If you encounter a security vulnerability, or need to change your certificates for some other reason (for example, if you have a hostname change), you can regenerate the certificate and security credentials (private and public keys) generated for the PE components.
On monolithic installs, the Puppet master shares an agent cert and security credentials with the PuppetDB and the console. For a monolithic install, you must regenerate all certs and security credentials, as documented in Regenerating certificates: monolithic installs.
The Puppet master
PuppetDB
The PE console
Regenerate Puppet master certs (split installs)
You can regenerate all certificates for the Puppet master server only, including the certificates and keys for associated services running on the Puppet master.
You must be logged in as root (or, in the case of Windows agents, as an account with Administrator privileges) to make these changes.
In the following instructions, <CERTNAME> refers to the Puppet master's certname. To find this value, run puppet config print certname before starting.
On monolithic installs, the Puppet master shares an agent cert and security credentials with the PuppetDB and the console. For a monolithic install, you must regenerate all certs and security credentials, as documented in Regenerating certificates: monolithic installs.
This document should not be used to regenerate certificates for compile masters. Instead, refer to the compile master cert regen instructions.
If you encounter any errors during steps that involve service stop/start, rm, cp, or chmod commands, diagnose these before continuing, as the success of each step is important to the success of the next step.
Unless otherwise indicated, all commands are run on the Puppet master server.
Regenerate PuppetDB certs (split installs)
You can regenerate all certificates for the PuppetDB only, including the certificates and keys for associated services running on PuppetDB.
You must be logged in as root (or, in the case of Windows agents, as an account with Administrator privileges) to make these changes.
In the following instructions, <CERTNAME> refers to the Puppet master's certname. To find this value, run puppet config print certname before starting.
On monolithic installs, the Puppet master shares an agent cert and security credentials with the PuppetDB and the console. For a monolithic install, you must regenerate all certs and security credentials, as documented in Regenerating certificates: monolithic installs.
If you encounter any errors during steps that involve service stop/start, rm, cp, or chmod commands, diagnose these before continuing, as the success of each step is important to the success of the next step.
Unless otherwise indicated, all commands are run on the PuppetDB server.
Regenerate PE console certs
You can regenerate all certificates for the console only, including the certificates and keys for associated services running on the console.
You must be logged in as root (or, in the case of Windows agents, as an account with Administrator privileges) to make these changes.
In the following instructions, <CERTNAME> refers to the Puppet master's certname. To find this value, run puppet config print certname before starting.
On monolithic installs, the Puppet master shares an agent cert and security credentials with the PuppetDB and the console. For a monolithic install, you must regenerate all certs and security credentials, as documented in Regenerating certificates: monolithic installs.
If you encounter any errors during steps that involve service stop/start, rm, cp, or chmod commands, diagnose these before continuing, as the success of each step is important to the success of the next step.
Unless otherwise indicated, all commands are run on the console server.