Regenerate certificates
Regenerating certificates and security credentials—both private and public keys—created by the built-in PE certificate authority can help ensure the security of your installation in certain cases.
| If your goal is to... | Do this... |
|---|---|
| Upgrade to the intermediate certificate architecture introduced in Puppet 6.0. | Complete these tasks in order: |
| Fix a compromised or damaged certificate authority. | |
| Fix a compromised compiler certificate or troubleshoot SSL errors on compilers. | Regenerate compiler certificates |
| Fix a compromised agent certificate or troubleshoot SSL errors on agent nodes. | Regenerate *nix agent certificates or Regenerate Windows agent certificates |
| Specify a new DNS alt name or other trusted data. | Regenerate master certificates |
Delete and recreate the certificate authority
Recreate the certificate authority only if you're upgrading to the new certificate architecture introduced in Puppet 6.0, or if your certificate authority was compromised or damaged beyond repair.
The puppet infrastructure run command leverages built-in Bolt plans to automate certain management tasks. To use this command, you must be able to connect using SSH from your master to any nodes that the command modifies. You can establish an SSH connection using key forwarding, a local key file, or by specifying keys in .ssh/config on your master. For more information, see Bolt OpenSSH configuration options.
To view all available parameters, use the --help flag. The logs for all puppet infrastructure run Bolt plans are located at /var/log/puppetlabs/installer/bolt_info.log.
puppet infrastructure run rebuild_certificate_authority
Regenerate compiler certificates
Regenerate compiler certificates to fix a compromised certificate or troubleshoot SSL errors on compilers, or if you recreated your certificate authority.
puppet infrastructure run regenerate_compiler_certificate target=<COMPILER_HOSTNAME>
- dns_alt_names – Comma-separated list of alternate DNS names to be added to the certificates generated for your agents. Important: To use the dns_alt_names parameter, you must configure Puppet Server with allow-subject-alt-names in the certificate-authority section of ca.conf. To ensure naming consistency, if your puppet.conf file includes a dns_alt_names entry, you must include the dns_alt_names parameter and pass in all alt names included in the entry when regenerating your compiler certificates.
- tmpdir – Path to a directory to use for uploading and executing temporary files.
When the plan runs, the compiler's existing SSL directory is backed up to /etc/puppetlabs/puppet/ssl_bak, its certificate is regenerated and signed, a Puppet run completes, and the compiler resumes its role in your deployment.
Regenerate *nix agent certificates
Regenerate *nix agent certificates to fix a compromised certificate or troubleshoot SSL errors on agents, or if you recreated your certificate authority.
puppet infrastructure run regenerate_agent_certificate agent=<AGENT_HOSTNAME>
- dns_alt_names – Comma-separated list of alternate DNS names to be added to the certificates generated for your agents. Important: To use the dns_alt_names parameter, you must configure Puppet Server with allow-subject-alt-names in the certificate-authority section of ca.conf. To ensure naming consistency, if your puppet.conf file includes a dns_alt_names entry, you must include the dns_alt_names parameter and pass in all alt names included in the entry when regenerating your agent certificates.
- tmpdir – Path to a directory to use for uploading and executing temporary files.
puppet infrastructure run regenerate_agent_certificate agent=agent1.example.net,agent2.example.net,agent3.example.net
When the plan runs, the agent's existing SSL directory is backed up to /etc/puppetlabs/puppet/ssl_bak, its certificate is regenerated and signed, a Puppet run completes, and the agent resumes its role in your deployment.
Regenerate Windows agent certificates
Regenerate Windows agent certificates to fix a compromised certificate or troubleshoot SSL errors on agents, or if you recreated your certificate authority.
Unless otherwise indicated, perform these steps on the Windows agent node that you're regenerating certificates for.
Regenerate master certificates
Regenerate master certificates to specify a new DNS alt name or other trusted data. This process regenerates the certificates for all primary infrastructure nodes, including external PE-PostgreSQL in extra-large installations.
puppet infrastructure run regenerate_master_certificate
- dns_alt_names – Comma-separated list of alternate DNS names to be added to the certificates generated for your master. Important: To use the dns_alt_names parameter, you must configure Puppet Server with allow-subject-alt-names in the certificate-authority section of ca.conf. To ensure naming consistency, if your puppet.conf file includes a dns_alt_names entry, you must include the dns_alt_names parameter and pass in all alt names included in the entry when regenerating your master certificate.
- tmpdir – Path to a directory to use for uploading and executing temporary files.
Regenerate replica certificates
Regenerate master replica certificates for your high availability installation to specify a new DNS alt name or other trusted data.
puppet infrastructure run regenerate_replica_certificate target=<REPLICA_HOSTNAME>
- dns_alt_names – Comma-separated list of alternate DNS names to be added to the certificates generated for your master. Important: To use the dns_alt_names parameter, you must configure Puppet Server with allow-subject-alt-names in the certificate-authority section of ca.conf. If your puppet.conf file includes a dns_alt_names entry, you must include the dns_alt_names parameter and pass in all alt names included in the entry when regenerating your replica certificate.
- tmpdir – Path to a directory to use for uploading and executing temporary files.
When the plan runs, the replica's existing SSL directory is backed up to /etc/puppetlabs/puppet/ssl_bak, its certificate is regenerated and signed, a Puppet run completes, and the replica resumes its role in your deployment.
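The compiler, agent, master and replica plans above all carry the same dns_alt_names requirement: the CA must allow subject alt names, and any dns_alt_names already set in puppet.conf must be passed to the plan in full. The following pre-flight helper is an added example written for this page; it is not part of Puppet Enterprise or of the puppet infrastructure run plans. It reads dns_alt_names from puppet.conf, checks that ca.conf sets allow-subject-alt-names to true, and prints the exact command line to run, refusing to build one when the two files disagree. It assumes an INI-style puppet.conf, checks the [main], [server], [master] and [agent] sections in that fixed order rather than modelling Puppet's run-mode precedence, and treats the ca.conf check as a line-oriented heuristic rather than a full HOCON parse. The sample configuration files at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Puppet's own tooling): pre-flight check run on the master
# before `puppet infrastructure run regenerate_*_certificate`. It never runs the
# plan itself; it only builds the command line with a consistent dns_alt_names.

# puppet_conf_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing.
# Assumes INI-style syntax with `key = value` lines and `#` comments.
puppet_conf_get() {
  awk -v want="$2" -v key="$3" '
    /^[[:space:]]*\[[^]]*]/ {                 # section header such as [main]
      cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/].*$/, "", cur); next
    }
    cur == want {
      line = $0; sub(/#.*/, "", line)          # drop trailing comments
      n = index(line, "=")
      if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# puppet_conf_alt_names FILE: dns_alt_names from the first section that sets it
# (fixed order, a simplification of Puppet's precedence), with whitespace removed
# so the value matches the plan's comma-separated parameter format.
puppet_conf_alt_names() {
  for sec in main server master agent; do
    v=$(puppet_conf_get "$1" "$sec" dns_alt_names)
    if [ -n "$v" ]; then
      printf '%s' "$v" | tr -d '[:space:]'
      return 0
    fi
  done
  return 1
}

# ca_allows_alt_names FILE: heuristic check that ca.conf enables
# allow-subject-alt-names (does not parse HOCON nesting).
ca_allows_alt_names() {
  grep -Eq '^[[:space:]]*allow-subject-alt-names[[:space:]]*[:=][[:space:]]*true' "$1"
}

# build_regen_command PLAN PUPPET_CONF CA_CONF [TARGET_ARG]
# Prints the command to run. Returns non-zero when puppet.conf names alt names
# that the CA would reject, so the plan is not attempted with an inconsistent setup.
build_regen_command() {
  plan=$1; pconf=$2; caconf=$3; target=${4:-}
  cmd="puppet infrastructure run $plan${target:+ $target}"
  if alt=$(puppet_conf_alt_names "$pconf"); then
    if ! ca_allows_alt_names "$caconf"; then
      echo "error: $pconf sets dns_alt_names=$alt but $caconf does not set allow-subject-alt-names: true" >&2
      return 1
    fi
    cmd="$cmd dns_alt_names=$alt"
  fi
  printf '%s\n' "$cmd"
}

# Demo on constructed sample files. On a real master you would point these at
# /etc/puppetlabs/puppet/puppet.conf and the puppetserver conf.d/ca.conf instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/puppet.conf" <<'EOF'
[main]
certname = compiler1.example.net
dns_alt_names = puppet, puppet.example.net
EOF
cat > "$demo_dir/ca.conf" <<'EOF'
certificate-authority: {
    allow-subject-alt-names: true
}
EOF
build_regen_command regenerate_compiler_certificate "$demo_dir/puppet.conf" "$demo_dir/ca.conf" target=compiler1.example.net
rm -rf "$demo_dir"
```

Run it on the master before each regeneration; if it prints a command, the dns_alt_names parameter already matches puppet.conf, and if it errors, fix the certificate-authority section of ca.conf first rather than letting the plan fail part-way through a certificate swap.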