-master side

  • sign all the new requests:

puppet cert list --all

puppet cert sign --all

On puppet-client side:

  • start all puppet clients again (you can use pssh to run the following)

service puppet start (on RedHat 6.x / CentOS 6.x)

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2017-03-21 13:49:57 -0600

Seen: 271 times

Last updated: Mar 23 '17