Cool, thanks. That is actually the process I had set up in our lab, but the difference is the puppet masters' certs weren't expiring. I'm using puppetlabs-certregen to extend the CA cert instead of the manual steps you provided. A relief that I'm pretty much going to follow the same route you did. Thanks.
On Tuesday, July 13, 2021 at 10:16:41 AM UTC-4 treydock wrote:

> I ran into this issue a few weeks ago, but only my CA cert was expired, as my master certs were a few years newer than the CA. There are a couple of blog articles I found (lost URLs) that pieced together these steps to renew the CA cert. For clients you just have to remove, then re-download, the CA cert once those are renewed. For renewing the master certs, it's the same as client certs, I believe, where you delete the client cert from /etc/puppetlabs/puppet/ssl and then do something like "puppet cert clean ..." to remove the expired cert from the CA, then rerun Puppet on the client to generate a new cert, then sign it with "puppet cert sign ...". The commands to clean / sign are different for Puppet 6 as they go through puppetserver, so my pseudo examples may be wrong as I haven't used Puppet 5 in a while.
>
> # Verify
> cd /etc/puppetlabs/puppet/ssl/ca
> ( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 )
>
> # Generate new CSR
> openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
>
> # Sign
> cat > extension.cnf << EOF
> [CA_extensions]
> basicConstraints = critical,CA:TRUE
> nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
> keyUsage = critical,keyCertSign,cRLSign
> subjectKeyIdentifier = hash
> EOF
> cp ca_crt.pem ca_crt.pem.old
> openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
> openssl x509 -in ca_crt.pem -noout -text | grep -A 3 Validity
> chown puppet: ./*
> cd /etc/puppetlabs/puppet/ssl
> cp -a ca/ca_crt.pem certs/ca.pem
>
> # CLIENTS
>
> /opt/puppetlabs/bin/puppet resource file /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
> /opt/puppetlabs/bin/puppet ssl download_cert
>
> On Monday, July 12, 2021 at 9:40:24 AM UTC-4 [email protected] wrote:
>
>> Version: Puppet 5.5
>>
>> We have an open source puppet environment which has been up for almost 5 years and certs are about to expire. We are running 5.5. I know it's an older version but we are sunsetting puppet by year end.
>>
>> Setup:
>> PuppetCA Server
>> Puppet Master Server 1
>> Puppet Master Server 2
>> Puppet Master Server 3
>> Puppet Master Server 4
>> PuppetDB Server
>>
>> The 4 master servers are load balanced using an F5 and DNS name.
>>
>> I have read many different solutions for this issue and was wondering if someone has a step-by-step process to renew not only the CA cert but also the puppet master server certs.
>>
>> I'll be using certregen to deal with the CA certificate but I'm not sure when I should clean the puppet master servers' cert, which also needs a dns_alt_names param (I believe that goes in the master section of puppet.conf), and then run the puppet agent -t command to create a new puppet master server cert.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/40d31ae0-53bc-4c6a-ba7f-694358523bc4n%40googlegroups.com.
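An added example, not part of this thread or of Puppet: the checks I would run on a CA cert renewed the way treydock describes (same CA key, cert re-signed with the CA extensions) before it replaces ca/ca_crt.pem and certs/ca.pem and is pushed to agents. The function name and its arguments (the CA key, the saved old cert, the new cert, and optionally one existing agent or master cert) are this example's own, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a Puppet CA cert that was
# re-signed with its existing key (the steps treydock posted) before it replaces
# ca/ca_crt.pem and certs/ca.pem. Function name and arguments are this example's own.
# Usage: check_renewed_ca ca_key.pem ca_crt.pem.old ca_crt.pem [existing_leaf.pem]
check_renewed_ca() {
  key=$1; old=$2; new=$3; leaf=$4

  # 1. Same private key: the new cert's modulus must match the (RSA) CA key,
  #    which is the thread's "Verify" step repeated against the renewed cert.
  kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl md5)
  cmod=$(openssl x509 -noout -modulus -in "$new" 2>/dev/null | openssl md5)
  [ "$kmod" = "$cmod" ] || { echo "FAIL: $new does not match $key"; return 1; }

  # 2. Same subject: issuer names on already-issued agent/master certs must still match.
  osub=$(openssl x509 -noout -subject -in "$old")
  nsub=$(openssl x509 -noout -subject -in "$new")
  [ "$osub" = "$nsub" ] || { echo "FAIL: subject changed"; return 1; }

  # 3. CA extensions present: 'x509 -req' drops them unless -extfile/-extensions is
  #    given, and chain validation may refuse an issuer that lacks CA:TRUE/keyCertSign.
  text=$(openssl x509 -noout -text -in "$new")
  echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: basicConstraints CA:TRUE missing"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "FAIL: keyUsage keyCertSign missing"; return 1; }

  # 4. Not about to expire again: -checkend exits non-zero if the cert expires
  #    within the given number of seconds (30 days here).
  openssl x509 -noout -checkend 2592000 -in "$new" >/dev/null \
    || { echo "FAIL: $new expires within 30 days"; return 1; }

  # 5. Existing certs still chain to the renewed CA cert: this is what lets agents keep
  #    their certs and only re-download ca.pem, so prove it with one real leaf cert.
  if [ -n "$leaf" ]; then
    openssl verify -CAfile "$new" "$leaf" >/dev/null 2>&1 \
      || { echo "FAIL: $leaf does not verify against $new"; return 1; }
  fi

  echo "OK: $new is a valid renewal of $old"
}
```

Run it with the old cert saved by the `cp ca_crt.pem ca_crt.pem.old` step and any cert from /etc/puppetlabs/puppet/ssl/certs; a FAIL on check 3 is the symptom of having re-signed without `-extfile`.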
