I ran into this issue a few weeks ago, but only my CA cert was expired as my master certs were a few years newer than CA. There are a couple blog articles I found (lost URLs) that pieced together these steps to renew CA cert. For clients you just have to remove then re-download the CA cert once those are renewed. For renewing the master certs, it's same as client certs I believe where you delete the client cert from /etc/puppetlabs/puppet/ssl and then do something like "puppet cert clean ..." to remove expired cert from CA and then rerun Puppet on client to generate new cert then sign it with "puppet cert sign ...". The commands to clean / sign are different for Puppet 6 as they go through puppetserver, so my pseudo examples maybe wrong as I haven't used Puppet 5 in a while.
( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 )
# Generate new CSR
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
cat > extension.cnf << EOF
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
cp ca_crt.pem ca_crt.pem.old
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
chown puppet: ./*
cp -a ca/ca_crt.pem certs/ca.pem
/opt/puppetlabs/bin/puppet resource file /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
/opt/puppetlabs/bin/puppet ssl download_cert