Puppet CA/puppetmasterd cert renewal

While we’re still converting our puppet controlled infra to Ansible, we still have some nodes “controlled” by puppet, as converting some roles isn’t something that can be done in just one or two days. Add to that other items in your backlog that all have priority set to #1 and then time is flying, until you realize this for your existing legacy puppet environment (assuming false FQDN here, but you’ll get the idea):

So, as long as your PKI setup for puppet is still valid, you can act in advance, resign/extend CA and puppetmasterd and distribute newer CA certs to agents, and go forward with other items in your backlog, while still converting from puppet to Ansible (at least for us)


Before anything else, (in case you don’t backup this, but you should), let’s take a backup on the Puppet CA (in our case, it’s a Foreman driven puppetmasterd, so foreman host is where all this will happen, YMMV)

CA itself

We first need to regenerate the CSR for the CA cert, and sign it again Ideally we confirm that the ca_key.pem and the existing ca_crt.pem “matches” through modulus (should be equals)

As it’s the case, we can now Regenerate from that private key and existing crt a CSR

Now that we have the CSR for CA, we need to sign it again, but we have to add extensions

And now archive old CA crt and sign (new) extended one

Puppetmasterd server

We have also to regen the CSR from the existing cert (assuming our fqdn for our cert is correctly also the currently set hostname)

Now that we have CSR, we can sign with new CA

Validating that puppetmasted key and new certs are matching (so crt and private keys are ok)

It seems all good, so let’s restart puppetmasterd/httpd (foremand launches puppetmasterd for us)

Puppet agents

From this point, puppet agents will not complain about the puppetmasterd cert, but still about the fact that CA itself will expire soon :

But as we have now the new ca_crt.pem at the puppetmasterd/foreman side, we can just distribute it on clients (through puppet or ansible or whatever) and then it will continue to work

And now distribute the new ca_crt.pem as ca.pem here

puppet snippet for this (in our puppet::agent class)

Next time you’ll “puppet agent -t” or that puppet will contact puppetmasterd, it will apply the new cert on and on next call, no warning, issue anymore

Hope it helps

Author: stratus

Laisser un commentaire