Difference between revisions of "How to renew the Puppet CA certificate"

Latest revision as of 14:24, 27 August 2019

Many thanks to https://blog.flyingcircus.io/2017/09/01/how-to-renew-puppet-ca-and-server-certificates-in-place for these instructions.

How to renew Puppet CA and server certificates in place

If you see a message like this when running the puppet agent it is time to renew your certs.

Warning: Certificate 'Puppet CA: puppetmaster.example.com' will expire on 2019-10-14T12:31:13GMT

The CA certificate must be renewed *before* it expires; otherwise you will need to clean and re-sign *all* of your client node certificates along with the CA cert.

To renew the existing CA cert follow these steps. *BACK UP* your CA data before doing this.

Recreate missing CSRs

A missing CSR can be generated from an existing certificate. To regenerate the CA's CSR run this command:

cd /etc/puppetlabs/puppet/ssl/ca
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem

Note that this CSR is not perfect. The CA extensions will be missing but those can be added in during the next step.

The procedure for generating the puppet *server* certificate is similar; however, you will need to ensure that the proper SANs are included.

Sign your new CSRs

Next, we generate new certificates from the existing private key and the signing request. To get the necessary X509v3 extensions into the CA certificate, we first create a suitable OpenSSL config file snippet:

cat > extension.cnf <<_EOT_
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
_EOT_

Sign your CSR using this configuration.

cp ca_crt.pem ca_crt.pem.backup
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions

Now you can use this CA cert to sign the new puppet master certificate. The SAN section is appended to a copy of openssl.cnf and passed to the request and, because openssl x509 -req does not copy extensions from a CSR, again when signing.

cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf
export sans="[SAN]\nsubjectAltName=DNS:puppet.example.com,DNS:puppet\n"
printf "$sans" >> /tmp/openssl.cnf
openssl req -new -sha256 -key ../private_keys/puppetmaster.example.com.pem -reqexts SAN -config /tmp/openssl.cnf -out requests/puppetmaster.example.com.pem
openssl x509 -req -days 3650 -in requests/puppetmaster.example.com.pem -CA ca_crt.pem -CAkey ca_key.pem -CAserial serial -extfile /tmp/openssl.cnf -extensions SAN -out signed/puppetmaster.example.com.pem

The puppet cert command also works; --allow-dns-alt-names is required, otherwise it refuses a request that carries SANs.

puppet cert sign --allow-dns-alt-names puppetmaster.example.com

After the certificate has been signed, copy it into place and restart puppetserver.

cp signed/puppetmaster.example.com.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.example.com.pem
systemctl restart puppetserver
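As an added rehearsal of the steps above (this is not code from the original page or the linked blog), the following script builds a throwaway CA and an agent certificate in a scratch directory, runs the CSR regeneration, re-signing and server certificate steps against them, and then checks what you would want to confirm before copying anything into /etc/puppetlabs/puppet/ssl/ca: the renewed CA keeps the same key and subject, carries CA:TRUE and keyCertSign, no longer falls inside the expiry warning window, still validates a certificate issued before the renewal, and the new server certificate actually contains the SANs. The function names, the agent01.example.com name and the 20-day expiry are assumptions of this example; it needs only openssl(1).

```shell
#!/bin/sh
# Added rehearsal of the renewal steps above, not code from the original page.
# Runs in a scratch directory on keys and certificates constructed here, so the
# procedure can be tried before touching /etc/puppetlabs/puppet/ssl/ca.
set -eu

# One config serves every step: CA_extensions is the page's extension.cnf,
# SAN is the section the page appends to openssl.cnf for the server cert.
write_config() {
    cat > "$1/extension.cnf" <<'_EOT_'
[req]
distinguished_name = dn
x509_extensions = CA_extensions
[dn]
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[SAN]
subjectAltName = DNS:puppet.example.com,DNS:puppet
_EOT_
}

# Constructed test data: a throwaway CA expiring in $2 days, plus the serial file.
make_scratch_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -config "$1/extension.cnf" \
        -subj "/CN=Puppet CA: puppetmaster.example.com" \
        -keyout "$1/ca_key.pem" -out "$1/ca_crt.pem" 2>/dev/null
    echo 01 > "$1/serial"
}

# Succeeds when the certificate in $1 expires within $2 days, the condition
# behind the agent's "will expire on" warning.
expires_within_days() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null
}

# An agent certificate for $2, signed by whatever CA currently lives in $1.
issue_agent_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/extension.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca_crt.pem" \
        -CAkey "$1/ca_key.pem" -CAserial "$1/serial" -out "$1/$2.pem" 2>/dev/null
}

# The page's CA renewal: back up, rebuild the CSR from the existing certificate
# and key, re-sign it for 3650 days with the CA extensions.
renew_ca() {
    cp "$1/ca_crt.pem" "$1/ca_crt.pem.backup"
    openssl x509 -x509toreq -in "$1/ca_crt.pem" -signkey "$1/ca_key.pem" \
        -out "$1/ca_csr.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/ca_csr.pem" -signkey "$1/ca_key.pem" \
        -out "$1/ca_crt.pem" -extfile "$1/extension.cnf" -extensions CA_extensions 2>/dev/null
}

# The server certificate with SANs. openssl x509 -req does not copy extensions
# from the CSR, so the SAN section is given again at signing time.
issue_server_cert() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=puppetmaster.example.com" \
        -reqexts SAN -config "$1/extension.cnf" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/server.csr" -CA "$1/ca_crt.pem" -CAkey "$1/ca_key.pem" \
        -CAserial "$1/serial" -extfile "$1/extension.cnf" -extensions SAN -out "$1/server.pem" 2>/dev/null
}

# Checks worth running before copying the renewed CA into place: same key and
# subject as the backup, CA extensions present, expiry pushed beyond $2 days.
verify_renewed_ca() {
    for field in pubkey subject; do
        old=$(openssl x509 -noout "-$field" -in "$1/ca_crt.pem.backup")
        new=$(openssl x509 -noout "-$field" -in "$1/ca_crt.pem")
        [ "$old" = "$new" ] || { echo "CA $field changed; agents would reject it" >&2; return 1; }
    done
    text=$(openssl x509 -noout -text -in "$1/ca_crt.pem")
    echo "$text" | grep -q 'CA:TRUE' || { echo "basicConstraints CA:TRUE missing" >&2; return 1; }
    echo "$text" | grep -q 'Certificate Sign' || { echo "keyUsage keyCertSign missing" >&2; return 1; }
    ! expires_within_days "$1/ca_crt.pem" "$2"
}

run_rehearsal() {
    write_config "$1"
    make_scratch_ca "$1" 20                    # 20 days left: inside the warning window
    issue_agent_cert "$1" agent01.example.com  # an agent cert issued by the old CA
    expires_within_days "$1/ca_crt.pem" 30 || return 1
    renew_ca "$1"
    verify_renewed_ca "$1" 30 || return 1
    # A cert issued before renewal must still chain to the renewed CA: this is
    # what lets a timely renewal avoid re-signing every node's certificate.
    openssl verify -CAfile "$1/ca_crt.pem" "$1/agent01.example.com.pem" >/dev/null || return 1
    issue_server_cert "$1"
    openssl verify -CAfile "$1/ca_crt.pem" "$1/server.pem" >/dev/null || return 1
    openssl x509 -noout -text -in "$1/server.pem" | grep -q 'DNS:puppet.example.com, DNS:puppet' || return 1
}

SCRATCH=$(mktemp -d)
if run_rehearsal "$SCRATCH"; then RESULT=renewed; else RESULT=failed; fi
echo "rehearsal in $SCRATCH: $RESULT"
```

Run it as `sh rehearsal.sh`; it prints the scratch directory and whether the rehearsal succeeded, and leaves the generated files there for inspection. The same verify_renewed_ca checks can be pointed at the real ca_crt.pem and ca_crt.pem.backup after the renewal, before the certificate is copied into place.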

Distribute the CA certificate

Puppet clients need the CA certificate to be locally available to verify certificates signed by the puppet master. The CA file can be distributed through a puppet module using the following resource.

file { '/etc/puppetlabs/puppet/ssl/certs/ca.pem':
  source => 'puppet:///path/to/ca_crt.pem',
  owner  => 'puppet',
  group  => 'puppet',
}

That’s it! No more warnings, everyone's happy. 🙂