How to renew the Puppet CA certificate
Many thanks to https://blog.flyingcircus.io/2017/09/01/how-to-renew-puppet-ca-and-server-certificates-in-place for these instructions.
How to renew Puppet CA and server certificates in place
If you see a message like this when running the puppet agent, it is time to renew your certs.
Warning: Certificate 'Puppet CA: puppetmaster.example.com' will expire on 2019-10-14T12:31:13GMT
The CA certificate must be renewed *before* it expires or else you will need to clean and resign *all* of your client node certificates along with the CA cert.
To renew the existing CA cert, follow these steps. *BACK UP* your CA data before doing this.
Recreate missing CSRs
A missing CSR can be generated from an existing certificate. To regenerate the CA's CSR run this command:
cd /etc/puppetlabs/puppet/ssl/ca
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
Note that this CSR is not perfect. The CA extensions will be missing but those can be added in during the next step.
The procedure for generating the puppet *server* certificate is similar; however, you will need to ensure that the proper SANs are included.
Sign your new CSRs
Next, we generate new certificates from the existing private key and the signing request. To get the necessary X509v3 extensions into the CA certificate, we first create a suitable OpenSSL config file snippet:
cat > extension.cnf <<_EOT_
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
_EOT_
Sign your CSR using this configuration.
cp ca_crt.pem ca_crt.pem.backup
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
Now you can use this CA cert to sign the new puppet master certificate.
cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf
export sans="[SAN]\nsubjectAltName=DNS:puppet.example.com,DNS:puppet\n"
printf "$sans" >> /tmp/openssl.cnf
openssl req -new -sha256 -key ../private_keys/puppetmaster.example.com.pem -reqexts SAN -config /tmp/openssl.cnf -out requests/puppetmaster.example.com.pem
openssl x509 -req -days 3650 -in requests/puppetmaster.example.com.pem -CA ca_crt.pem -CAkey ca_key.pem -CAserial serial -out signed/puppetmaster.example.com.pem
The puppet cert command also works.
puppet cert sign --allow-dns-alt-names puppetmaster.example.com
After the certificate has been signed, copy the data into place and restart puppetserver.
cp signed/puppetmaster.example.com.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.example.com.pem
systemctl restart puppetserver
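The whole point of renewing in place is that the CA keeps its private key, so certificates already issued to client nodes stay valid under the renewed CA cert. The script below is an added example, not part of the original post: it rehearses the CSR-regeneration and re-signing steps above on a throwaway CA in a temporary directory and then checks three things a practitioner would want to confirm before touching the live CA: the public key in the renewed cert is unchanged, the CA:TRUE extension was restored, and a client certificate issued before the renewal still verifies against the new CA cert. All key material (the CA and the node certificate for the constructed name node1.example.com) is generated on the fly and discarded; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the in-place CA renewal
# on a disposable CA and confirm existing client certs still verify afterwards.
# Requires the openssl CLI; every key here is generated locally and thrown away.
set -e

# Renew the CA certificate in directory $1 the way the post describes: rebuild
# the CSR from the existing cert and key, then re-sign it with CA extensions.
renew_ca_cert() {
  ( cd "$1"
    openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem 2>/dev/null
    cat > extension.cnf <<_EOT_
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
_EOT_
    cp ca_crt.pem ca_crt.pem.backup
    openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem \
      -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions 2>/dev/null )
}

# Build a constructed, short-lived CA plus one client certificate in directory $1.
make_test_ca() {
  ( cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_key.pem -out ca_crt.pem \
      -days 5 -subj "/CN=Puppet CA: puppetmaster.example.com" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout client_key.pem -out client_csr.pem \
      -subj "/CN=node1.example.com" 2>/dev/null
    openssl x509 -req -days 365 -in client_csr.pem -CA ca_crt.pem -CAkey ca_key.pem \
      -CAcreateserial -out client_crt.pem 2>/dev/null )
}

# Succeed only if the renewed CA cert in $1 keeps the same public key, carries
# CA:TRUE, and still validates the client cert issued before the renewal.
check_renewal() {
  dir=$1
  old_key=$(openssl x509 -in "$dir/ca_crt.pem.backup" -noout -pubkey)
  new_key=$(openssl x509 -in "$dir/ca_crt.pem" -noout -pubkey)
  [ "$old_key" = "$new_key" ] || { echo "FAIL: CA public key changed"; return 1; }
  openssl x509 -in "$dir/ca_crt.pem" -noout -text | grep -q "CA:TRUE" \
    || { echo "FAIL: basicConstraints CA:TRUE missing"; return 1; }
  openssl verify -CAfile "$dir/ca_crt.pem" "$dir/client_crt.pem" >/dev/null 2>&1 \
    || { echo "FAIL: client cert no longer verifies against renewed CA"; return 1; }
  echo "OK: renewed CA keeps its key and still validates existing client certs"
  return 0
}

# End-to-end rehearsal in a temp dir; prints the CA expiry before and after.
run_demo() {
  tmp=$(mktemp -d)
  make_test_ca "$tmp"
  before=$(openssl x509 -in "$tmp/ca_crt.pem" -noout -enddate)
  renew_ca_cert "$tmp"
  after=$(openssl x509 -in "$tmp/ca_crt.pem" -noout -enddate)
  echo "CA before: $before"
  echo "CA after:  $after"
  if check_renewal "$tmp"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

run_demo
```

The same check_renewal function can be pointed at the real /etc/puppetlabs/puppet/ssl/ca directory (with any client cert from signed/ as the third file) once the live renewal is done; if the public-key comparison fails, a fresh key was used somewhere and all node certificates will need to be cleaned and re-signed, which is exactly the situation the in-place renewal is meant to avoid.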
Distribute the CA certificate
Puppet clients need the CA certificate to be locally available to verify certs signed by the puppet master. The CA file can be distributed through a puppet module using the following resource.
file { '/etc/puppetlabs/puppet/ssl/certs/ca.pem':
  source => 'puppet:///path/to/ca_crt.pem',
  owner  => 'puppet',
  group  => 'puppet',
}
That’s it! No more warnings, everyone's happy. 🙂