Puppet Enterprise 2018.1
- Welcome to Puppet Enterprise® 2018.1.8
- Release notes
- New features
- Enhancements
- Deprecations and removals
- Known issues
- Installation and upgrade known issues
- High availability known issues
- PuppetDB and PostgreSQL known issues
- Puppet Server known issues
- Puppet and Puppet services known issues
- Supported platforms known issues
- Configuration and maintenance known issues
- Console and console services known issues
- Orchestration services known issues
- Permissions known issues
- SSL and certificate known issues
- Code management known issues
- Razor known issues
- Internationalization known issues
- Resolved issues
- What's new since PE 2016.4
- Getting started
- Installing
- Choosing an architecture
- System requirements
- What gets installed and where?
- Installing Puppet Enterprise
- Purchasing and installing a license key
- Installing agents
- Installing network device agents
- Installing compile masters
- Installing ActiveMQ hubs and spokes
- Installing PE client tools
- Enabling the PE tools repository
- Installing external PostgreSQL
- Uninstalling
- Upgrading
- Configuring Puppet Enterprise
- Configuring and tuning your Puppet Enterprise infrastructure
- Configuring and tuning Puppet Server
- Configuring and tuning the console
- Configuring and tuning PuppetDB
- Configuring and tuning orchestration
- Configuring proxies
- Configuring Java arguments for Puppet Enterprise
- Configuring ulimit for PE services
- Tuning monolithic installations
- Writing configuration files
- Analytics data collection
- Static catalogs in Puppet Enterprise
- Configuring high availability
- Accessing the console
- Managing access
- Inspecting your infrastructure
- Managing nodes
- Adding and removing nodes
- Running Puppet on nodes
- Grouping and classifying nodes
- Making changes to node groups
- Environment-based testing
- Preconfigured node groups
- Designing system configs: roles and profiles
- Node classifier service API
- Forming node classifier requests
- Groups endpoint
- Classes endpoint
- Classification endpoint
- Commands endpoint
- Environments endpoint
- Nodes check-in history endpoint
- Group children endpoint
- Rules endpoint
- Import hierarchy endpoint
- Last class update endpoint
- Update classes endpoint
- Validation endpoints
- Node classifier errors
- Managing applications
- Orchestrating Puppet and tasks
- Running jobs with Puppet orchestrator
- Configuring Puppet orchestrator
- Using Bolt
- Direct Puppet: a workflow for controlling change
- Running Puppet on demand
- Running tasks
- Writing tasks
- Reviewing jobs
- Puppet orchestrator API v1 endpoints
- Puppet orchestrator API: forming requests
- Puppet orchestrator API: command endpoint
- Puppet orchestrator API: events endpoint
- Puppet orchestrator API: inventory endpoint
- Puppet orchestrator API: jobs endpoint
- Puppet orchestrator API: scheduled jobs endpoint
- Puppet orchestrator API: plan jobs endpoint
- Puppet orchestrator API: tasks endpoint
- Puppet orchestrator API: root endpoint
- Puppet orchestrator API: error responses
- Managing and deploying Puppet code
- Provisioning with Razor
- SSL and certificates
- Regenerating certificates: monolithic installs
- Regenerating certificates: split installs
- Individual PE component cert regeneration (split installs only)
- Regenerate Puppet agent certificates
- Regenerate compile master certs
- Use the PE CA as an intermediate CA
- Use a custom SSL certificate for the console
- Change the hostname of a monolithic master
- Generate a custom Diffie-Hellman parameter file
- Disable TLSv1 in PE
- Managing MCollective
- Maintenance
- Troubleshooting
From time to time, you might encounter a situation in which you need to regenerate a certificate for an agent. Perhaps there is a security vulnerability in your infrastructure that you can remediate with a certificate regeneration, or maybe you're receiving SSL errors on your agent that are preventing you from performing normal operations.
 | As an alternative to performing these steps manually, on your master logged in as root, run puppet infrastructure run regenerate_agent_certificate agent=<AGENT_HOSTNAME> caserver=<CA_SERVER_HOSTNAME>. Your CA server is usually your master. The |
Unless otherwise indicated, the following steps should be performed on your agent node.
- On the Puppet master, clear the cert for the agent node. Run
puppet cert clean <CERTNAME>. - Back up the
/etc/puppetlabs/puppet/ssl/directory.If something goes wrong, you may need to restore these directories so your deployment can stay functional. However, if you needed to regenerate your certs for security reasons and couldn't, you should contact Puppet support as soon as you restore service so we can help you secure your site. - Stop the Puppet agent, MCollective, and PXP agent services.
puppet resource service puppet ensure=stopped puppet resource service mcollective ensure=stopped puppet resource service pxp-agent ensure=stopped - Delete the agent's SSL directory.
- On *nix nodes, run
rm -rf /etc/puppetlabs/puppet/ssl - On Windows nodes, delete the
$confdir\ssldirectory, using the Administrator confdir.
- On *nix nodes, run
- Remove the agent's cached catalog.
- On *nix nodes, run
rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json - On Windows nodes, delete the
$client_datadir\catalog\<CERTNAME>.jsonfile, using the Administrator confdir.
- On *nix nodes, run
- Re-start the Puppet agent and MCollective services.
puppet resource service puppet ensure=running puppet resource service mcollective ensure=runningAfter the agent starts, it will automatically generate keys and request a new certificate from the CA Puppet master. - If you are not using autosigning, you will need to sign each agent node's certificate request. You can do this with the console's request manager, or by logging into the CA Puppet master server, running
puppet cert list puppet cert sign <NAME>After the agent node’s certificate is signed, you can either manually kick off a Puppet run from the console or command line, or wait for the agent to run based on the runinterval, the default of which is 30 minutes. At this point, the agent will perform a full catalog run, restart the PXP agent service, and will resume its role in your PE deployment.Tip: For information about autosigning, see Autosigning certificate requests.