How to renew the Puppet CA certificate

Revision as of 16:18, 16 August 2019 by Admin (Talk | contribs)

Many thanks to for these instructions.

How to renew Puppet CA and server certificates in place

If you see a message like this when running the puppet agent, it is time to renew your certificates.

Certificate 'Puppet CA:' will expire on 2017-10-01T11:09:06UTC
Certificate '' will expire on 2017-10-03T11:13:58UTC

The CA certificate must be renewed *before* it expires; otherwise you will need to clean and re-sign *all* of your client node certificates along with the CA cert.

To renew the existing CA cert, follow these steps. *BACK UP* your CA data before doing this.

Recreate missing CSRs:

A missing CSR can be generated from an existing certificate. To regenerate the CA's CSR, run these commands:

cd /etc/puppetlabs/puppet/ssl/ca
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem

The procedure for generating the puppet *server* certificate is similar; however, you will need to follow the steps below to ensure the proper SANs are included.

Note that these requests aren’t perfect: the CA certificate extensions are missing, but we’ll fill them in during the next step.

Sign your new CSRs:

Next, we generate new certificates from the existing private key and the signing request. To get the necessary X509v3 extensions into the CA certificate, we first create a suitable OpenSSL config file snippet:

# The section name must match the -extensions argument used when signing
cat > extension.cnf <<_EOT_
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
_EOT_

Sign your CSR using this configuration.

cp ca_crt.pem ca_crt.pem.backup
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions

Now use the new CA cert to regenerate the puppet master's certificate.

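# Work on a copy of the OpenSSL config and append a [SAN] request-extension section
cp /opt/puppetlabs/puppet/ssl/openssl.cnf /tmp/openssl.cnf
# Replace <server-fqdn> with the Puppet server's own name
export sans="\n[SAN]\nsubjectAltName=DNS:<server-fqdn>,DNS:puppet\n"
printf "$sans" >> /tmp/openssl.cnf
openssl req -new -sha256 -key ../private_keys/ -reqexts SAN -config /tmp/openssl.cnf -out requests/
# x509 -req does not copy extensions from the CSR, so name the SAN section again when signing
openssl x509 -req -days 3650 -in requests/ -CA ca_crt.pem -CAkey ca_key.pem -CAserial serial -out signed/ -extfile /tmp/openssl.cnf -extensions SAN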

After the cert has been signed, restart puppetserver.

systemctl restart puppetserver
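
Before distributing the renewed CA certificate, it helps to confirm that it kept the old key and subject and that certificates issued earlier still verify against it. The script below is an added example, not part of the original instructions; the function names check_renewed_ca and build_demo, the demo subjects and the one-year expiry threshold are assumptions, and build_demo only creates a throwaway CA in a temporary directory to exercise the check.

```shell
#!/bin/sh
# check_renewed_ca OLD_CA NEW_CA [ISSUED_CERT...]: returns 0 when the renewal is safe.
check_renewed_ca() {
    old=$1; new=$2; shift 2
    # Same key pair, so signatures on already-issued certificates still verify.
    [ "$(openssl x509 -in "$old" -noout -pubkey)" = "$(openssl x509 -in "$new" -noout -pubkey)" ] ||
        { echo "FAIL: public key changed"; return 1; }
    # Same subject, so the issuer field of already-issued certificates still matches.
    [ "$(openssl x509 -in "$old" -noout -subject)" = "$(openssl x509 -in "$new" -noout -subject)" ] ||
        { echo "FAIL: subject changed"; return 1; }
    # The CA extensions from extension.cnf are present in the new certificate.
    openssl x509 -in "$new" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints CA:TRUE missing"; return 1; }
    # The new certificate does not expire within the next 365 days (value in seconds).
    openssl x509 -in "$new" -noout -checkend 31536000 >/dev/null ||
        { echo "FAIL: new CA certificate expires within a year"; return 1; }
    # Each already-issued certificate chains to the renewed CA certificate.
    for cert in "$@"; do
        openssl verify -CAfile "$new" "$cert" >/dev/null 2>&1 ||
            { echo "FAIL: $cert does not verify"; return 1; }
    done
    echo "OK: key and subject unchanged; $# issued certificate(s) verify"
}

# build_demo DIR (constructed data only): creates a throwaway 30-day CA and one agent
# certificate in DIR, then renews the CA certificate with the commands from this page.
build_demo() (
    cd "$1" || exit 1
    exec >/dev/null 2>&1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = Common Name' \
        '[CA_extensions]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > extension.cnf &&
    openssl genrsa -out ca_key.pem 2048 &&
    openssl req -x509 -new -key ca_key.pem -subj '/CN=Puppet CA: demo' -days 30 \
        -config extension.cnf -extensions CA_extensions -out ca_crt.pem &&
    openssl genrsa -out agent_key.pem 2048 &&
    openssl req -new -key agent_key.pem -subj '/CN=agent.demo' -config extension.cnf -out agent_csr.pem &&
    openssl x509 -req -days 30 -in agent_csr.pem -CA ca_crt.pem -CAkey ca_key.pem \
        -CAcreateserial -out agent.pem &&
    # Renewal steps as given on this page.
    openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem &&
    cp ca_crt.pem ca_crt.pem.backup &&
    openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem \
        -extfile extension.cnf -extensions CA_extensions
)

# Demo run on the constructed CA; everything happens inside a fresh temp directory.
demo=$(mktemp -d) && build_demo "$demo" &&
    check_renewed_ca "$demo/ca_crt.pem.backup" "$demo/ca_crt.pem" "$demo/agent.pem"
```

On a real server, run check_renewed_ca from the ca directory with ca_crt.pem.backup, ca_crt.pem and one or more certificates from signed/ as arguments.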

Distribute the CA certificate

Puppet clients need the CA certificate to be locally available so that they can verify other certificates against it. We copy the newly generated ca_crt.pem into some Puppet module and let Puppet place it on all clients:

file { '/var/lib/puppet/ssl/certs/ca.pem':
  source => 'puppet:///path/to/ca_crt.pem',
  owner  => 'puppet',
  group  => 'puppet',
}

That’s it! No more warnings, everyone happy. 🙂