Regenerating expiring agent cert on the master host (not CA cert)


Andy Smith

Nov 1, 2017, 1:32:55 PM
to puppet...@googlegroups.com
Hi,

I've got a puppet environment that's been around for nearly 5 years
now, so I started getting warnings about certificate expiry:

Warning: Certificate 'Puppet CA: puppet0.example.com' will expire on 2017-12-30T02:36:41UTC
Warning: Certificate 'puppet0.example.com' will expire on 2017-12-30T02:36:42UTC

It's a very simple environment with only one puppetmaster, which is
puppet0.

So, I have the puppetlabs-certregen module and that took care of
renewing the CA certificate.

Now I only get:

Warning: Certificate 'puppet0.example.com' will expire on 2017-12-30T02:36:42UTC

on every host's agent run.

I note that certregen specifically says it's not designed to deal
with agent certificate renewal, so, what is the correct way to do
it when we're talking about the agent that is also the puppetmaster?

Searching around finds many suggestions of:

# rm -vr /var/lib/puppet/ssl

That doesn't seem appropriate for the host that's also the
puppetmaster.

I tried "puppet clean puppet0.example.com" in a test network but
afterwards puppet0 couldn't regenerate its own agent certificate
saying that it had been revoked, and neither could any other host's
agent connect any more.

What is actually the correct procedure when the host in question is
also a master host?

Cheers,
Andy

Andy Smith

Nov 2, 2017, 7:21:43 AM
to puppet...@googlegroups.com
On Wed, Nov 01, 2017 at 05:32:32PM +0000, Andy Smith wrote:
> I note that certregen specifically says it's not designed to deal
> with agent certificate renewal, so, what is the correct way to do
> it when we're talking about the agent that is also the puppetmaster?

I did:

# puppet cert clean puppet0.example.com
# rm -v /var/lib/puppet/ssl/ca/signed/puppet0.example.com.pem \
/var/lib/puppet/ssl/certs/puppet0.example.com.pem \
/var/lib/puppet/ssl/certificate_requests/puppet0.example.com.pem \
/var/lib/puppet/ssl/private_keys/puppet0.example.com.pem

then restarted nginx and unicorn then:

# puppet agent --test

and things seemed okay from then on.

Cheers,
Andy
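The steps in the reply above, wrapped in a small script as an added example (this is not code from the thread or from Puppet). It follows the same sequence Andy used: `puppet cert clean` for the master's own certname, removal of the four PEM files under the thread's `/var/lib/puppet/ssl` layout, a service restart, and then a `puppet agent --test` to get a fresh certificate signed. Two things are added that a practitioner would want before running `cert clean` on the CA host: a tar backup of the whole SSL directory, so a wrong certname or a clean that revokes the wrong thing can be rolled back, and a refusal to proceed when no key and cert exist for the given certname. The `PUPPET`, `RESTART_CMD`, `AGENT_CMD`, `SSLDIR` and `BACKUP_DIR` overrides are assumptions introduced here so the procedure can be rehearsed against a scratch copy of the directory; the default `systemctl restart nginx unicorn` is likewise an assumption, since the thread only says nginx and unicorn were restarted.

```shell
#!/bin/sh
# Added example, not from the thread: renew the puppetmaster's own *agent*
# certificate (the CA certificate is out of scope; puppetlabs-certregen
# handles that). Assumed layout: /var/lib/puppet/ssl as in the thread.
set -eu

SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"          # assumption: overridable
PUPPET="${PUPPET:-puppet}"                        # assumption: overridable
RESTART_CMD="${RESTART_CMD:-systemctl restart nginx unicorn}"  # assumption
AGENT_CMD="${AGENT_CMD:-puppet agent --test}"     # assumption: overridable
BACKUP_DIR="${BACKUP_DIR:-/var/backups}"          # assumption: overridable

# Archive the whole SSL directory before touching anything; prints the
# archive path so the caller can record it.
backup_ssldir() {
  stamp=$(date +%Y%m%d%H%M%S)
  archive="$BACKUP_DIR/puppet-ssl-$stamp.tar"
  tar -cf "$archive" -C "$(dirname "$SSLDIR")" "$(basename "$SSLDIR")" || return 1
  printf '%s\n' "$archive"
}

# Perform the renewal for one certname (the master's own). Returns non-zero
# and changes nothing if the certname has no key/cert under SSLDIR.
regen_master_agent_cert() {
  certname="$1"
  key="$SSLDIR/private_keys/$certname.pem"
  cert="$SSLDIR/certs/$certname.pem"

  # A master that is also an agent has both its own key and its signed cert;
  # if either is missing, the certname is probably wrong, so stop here.
  if [ ! -f "$key" ] || [ ! -f "$cert" ]; then
    echo "no key/cert for $certname under $SSLDIR; nothing cleaned" >&2
    return 1
  fi

  archive=$(backup_ssldir) || return 1

  # Step 1 from the thread: revoke and clean the old cert in the CA.
  "$PUPPET" cert clean "$certname" || return 1

  # Step 2: remove the four per-certname files so the agent asks for a new one.
  for f in "$SSLDIR/ca/signed/$certname.pem" \
           "$cert" \
           "$SSLDIR/certificate_requests/$certname.pem" \
           "$key"; do
    rm -fv "$f" >&2
  done

  # Step 3: restart the web front end so it reloads its SSL state.
  $RESTART_CMD || return 1

  # Step 4: run the agent; as CA host it can autosign/sign its own new CSR.
  $AGENT_CMD || true   # assumption: exit 2 ("changes applied") is not an error

  printf '%s\n' "$archive"
}

# Standalone use: ./regen-agent-cert.sh puppet0.example.com
if [ $# -gt 0 ]; then
  regen_master_agent_cert "$1"
fi
```

Rehearse it first on a copy: `SSLDIR=/tmp/ssl-copy PUPPET=true RESTART_CMD=true AGENT_CMD=true BACKUP_DIR=/tmp ./regen-agent-cert.sh puppet0.example.com` shows exactly which files would go and leaves a tar archive behind; only when that looks right run it with the real defaults on the master.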