From time to time, you may encounter a situation in which you need to regenerate a certificate for a compile master. Perhaps there is a security vulnerability in your infrastructure that you can remediate with a certificate regeneration, or maybe you're receiving strange SSL errors on your compile master that are preventing you from performing normal operations.
Unless otherwise indicated, the following steps are performed on your compile master nodes.
- Log into the master of masters (MoM) as
- On the MoM, run
puppet cert clean <COMPILE MASTER HOSTNAME>.
- Log into the compile master node as
- Back up the
cp -r /etc/puppetlabs/puppet/ssl/ /etc/puppetlabs/puppet/ssl_bak/.If something goes wrong, you can restore this directory to keep your deployment functioning.
- Stop the Puppet agent, MCollective, and PXP agent services.
puppet resource service puppet ensure=stopped puppet resource service pe-puppetserver ensure=stopped puppet resource service mcollective ensure=stopped puppet resource service pxp-agent ensure=stopped
- Delete the compile master's SSL directory. Run
rm -rf /etc/puppetlabs/puppet/ssl.
- Remove the compile master's cached catalog. Run
rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERT NAME>.json.
- Re-start the Puppet agent, MCollective, and pxp-agent services.
puppet resource service puppet ensure=running puppet resource service pe-puppetserver ensure=running puppet resource service mcollective ensure=running puppet resource service pxp-agent ensure=running
- Log into the MoM as
- On the MoM, sign the compile master's certificate request. Run
puppet cert --allow-dns-alt-names sign <compile master hostname>.
- Log into the compile master as
- Run Puppet. PE will perform a full catalog run, and the compile master will resume its role in your PE deployment.