Ask Your Question

questions after attempting to regenerate puppet certs

asked 2018-08-22 07:35:00 -0500

sinaowolabi gravatar image


I am attempting to regenerate my puppet certs. Puppet master is running on a CentOS 6.9 machine with the following

puppet-3.8.7-1.el6.noarch puppet-dashboard-1.2.23-1.el6.noarch puppet-server-3.8.7-1.el6.noarch puppetlabs-release-22.0-2.noarch

and its managing a mixed environment of RHEL/CentOS 6 & 7 servers. I had poor results following this guide: and I had better results with By better I mean I was able to verify the new cert against the clients and it turned out ok.

[root@puppetserver ssl]# openssl verify -CAfile ./certs/ca.pem ca/signed/puppetclient.ourdom.local.pem ca/signed/puppetclient.ourdom.local.pem: OK [root@puppetserver ssl]# openssl verify -CAfile ./newcert.pem ca/signed/puppetclient.ourdom.local.pem ca/signed/puppetclient.ourdom.local.pem: OK

I now deleted the original ca.pem on a client and ran puppet agent -t but I still see the certificate expiry warnings. [root@puppetclient ~]# puppet agent -t Warning: Certificate 'puppetserver.ourdom.local' will expire on 2018-09-15T07:19:06UTC Info: Retrieving pluginfacts Info: Retrieving plugin

Is there something I am still missing?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-08-24 01:49:36 -0500

Pankaj Shukla gravatar image

Hi There,

Please follow below steps to recreate and deploy new CA certificate on puppet master server.

1-Below is the command to check ssl dir on server and client both.

puppet config print ssldir

2- Command to check ca cert validity of exiting or new CA certificate on server.

openssl x509 -in ca_crt.pem -text -noout

mkdir /cert

cd /etc/puppetlabs/puppet/ssl

cp ca_crt.pem ca_key.pem /cert/

cd /cert/

openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out certreq.csr

vi openssl.cnf

[ca] default_ca = CA_default # The default ca section

[CA_default] database = ./index.txt # index file. new_certs_dir = ./newcerts # new certs dir

certificate = ./ca_crt.pem serial = ./serial default_md = sha256 # md to use policy = CA_policy # default policy email_in_dn = no # Don't add the email name_opt = ca_default # SubjectName display option cert_opt = ca_default # Certificate display option x509_extensions = CA_extensions

[CA_policy] countryName = optional stateOrProvinceName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional

[CA_extensions] nsComment = "Puppet Cert: manual." basicConstraints = CA:TRUE subjectKeyIdentifier = hash keyUsage = keyCertSign, cRLSign

mkdir newcerts

touch index.txt

echo 00 > serial

openssl ca -in certreq.csr -keyfile ca_key.pem -days 3650 -out newcert.pem -config ./openssl.cnf

openssl x509 -in newcert.pem -text -noout

openssl verify -CAfile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem /etc/puppetlabs/puppet/ssl/ca/signed/puppet-slave.hcl.local.pem

openssl verify -CAfile newcert.pem /etc/puppetlabs/puppet/ssl/ca/signed/puppet-slave.hcl.local.pem

openssl verify -CAfile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem /etc/puppetlabs/puppet/ssl/ca/signed/puppet-slave.hcl.local.pem

cp newcert.pem /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem

edit flag offensive delete link more


Yes these are the exact steps I followed the first time. So why does the client still see the cert as about to expire?

sinaowolabi gravatar imagesinaowolabi ( 2018-08-25 19:10:55 -0500 )edit

then you need to remove existing certificate on client and copy CA cert to client and run puppet agent -t again.

Pankaj Shukla gravatar imagePankaj Shukla ( 2018-09-06 06:13:14 -0500 )edit

you can write me to email directly at to see and troubleshoot it real-time.

Pankaj Shukla gravatar imagePankaj Shukla ( 2018-09-06 06:15:54 -0500 )edit

one more thing you need to check in the client that it is pointing to the correct puppet server.

Pankaj Shukla gravatar imagePankaj Shukla ( 2018-09-06 06:16:33 -0500 )edit

Thank you. Pushing the ca.pem to the clients appears to have worked. I expected deleting it and running `puppet agent -t` would have forced the clients to use the new cert. It did not.

sinaowolabi gravatar imagesinaowolabi ( 2018-09-09 16:28:55 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-08-22 07:35:00 -0500

Seen: 96 times

Last updated: Aug 24