Network communications and security in Puppet Enterprise are based on HTTPS, which secures traffic using X.509 certificates. It includes its own CA tools, which you can use to regenerate certs as needed. In some cases, you may find that you need to regenerate the certificates and security credentials (private and public keys) generated by PE's built-in certificate authority (CA). For example, you may have a Puppet master that you need to move to a different network in your infrastructure, or you may find that you need to regenerate all the certificates and security credentials in your infrastructure due to an unforeseen security vulnerability.
Regenerate certificates in PE: monolithic installs
You can regenerate all certificates in a monolithic PE deployment, including the certificates and keys for the Puppet master, PuppetDB, console, and associated services.
You must be logged in as a root to make these changes.
In the following instructions, when
<CERTNAME>is used, it refers to the agent's certname. To find this value, run
puppet config print certnamebefore starting.
Regenerating your certificates will invalidate all existing authentication tokens. Once the regeneration process is complete, all PE users must generate new authentication tokens.
Regenerating certificates in a monolithic installation involves the following tasks:
- Back up certificate directories
- (Optional) Delete and recreate the Puppet certificate authority (CA)
- Regenerate the monolithic Puppet master certificates and configure PE
Back up certificate directories
If something goes wrong during the regeneration process, you may need to restore these directories so your deployment can stay functional. However, if you needed to regenerate your certs for security reasons and couldn't, you should contact Puppet support as soon as you restore service so we can help you secure your site.
(Optional) Delete and recreate the Puppet CA
If needed, you can delete and recreate the Puppet CA before regenerating the rest of your monolithic certificates.
Run the following commands on the Puppet master.
- Delete the CA and clear all certs from your master:
rm -rf /etc/puppetlabs/puppet/ssl/*
- Regenerate the CA:
puppet cert list -aYou should see this message:
Notice: Signed certificate request for ca
Regenerate the Puppet master certificates
In this step, you'll create the certificates for the Puppet master and then configure PE so the certificate is available to PE's components and services.
- Remove the Puppet master's cached catalog:
rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json
- Clear the cert for the Puppet master:
puppet cert clean <CERTNAME>Note: This step is not necessary if you deleted and recreated the CA cert.
- Generate the certificates for PE services and update the configuration of PE:
puppet infrastructure configure --no-recoverNote: Be sure to specify any DNS alt names you have in the
/etc/puppetlabs/enterprise/conf.d/pe.conf. You can find the list of your current DNS alt names with
puppet cert list <CERTNAME>. By default, PE uses
- Run Puppet on the Puppet master:
puppet agent -tA successful Puppet run is necessary to ensure that PE's services are properly configured.