Generate a custom Diffie-Hellman parameter file

This version is out of date. For current versions, see Puppet Enterprise support lifecycle.
This release is no longer generally available due to an issue with upgrade

The "Logjam Attack" (CVE-2015-4000) exposed several weaknesses in the Diffie-Hellman (DH) key exchange. To help mitigate it, PE ships with a pre-generated 2048-bit Diffie-Hellman parameter file. If you don't want to use the default DH parameter file, you can generate your own.

Note: In the following procedure, <PROXY-CUSTOM-dhparam>.pem can be replaced with any file name, except dhparam_puppetproxy.pem, as this is the default file name used by PE.
  1. On the console node (for a mono install, this is the same node as the Puppet master), run the following command:
    /opt/puppetlabs/puppet/bin/openssl dhparam -out /etc/puppetlabs/nginx/<PROXY-CUSTOM-dhparam>.pem 2048
    		   
    Note: This step can take several minutes to complete.
  2. On the master, open your pe.conf file (located at /etc/puppetlabs/enterprise/conf.d/pe.conf) and add the following parameter and value:
    "puppet_enterprise::profile::console::proxy::dhparam_file": "/etc/puppetlabs/nginx/<PROXY-CUSTOM-dhparam>.pem"
    
  3. On the console node, run Puppet: puppet agent -t.
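
A pre-flight check for the procedure above, added here as an example and not taken from Puppet's documentation: it rejects the reserved default file name, has openssl validate the parameters and report their size, and confirms that pe.conf references the file. The function names, the OPENSSL and PE_CONF override variables, and the 2048-bit minimum (the size used in step 1) are assumptions.

```shell
#!/bin/sh
# Added example: verify a custom DH parameter file before running `puppet agent -t`.
# Function names are hypothetical; paths and the pe.conf key come from the procedure.
OPENSSL=${OPENSSL:-/opt/puppetlabs/puppet/bin/openssl}
PE_CONF=${PE_CONF:-/etc/puppetlabs/enterprise/conf.d/pe.conf}
DH_KEY='puppet_enterprise::profile::console::proxy::dhparam_file'

# The default file name is used by PE itself, so a custom file needs another name.
name_is_allowed() {
    [ "$(basename "$1")" != "dhparam_puppetproxy.pem" ]
}

# Read `openssl dhparam -text` output on stdin and print the prime size in bits.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# True when the pe.conf given as $2 sets the dhparam_file key to the path in $1.
peconf_points_to() {
    grep -F "\"$DH_KEY\"" "$2" | grep -qF "\"$1\""
}

check_dhparam() {
    dh_file=$1
    name_is_allowed "$dh_file" ||
        { echo "FAIL: dhparam_puppetproxy.pem is the PE default name" >&2; return 1; }
    [ -s "$dh_file" ] || { echo "FAIL: $dh_file is missing or empty" >&2; return 1; }
    # -check validates the parameters; -text prints the size line parsed above.
    dh_text=$("$OPENSSL" dhparam -in "$dh_file" -check -noout -text 2>&1) ||
        { echo "FAIL: openssl could not read $dh_file" >&2; return 1; }
    # Match the success message instead of trusting the exit status alone.
    printf '%s\n' "$dh_text" | grep -q 'DH parameters appear to be ok' ||
        { echo "FAIL: parameters did not pass -check" >&2; return 1; }
    dh_bits=$(printf '%s\n' "$dh_text" | dh_bits_from_text)
    # Assumed minimum: the 2048-bit size generated in step 1.
    [ "${dh_bits:-0}" -ge 2048 ] ||
        { echo "FAIL: ${dh_bits:-unknown}-bit prime, expected at least 2048" >&2; return 1; }
    peconf_points_to "$dh_file" "$PE_CONF" ||
        { echo "FAIL: $PE_CONF does not reference $dh_file" >&2; return 1; }
    echo "OK: $dh_file ($dh_bits bit) is valid and referenced by $PE_CONF"
}

# Run the checks only when a file path is passed on the command line.
if [ "$#" -gt 0 ]; then check_dhparam "$1"; fi
```

On a mono install, run it with the file path as the only argument before step 3. On a split install, pe.conf is on the master, so call peconf_points_to there.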