Cool, thanks. That is actually the process I had set up in our lab, but the difference is the puppet masters' certs weren't expiring. I'm using puppetlabs-certregen to extend the CA cert instead of the manual steps you provided. A relief that I'm pretty much going to follow the same route you did. Thanks.
On Tuesday, July 13, 2021 at 10:16:41 AM UTC-4 treydock wrote:
> I ran into this issue a few weeks ago, but only my CA cert was expired as my master certs were a few years newer than CA. There are a couple blog articles I found (lost URLs) that pieced together these steps to renew CA cert. For clients you just have to remove then re-download the CA cert once those are renewed. For renewing the master certs, it's same as client certs I believe where you delete the client cert from /etc/puppetlabs/puppet/ssl and then do something like "puppet cert clean ..." to remove expired cert from CA and then rerun Puppet on client to generate new cert then sign it with "puppet cert sign ...". The commands to clean / sign are different for Puppet 6 as they go through puppetserver, so my pseudo examples may be wrong as I haven't used Puppet 5 in a while.
>
> # Verify
> cd /etc/puppetlabs/puppet/ssl/ca
> ( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 )
>
> # Generate new CSR
> openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
>
> # Sign
> cat > extension.cnf << EOF
> [CA_extensions]
> basicConstraints = critical,CA:TRUE
> nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
> keyUsage = critical,keyCertSign,cRLSign
> subjectKeyIdentifier = hash
> EOF
> cp ca_crt.pem ca_crt.pem.old
> openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
> openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
> chown puppet: ./*
> cd /etc/puppetlabs/puppet/ssl
> cp -a ca/ca_crt.pem certs/ca.pem
>
> # CLIENTS
>
> /opt/puppetlabs/bin/puppet resource file /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
> /opt/puppetlabs/bin/puppet ssl download_cert
>
> On Monday, July 12, 2021 at 9:40:24 AM UTC-4 pkraw...@gmail.com wrote:
>
>> Version: Puppet 5.5
>>
>> We have an open source puppet environment which has been up for almost 5 years and certs are about to expire. We are running 5.5. I know it's an older version but we are sunsetting puppet by year end.
>>
>> Setup:
>> PuppetCA Server
>> Puppet Master Server 1
>> Puppet Master Server 2
>> Puppet Master Server 3
>> Puppet Master Server 4
>> PuppetDB Server
>>
>> The 4 master servers are load balanced using an F5 and DNS name.
>>
>> I have read many different solutions for this issue and was wondering if someone has a step-by-step process to renew not only the CA cert but also the puppet master server certs.
>>
>> I'll be using certregen to deal with the CA certificate but I'm not sure when I should clean the puppet master servers' cert which also needs a dns_alt_names param (I believe that goes in the master section of puppet.conf) and then run puppet agent -t command to create a new puppet master server cert.
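An added example, not code from this thread or from Puppet: it rehearses treydock's renewal steps against a throwaway CA in a scratch directory and then runs the checks worth doing before copying the renewed ca_crt.pem into place. The lab directory, file names and the agent CN are constructed; the only requirement is the openssl CLI.

```shell
# Added example (not from the thread): rehearse the CA renewal on a lab CA, then
# confirm the renewed cert still matches the original key, still carries
# CA:TRUE/keyCertSign, and still verifies an agent cert signed under the OLD CA.
set -eu

# Constructed lab data: a short-lived CA and one agent cert signed by it.
make_lab_ca() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca_key.pem" \
    -out "$d/ca_crt.pem" -days 30 -subj "/CN=Puppet CA: lab.example" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/agent_key.pem" \
    -out "$d/agent.csr" -subj "/CN=agent01.lab.example" >/dev/null 2>&1
  openssl x509 -req -in "$d/agent.csr" -CA "$d/ca_crt.pem" -CAkey "$d/ca_key.pem" \
    -CAcreateserial -days 30 -out "$d/agent_crt.pem" >/dev/null 2>&1
  echo "$d"
}

# The renewal from the thread: CSR from the old cert, re-sign with the SAME key,
# and restate the CA extensions (x509toreq does not carry them over). $1 = dir, $2 = days.
renew_ca() {
  cat > "$1/extension.cnf" <<'EOF'
[CA_extensions]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -x509toreq -in "$1/ca_crt.pem" -signkey "$1/ca_key.pem" \
    -out "$1/ca_csr.pem" 2>/dev/null
  cp "$1/ca_crt.pem" "$1/ca_crt.pem.old"
  openssl x509 -req -days "$2" -in "$1/ca_csr.pem" -signkey "$1/ca_key.pem" \
    -out "$1/ca_crt.pem" -extfile "$1/extension.cnf" -extensions CA_extensions 2>/dev/null
}

# Returns 0 when the key's modulus matches the cert's (the thread's "Verify" step).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1/ca_key.pem" 2>/dev/null | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$1/ca_crt.pem" 2>/dev/null | openssl md5)
  [ "$k" = "$c" ]
}
# Returns 0 when the cert is still a CA that may sign certificates (both markers present).
has_ca_extensions() {
  [ "$(openssl x509 -in "$1/ca_crt.pem" -noout -text | grep -c -e 'CA:TRUE' -e 'Certificate Sign')" -eq 2 ]
}
# Returns 0 when the cert will still be valid $2 seconds from now.
valid_for() { openssl x509 -in "$1/ca_crt.pem" -noout -checkend "$2" >/dev/null; }
# Returns 0 when an agent cert issued under the old CA cert verifies against the renewed one.
agent_still_trusted() { openssl verify -CAfile "$1/ca_crt.pem" "$1/agent_crt.pem" >/dev/null 2>&1; }
```

Because the CA key is unchanged, certificates already issued by it keep verifying against the renewed CA cert, which is why agents only need to replace their copy of ca.pem rather than re-enrol. The old cert is kept as ca_crt.pem.old so the swap can be reverted if any check fails.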