Regenerate Windows agent certificates
Regenerate Windows agent certificates to fix a compromised certificate or troubleshoot SSL errors on agents, or if you recreated your certificate authority.
Unless otherwise indicated, perform these steps on the Windows agent node that you're regenerating certificates for.
If you did not recreate your certificate authority, you must log into your master and clear the cert for the agent:
puppetserver ca clean --certname <CERTNAME>
On the agent, back up the %PROGRAMDATA%/PuppetLabs/puppet/etc/ssl directory. If something goes wrong, you might need to restore these directories so your deployment remains functional.
Stop the Puppet agent and PXP agent services.
puppet resource service puppet ensure=stopped
puppet resource service pxp-agent ensure=stopped
Using the administrator account, delete the agent SSL directory located at
Remove the agent's cached catalog. Use the Administrator confdir to delete
Re-start the Puppet
puppet resource service puppet ensure=running
After the agent starts, it automatically generates keys and requests a new certificate from the Puppet CA.
If you aren't using autosigning, sign each agent node's certificate request using the console's request manager, or from your
puppetserver ca list
puppetserver ca sign --certname <NAME>
Note: For more information about autosigning, see Autosigning certificate requests.
From the console or command line, run Puppet on the node.
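
The backup and service-stop steps above as a PowerShell example, added here and not part of the original documentation: it copies the ssl directory into an administrators-only folder, stops both services, and confirms by SHA-256 that the copy matches the source before anything is deleted. The backup location and the Get-TreeHash helper are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Puppet documentation.
$ErrorActionPreference = 'Stop'

# Source path is the one named in the procedure; the backup location is an assumption.
$sslDir    = Join-Path $env:ProgramData 'PuppetLabs\puppet\etc\ssl'
$backupDir = "$env:SystemDrive\puppet-ssl-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"

# The ssl directory holds the agent's private key, so create the backup folder
# first and restrict it to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18)
# before any key material is copied into it.
New-Item -ItemType Directory -Path $backupDir | Out-Null
icacls $backupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
Copy-Item -Path $sslDir -Destination $backupDir -Recurse   # creates $backupDir\ssl

# Stop both services, then confirm they really stopped.
puppet resource service puppet ensure=stopped
puppet resource service pxp-agent ensure=stopped
foreach ($name in 'puppet', 'pxp-agent') {
    if ((Get-Service -Name $name).Status -ne 'Stopped') {
        throw "Service '$name' is still running; not continuing."
    }
}

# Hypothetical helper: relative path and SHA-256 of every file under a root.
function Get-TreeHash([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelPath = $_.FullName.Substring($Root.Length)
            Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Compare source and backup now that nothing can write to the ssl directory.
$source = @(Get-TreeHash $sslDir)
$copy   = @(Get-TreeHash (Join-Path $backupDir 'ssl'))
if ($source.Count -eq 0) { throw "No files found under $sslDir; nothing was backed up." }
if ($copy.Count -eq 0)   { throw "Backup under $backupDir is empty." }

$diff = Compare-Object $source $copy -Property RelPath, Sha256
if ($diff) {
    $diff | Format-Table -AutoSize | Out-String | Write-Warning
    throw "Backup does not match $sslDir; fix the backup before deleting anything."
}
Write-Output "Verified backup of $($source.Count) files in $backupDir"
```

If the certificate is being regenerated because it was compromised, treat the backup as compromised key material and remove it once the agent is working with its new certificate.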