Regenerating all certificates in a Puppet deployment
In some cases, you might need to regenerate the certificates and security credentials (private and public keys) that are generated by Puppet’s built-in certificate authority (CA).
For example, you might have a Puppet master you need to move to a different network in your infrastructure, or you might have experienced a security vulnerability that makes existing credentials untrustworthy.
On your master, you’ll clear the certs and security credentials, regenerate the CA, and then regenerate the certs and security credentials.
You’ll clear and regenerate certs and security credentials for any extensions.
You'll clear and regenerate certs and security credentials for all agent nodes.
Run the puppet cert clean command on your Puppet master and then follow step 3 for any agents that need to be replaced.
Step 1: Clear and regenerate certs on your Puppet master
On the Puppet master hosting the CA:
- You have a new CA certificate and key.
- Your Puppet master has a certificate from the new CA, and it can field new certificate requests.
- The Puppet master rejects any requests for configuration catalogs from nodes that haven’t replaced their certificates. At this point, that is every node except the master itself.
- When using any extensions that rely on Puppet certificates, like PuppetDB, the Puppet master won’t be able to communicate with them. Consequently, it might not be able to serve catalogs, even to agents that do have new certificates.
Step 2: Clear and regenerate certs for any extension
You might be using an extension, like PuppetDB or MCollective, to enhance Puppet. These extensions probably use certificates from Puppet’s CA in order to communicate securely with the Puppet master. For each extension like this, you’ll need to regenerate the certificates it uses.
Many tools have scripts or documentation to help you set up SSL, and you can often just re-run the setup instructions.
PuppetDB
We recommend PuppetDB users first follow the instructions in Step 3: Clear and regenerate certs for agents, below, because PuppetDB re-uses Puppet agents’ certificates. After that, restart the PuppetDB service. See Redo SSL setup after changing certificates for more information.
MCollective
MCollective often uses SSL certificates from Puppet’s CA. If you are replacing your Puppet CA and are using the same certs for MCollective, refer to the standard deployment guide and re-do any steps involving security credentials. You’ll generally need to replace client certificates, your server keypair, and the ActiveMQ server’s keystore and truststore.
Step 3: Clear and regenerate certs for Puppet agents
To replace the certs on agents, you’ll need to log into each agent node and do the following steps.
After you have regenerated all agents’ certificates, everything will be fully functional under the new CA.
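A check to run on each agent after step 3, added here as an example and not taken from the Puppet documentation: it confirms the agent's cached CA cert is the master's new CA, that the agent cert chains to that CA (a cert from the old CA is exactly what the master now rejects), and that the private key matches the cert. It assumes openssl is installed, Puppet's standard ssldir layout (certs/ca.pem, certs/<certname>.pem, private_keys/<certname>.pem), and that the master's new CA cert (ssldir/ca/ca_crt.pem on the master) has been copied to the agent as $new_ca.

```shell
# Added example (not from the Puppet docs): verify one agent's SSL files
# against the master's NEW CA certificate after the regeneration steps.
# Assumes openssl is installed and Puppet's standard ssldir layout;
# $new_ca is a copy of the master's new CA cert (ssldir/ca/ca_crt.pem).
check_agent_ssl() {
  ssldir=$1; certname=$2; new_ca=$3
  cert="$ssldir/certs/$certname.pem"
  key="$ssldir/private_keys/$certname.pem"
  local_ca="$ssldir/certs/ca.pem"
  for f in "$cert" "$key" "$local_ca" "$new_ca"; do
    [ -r "$f" ] || { echo "missing file: $f"; return 2; }
  done
  # 1. The agent's cached CA cert must be the new CA, not the old one.
  have=$(openssl x509 -in "$local_ca" -noout -fingerprint -sha256)
  want=$(openssl x509 -in "$new_ca" -noout -fingerprint -sha256)
  if [ "$have" != "$want" ]; then
    echo "STALE CA: $certname still trusts the old CA ($have)"; return 1
  fi
  # 2. The agent cert must chain to the new CA; a cert issued by the
  #    old CA fails here, which is what the master would reject.
  if ! openssl verify -CAfile "$new_ca" "$cert" >/dev/null 2>&1; then
    echo "STALE CERT: $cert was not issued by the new CA"; return 1
  fi
  # 3. The private key must belong to that cert (catches a half-done
  #    regeneration where the key was replaced but the cert was not).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "KEY MISMATCH: $key does not match $cert"; return 1
  fi
  echo "OK: $certname is valid under the new CA"
  return 0
}
```

On an agent, call it as check_agent_ssl "$(puppet config print ssldir)" "$(puppet config print certname)" /path/to/new_ca.pem; a non-zero exit means that agent's step 3 is not complete.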