In some cases, you may find that you need to regenerate the SSL certificates and security credentials (private and public keys) that are generated by PE's built-in certificate authority (CA). For example, you may have a Puppet master you need to move to a different network in your infrastructure, or you may find you need to regenerate all the certificates and security credentials in your infrastructure due to an unforeseen security vulnerability.
Regenerate certificates in PE: split installs
You can regenerate all certificates in a split PE deployment including the certificates and keys for the Puppet master, PuppetDB, console, and associated services.
You must be logged in as root on each node to make these changes.
In the following instructions, <CERTNAME> refers to the agent's certname on the node you are working on (the PuppetDB node or the console node, as the step indicates). To find this value, run the following on that node before starting:
puppet config print certname
Regenerating your certificates will invalidate all existing authentication tokens. Once the regeneration process is complete, all PE users must generate new authentication tokens.
Regenerating your certificates involves the following tasks:
- Back up certificate directories
- (Optional) Delete and recreate the Puppet certificate authority (CA)
- Regenerate the Puppet master, console, and PuppetDB certificates
- Configure PE
Back up certificate directories
If something goes wrong during the regeneration process, you may need to restore these directories so your deployment can stay functional. Keep in mind that the backups contain private keys: restrict access to them, and delete them once the new certificates are confirmed working, especially if you are regenerating because the old keys may have been exposed. If you needed to regenerate your certs for security reasons and could not complete the process, contact Puppet support as soon as you restore service so we can help you secure your site.
(Optional) Delete and recreate the Puppet CA
If needed, you can delete and recreate the Puppet CA before regenerating the rest of the certificates in your split deployment. Note that a new CA invalidates every certificate it previously signed, so all agents will also need new certificates.
Run the following commands on the Puppet master.
Regenerate the Puppet master certificates
In this step, you'll create the certificates for the split Puppet master.
Run the following commands on the Puppet master.
Clear the PuppetDB certificates
In this step, you clear the PuppetDB node's certificate so that the Puppet master can issue it a new one. <CERTNAME> here is the certname of the PuppetDB node.
- Remove PuppetDB's cached catalog. On the PuppetDB node, run:
rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json
- Revoke and remove the cert for the PuppetDB node from the CA. On the Puppet master, run:
puppet cert clean <CERTNAME>
- Remove the certificates. On the PuppetDB node, run:
rm -f /etc/puppetlabs/puppet/ssl/*/<CERTNAME>.pem
Clear the PE console certificates
In this step, you clear the console node's certificate so that the Puppet master can issue it a new one. <CERTNAME> here is the certname of the console node.
- Remove the console's cached catalog. On the console node, run:
rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json
- Revoke and remove the cert for the console node from the CA. On the Puppet master, run:
puppet cert clean <CERTNAME>
- Remove the certificates. On the console node, run:
rm -f /etc/puppetlabs/puppet/ssl/*/<CERTNAME>.pem
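The PuppetDB and console sections above perform the same three steps on a component node: back up the ssl directory, remove the cached catalog, and remove every ssl/*/<CERTNAME>.pem. The script below is an added example that carries out the node-side part of that procedure with a backup and a post-check; it is not Puppet's own tooling. The default paths are the ones the steps above use; the backup directory naming, the `--run` guard, and the helper names are this example's own assumptions. The `puppet cert clean` step stays on the master and is only printed as a reminder, because it must be run there, not on the component node.

```shell
#!/bin/sh
# Added example (not from Puppet Enterprise): clear a split-install component
# node's cached catalog and agent certificate files before the master reissues
# them. Paths default to the ones the procedure uses; override with SSL_DIR and
# CACHE_DIR. Nothing runs unless invoked with --run, so the file can be sourced.
set -u

SSL_DIR="${SSL_DIR:-/etc/puppetlabs/puppet/ssl}"
CACHE_DIR="${CACHE_DIR:-/opt/puppetlabs/puppet/cache/client_data/catalog}"

# Resolve the agent certname the same way the procedure does.
node_certname() {
    puppet config print certname
}

# Copy the ssl directory aside with a timestamp so the step can be rolled back.
# Prints the backup path. The "_bak_<stamp>" naming is this example's choice.
backup_ssl_dir() {
    ssl_dir="$1"
    stamp=$(date +%Y%m%d%H%M%S)
    backup="${ssl_dir}_bak_${stamp}"
    cp -a "$ssl_dir" "$backup" || return 1
    printf '%s\n' "$backup"
}

# Number of ssl/*/<certname>.pem files still present (certs, private_keys,
# public_keys, ...). Used to confirm the clean actually removed everything.
remaining_cert_files() {
    certname="$1"; ssl_dir="$2"
    n=0
    for f in "$ssl_dir"/*/"$certname".pem; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Remove the cached catalog and every ssl/*/<certname>.pem on this node.
# Only the named certname's files are touched; ca.pem and crl.pem stay.
# Returns 1 if any file for the certname survives.
clear_component_certs() {
    certname="$1"; ssl_dir="$2"; cache_dir="$3"
    rm -f "$cache_dir/$certname.json"
    for f in "$ssl_dir"/*/"$certname".pem; do
        [ -e "$f" ] && rm -f "$f"
    done
    [ "$(remaining_cert_files "$certname" "$ssl_dir")" -eq 0 ] || return 1
    [ -e "$cache_dir/$certname.json" ] && return 1
    return 0
}

main() {
    certname=$(node_certname) || { echo "cannot determine certname" >&2; exit 1; }
    backup=$(backup_ssl_dir "$SSL_DIR") || { echo "backup failed, not clearing" >&2; exit 1; }
    echo "backed up $SSL_DIR to $backup (contains private keys: protect it, remove it when done)"
    if clear_component_certs "$certname" "$SSL_DIR" "$CACHE_DIR"; then
        echo "cleared certificate files for $certname"
        echo "now run on the Puppet master: puppet cert clean $certname"
    else
        echo "files for $certname remain; restore from $backup and investigate" >&2
        exit 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root on the PuppetDB node and then on the console node with `sh clear_component_certs.sh --run`; it refuses to delete anything if the backup fails, and it exits non-zero if a file for the certname is left behind so that a partially cleared node is noticed before the master is told to reissue.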
Update the configuration of PE
In this step, you configure PE so that the Puppet master issues new certificates to the component nodes and update PE's configuration to use them.