Regenerate certificates in split installations
Regenerating certificates and security credentials—both private and public keys—created by the built-in PE certificate authority can help ensure the security of your installation in certain cases.
| If your goal is to... | Do this... |
|---|---|
| Upgrade to the intermediate certificate architecture introduced in Puppet 6.0. | Complete these tasks in order: |
| Fix a compromised or damaged certificate authority. | |
| Fix a compromised compile master certificate or troubleshoot SSL errors on compile masters. | Regenerate compile master certificates |
| Fix a compromised agent certificate or troubleshoot SSL errors on agent nodes. | Regenerate agent certificates |
| Specify a new DNS alt name or other trusted data. | Regenerate infrastructure certificates in a split installation |
Delete and recreate the certificate authority in a split installation
Recreate the certificate authority only if you're upgrading to the new certificate architecture introduced in Puppet 6.0, or if your certificate authority was compromised or damaged beyond repair.
Perform these steps logged in as root.
Regenerate compile master certificates
Regenerate compile master certificates to fix a compromised certificate or troubleshoot SSL errors on compile masters, or if you recreated your certificate authority.
Configure Puppet Server with allow-subject-alt-names in the certificate-authority section of ca.conf.
PE performs a full catalog run, and the compile master resumes its role in your deployment.
Regenerate agent certificates
Regenerate agent certificates to fix a compromised certificate or troubleshoot SSL errors on agents, or if you recreated your certificate authority.
As an alternative to performing these steps manually, on your master logged in as root, run You can specify this optional parameter:
Unless otherwise indicated, perform these steps on the agent node that you're regenerating certificates for.
The agent performs a full catalog run, restarts the PXP agent service, and resumes its role in your PE deployment.
Regenerate infrastructure certificates in a split installation
Regenerate infrastructure certificates to specify a new DNS alt name or other trusted data.
Perform these steps logged in as root.
- Delete and recreate certificates on your master.
- Delete and recreate certificates on your database node.
    - Remove the cached catalog:
      ```
      rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json
      ```
    - Revoke the certificate:
      ```
      puppetserver ca clean --certname <CERTNAME>
      ```
    - Delete the certificate:
      ```
      find /etc/puppetlabs/puppet/ssl -name <CERTNAME>.pem -delete
      ```
    - Rebuild the certificate:
      ```
      puppet infrastructure configure --no-recover
      ```
- Delete and recreate certificates on your console node, if applicable.
    - Remove the cached catalog:
      ```
      rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json
      ```
    - Revoke the certificate:
      ```
      puppetserver ca clean --certname <CERTNAME>
      ```
    - Delete the certificate:
      ```
      find /etc/puppetlabs/puppet/ssl -name <CERTNAME>.pem -delete
      ```
    - Rebuild the certificate:
      ```
      puppet infrastructure configure --no-recover
      ```
- Run Puppet on your master, database node, and console, as applicable:
    ```
    puppet agent -t
    ```
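The four per-node steps above, wrapped in a POSIX shell function as an added example that is not part of the Puppet documentation. The <CERTNAME> value is substituted into rm -f, puppetserver ca clean and a find -name pattern, so the function checks it once before any of those run; the certname_is_safe check, the run helper and the DRY_RUN switch are my additions, while the paths and commands are the ones the page uses and the node is assumed to be a database or console node where you are logged in as root.

```shell
#!/bin/sh
# Added example: regenerate one infrastructure node's certificate following
# the page's steps, with a certname sanity check and a dry-run mode.

CACHE_DIR=/opt/puppetlabs/puppet/cache/client_data/catalog
SSL_DIR=/etc/puppetlabs/puppet/ssl

# certname_is_safe NAME -> 0 when NAME is a plain Puppet-style certname
# (letters, digits, '.', '_', '-'; no leading dot, no '..').
# Anything else is rejected: a glob character such as '*' would widen what
# `find -name` deletes even when quoted, and a '/' or '..' would move rm -f
# outside the cached-catalog directory.
certname_is_safe() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*|*..*) return 1 ;;
  esac
  return 0
}

# run CMD... : execute CMD, or only print it when DRY_RUN=1 so the exact
# commands can be reviewed before anything is revoked or deleted.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "would run: $*"
  else
    "$@"
  fi
}

# regen_infra_cert CERTNAME : the page's four steps for one node, in order.
# Returns 2 for an unsafe certname, 1 if any step fails, 0 on success.
regen_infra_cert() {
  certname=$1
  if ! certname_is_safe "$certname"; then
    echo "refusing to regenerate: unsafe certname '$certname'" >&2
    return 2
  fi
  run rm -f "$CACHE_DIR/$certname.json" || return 1
  run puppetserver ca clean --certname "$certname" || return 1
  run find "$SSL_DIR" -name "$certname.pem" -delete || return 1
  run puppet infrastructure configure --no-recover || return 1
  return 0
}
```

Call `regen_infra_cert <CERTNAME>` on the node; with `DRY_RUN=1` set it prints the four commands instead of executing them.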