Regenerating certificates and security credentials—both private and public keys—created by the built-in PE certificate authority can help ensure the security of your installation in certain cases.
If your goal is to... | Do this... |
---|---|
Upgrade to the intermediate certificate architecture introduced in Puppet 6.0. | Complete these tasks in order: |
Fix a compromised or damaged certificate authority. | |
Fix a compromised compiler certificate or troubleshoot SSL errors on compilers. | Regenerate compiler certificates |
Fix a compromised agent certificate or troubleshoot SSL errors on agent nodes. | Regenerate agent certificates |
Specify a new DNS alt name or other trusted data. | Regenerate master certificates |
Delete and recreate the certificate authority
Recreate the certificate authority only if you're upgrading to the new certificate architecture introduced in Puppet 6.0, or if your certificate authority was compromised or damaged beyond repair.
The
puppet infrastructure run
command leverages built-in Bolt
plans to automate certain management tasks. To use this command, you must be able to
connect using SSH from your master to any nodes that the command modifies. You can
establish an SSH connection using key forwarding, a local key file, or by specifying
keys in .ssh/config
on your master.
For more information, see
Bolt OpenSSH configuration
options.
To view all available parameters, use the --help
flag. The logs for all
puppet infrastructure run
Bolt plans are located at /var/log/puppetlabs/installer/bolt_info.log
.
-
For PE 2019.1.3 and later versions:
puppet infrastructure run rebuild_certificate_authority
-
For PE 2019.1.1 and earlier versions:
puppet infrastructure run rebuild_certificate_authority caserver=<CA_SERVER_HOSTNAME>
caserver=localhost
. Running the command with localhost
avoids the
requirement to set up SSH between your master and itself. tmpdir
— Path to a directory to use for uploading and executing temporary files.
Regenerate compiler certificates
Regnerate compiler certificates to fix a compromised certificate or troubleshoot SSL errors on compilers, or if you recreated your certificate authority.
Configure Puppet Server
with allow-subject-alt-names
in the certificate-authority
section
of ca.conf
.
PE performs a full catalog run, and the compiler resumes its role in your deployment.
Regenerate agent certificates
Regenerate agent certificates to fix a compromised certificate or troubleshoot SSL errors on agents, or if you recreated your certificate authority.
The
puppet infrastructure run
command leverages built-in Bolt
plans to automate certain management tasks. To use this command, you must be able to
connect using SSH from your master to any nodes that the command modifies. You can
establish an SSH connection using key forwarding, a local key file, or by specifying
keys in .ssh/config
on your master.
For more information, see
Bolt OpenSSH configuration
options.
To view all available parameters, use the --help
flag. The logs for all
puppet infrastructure run
Bolt plans are located at /var/log/puppetlabs/installer/bolt_info.log
.
puppet infrastructure run regenerate_agent_certificate agent=<AGENT_HOSTNAME>
dns_alt_names
– Comma-separated list of alternate DNS names to be added to the certificates generated for your agents.Important: To use thedns_alt_names
parameter, you must configure Puppet Server withallow-subject-alt-names
in thecertificate-authority
section ofca.conf
. To ensure naming consistency, if yourpuppet.conf
file includes adns_alt_names
entry, you must include thedns_alt_names
parameter and pass in all alt names included in the entry when regenerating your agent certificates.tmpdir
— Path to a directory to use for uploading and executing temporary files.
puppet infrastructure run regenerate_agent_certificate agent=agent1.example.net,agent2.example.net,agent3.example.net
/etc/puppetlabs/puppet/ssl_bak
, its
certificate is regenerated and signed, a Puppet run completes, and the agent resumes its role in
your deployment. Regenerate master certificates
Regenerate master certificates to specify a new DNS alt name or other trusted data.
The
puppet infrastructure run
command leverages built-in Bolt
plans to automate certain management tasks. To use this command, you must be able to
connect using SSH from your master to any nodes that the command modifies. You can
establish an SSH connection using key forwarding, a local key file, or by specifying
keys in .ssh/config
on your master.
For more information, see
Bolt OpenSSH configuration
options.
To view all available parameters, use the --help
flag. The logs for all
puppet infrastructure run
Bolt plans are located at /var/log/puppetlabs/installer/bolt_info.log
.
puppet infrastructure run regenerate_master_certificate
dns_alt_names
– Comma-separated list of alternate DNS names to be added to the certificates generated for your master.Important: To use thedns_alt_names
parameter, you must configure Puppet Server withallow-subject-alt-names
in thecertificate-authority
section ofca.conf
. To ensure naming consistency, if yourpuppet.conf
file includes adns_alt_names
entry, you must include thedns_alt_names
parameter and pass in all alt names included in the entry when regenerating your master certificate.tmpdir
— Path to a directory to use for uploading and executing temporary files.