Open source Puppet documentation

In some cases, you might need to regenerate the certificates and security credentials (private and public keys) that are generated by Puppet’s built-in PKI systems.

For example, you might have a Puppet master you need to move to a different network in your infrastructure, or you might have experienced a security vulnerability that makes existing credentials untrustworthy.

Note: There are other, more automated ways of doing this. We recommend using Bolt to regenerate certs when needed. See the Bolt documentation for more information. There is also a puppetlabs-certregen module but is not supported with Puppet Server 6.
Important: The information on this page describes the steps for regenerating certs in an open source Puppet deployment. If you use Puppet Enterprise do not use the information on this page, as it leaves you with an incomplete replacement and non-functional deployment. Instead, PE customers must refer to one of the following pages:
If your goal is to... Do this...
Regenerate an agent’s certificate

Clear and regenerate certs for Puppet agents

Fix a compromised or damaged certificate authority

Regenerate the CA and all certificates

Completely regenerate all Puppet deployment certificates

Regenerate the CA and all certificates

Add DNS alt-names or other certificate extensions to your existing Puppet master Regenerate the agent certificate of your Puppet master and add DNS alt-names or other certificates

Regenerate the agent certificate of your Puppet master and add DNS alt-names or other certificate extensions

This option preserves the master agent relationship and lets you add DNS alt-names or certificate extensions to your existing master.

  1. Revoke the Puppet master’s certificate and clean the CA files pertaining to it. Note that the agents won’t be able to connect to the master until all of the following steps are finished.
    puppetserver ca clean --certname <CERTNAME_OF_YOUR_MASTER>
  2. Remove the agent-specific copy of the public key, private key, and certificate-signing request  pertaining to the certificate:
    puppet ssl clean
  3. Stop the Puppet master service:
    puppet resource service puppetserver ensure=stopped
    Note: The CA and server run in the same master so this also stops the CA.
  4. After you’ve stopped the master and CA service, create a certificate signed by the CA and add DNS alt names (comma separated):
     puppetserver ca generate --certname <CERTNAME> --subject-alt-names <DNS ALT NAMES> --ca-client
    Note: If you don’t want to add DNS alt names to your master, omit the --subject-alt-names <DNS ALT NAMES> option from the command above.
  5. Restart the Puppet master service:
    puppet resource service puppetserver ensure=running

Regenerate the CA and all certificates

CAUTION: This process destroys the certificate authority and all other certificates. It is meant for use in the event of a total compromise of your site, or some other unusual circumstance. If you want to preserve the master agent relationship, regenerate the agent certificate of your Puppet master. If you just need to replace a few agent certificates, clear and regenerate certs for Puppet agents.

Step 1: Clear and regenerate certs on your Puppet master

On the Puppet master hosting the CA:

  1. Back up the SSL directory, which should be /etc/puppetlabs/puppet/ssl/. If something goes wrong, you can restore this directory so your deployment can stay functional. However, if you needed to regenerate your certs for security reasons and couldn’t, you should get some assistance as soon as possible so you can keep your site secure.
  2. Stop the agent service:
    sudo puppet resource service puppet ensure=stopped
    
  3. Stop the master service.
    For Puppet Server, run:
    sudo puppet resource service puppetserver ensure=stopped
  4. Delete the SSL directory:
    sudo rm -r /etc/puppetlabs/puppet/ssl
  5. Regenerate the CA and master's cert:
    sudo puppetserver ca setup

    You should see this message: Notice: Signed certificate request for ca.

  6. Start the Puppet master service by running:
    sudo puppet resource service puppetserver ensure=running
  7. Start the Puppet agent service by running this command:
    sudo puppet resource service puppet ensure=running
    
At this point:
  • You have a new CA certificate and key.

  • Your Puppet master has a certificate from the new CA, and it can field new certificate requests.

  • The Puppet master rejects any requests for configuration catalogs from nodes that haven’t replaced their certificates. At this point, it is all of them except itself.

  • When using any extensions that rely on Puppet certificates, like PuppetDB, the Puppet master won’t be able to communicate with them. Consequently, it might not be able to serve catalogs, even to agents that do have new certificates.

Step 2: Clear and regenerate certs for any extension

You might be using an extension, like PuppetDB or MCollective, to enhance Puppet. These extensions probably use certificates from Puppet’s CA in order to communicate securely with the Puppet master. For each extension like this, you’ll need to regenerate the certificates it uses.

Many tools have scripts or documentation to help you set up SSL, and you can often just re-run the setup instructions.

PuppetDB

PuppetDB users should first follow the instructions in Step 3: Clear and regenerate certs for agents, below, because PuppetDB re-uses Puppet agents’ certificates. After that, restart the PuppetDB service. See Redo SSL setup after changing certificates for more information.

Step 3: Clear and regenerate certs for Puppet agents

To replace the certs on agents, you’ll need to log into each agent node and do the following steps.

  1. Stop the agent service. On *nix:
    sudo puppet resource service puppet ensure=stopped
    On Windows, with Administrator privileges: 
    puppet resource service puppet ensure=stopped
  2. Locate Puppet’s SSL directory and delete its contents.

    The SSL directory can be determined by running puppet config print ssldir --section agent

  3. Restart the agent service. On *nix:
    sudo puppet resource service puppet ensure=running
    On Windows, with Administrator privileges:
    puppet resource service puppet ensure=running

    When the agent starts, it generates keys and requests a new certificate from the CA master.

  4. If you are not using autosigning, log in to the CA master server and sign each agent node’s certificate request.
    To view pending requests, run:
    sudo puppetserver ca list
    To sign requests, run:
    sudo puppetserver ca sign --certname <NAME>

    After an agent node’s new certificate is signed, it's retrieved within a few minutes and a Puppet run starts.

After you have regenerated all agents’ certificates, everything should be fully functional under the new CA.

Note: You can achieve the same results by turning these steps into Bolt tasks or plans. See the Bolt documentation for more information.
Back to top
The page rank or the 1 our of 5 rating a user has given the page.
The email address of the user submitting feedback.
The URL of the page being ranked/rated.