If the key and the certificate don't match, you may have to regenerate your puppetserver's CA and essentially start from scratch. I'm not aware of a way to fix a mismatch without totally starting over. If you want to start from scratch, you usually just delete /etc/puppetlabs/puppet/ssl on the puppetserver (or move it to somewhere like /tmp), restart the daemon, and puppetserver should regenerate everything.
On Friday, October 15, 2021 at 12:57:23 PM UTC-4 puppet-bsd wrote:
> Performed the Verify steps. Seems the values are not equal. Are there any
> steps in order to make the values equal?
>
>
> On Friday, October 15, 2021 at 9:34:11 AM UTC-4 treydock wrote:
>
>> My advice might not be the best but it's what worked for me when our
>> master CA certificate expired. These are my raw notes from when I had to
>> renew our puppetserver certificate. The original certificate was likely
>> Puppet 4 and expired when running Puppet 6. I googled around and took some
>> steps from various blog posts I found so most of this isn't my original
>> idea:
>>
>> # Verify
>> cd /etc/puppetlabs/puppet/ssl/ca
>> ( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 )
>>
>> # Generate new CSR
>> openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
>>
>> # Sign
>> cat > extension.cnf << EOF
>> [CA_extensions]
>> basicConstraints = critical,CA:TRUE
>> nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
>> keyUsage = critical,keyCertSign,cRLSign
>> subjectKeyIdentifier = hash
>> EOF
>> cp ca_crt.pem ca_crt.pem.old
>> openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
>> openssl x509 -in ca_crt.pem -noout -text | grep -A 3 Validity
>> chown puppet: ./*
>> cd /etc/puppetlabs/puppet/ssl
>> cp -a ca/ca_crt.pem certs/ca.pem
>>
>> # CLIENTS
>>
>> /opt/puppetlabs/bin/puppet resource file /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
>> /opt/puppetlabs/bin/puppet ssl download_cert
>> systemctl restart choria-server
>>
>> For expired client certs, when that happens to me I will do "rm -rf
>> /etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet
>> which will request a new cert, then sign the cert and run Puppet again. That
>> process is rather tedious and not something I've automated really well but
>> also not something I have had happen frequently as we don't tend to keep
>> servers around for 5+ years.
>>
>> On Thursday, October 14, 2021 at 4:09:14 PM UTC-4 puppet-bsd wrote:
>>
>>> Hi all,
>>>
>>> I'm new to puppet.
>>>
>>> I'm currently using puppet 4.10
>>>
>>> Long story short, puppet certificates were expired and by this time, I
>>> am renewing these certificates one node at a time (including the
>>> puppetmaster).
>>>
>>> Once the puppetmaster got "renewed", I tried to create a node
>>> successfully but its first run of puppet agent -t was unsuccessful due to
>>> its related smart proxy server certificate being revoked. Performed a
>>> certificate renewal for the proxy and the new agent now runs fine.
>>>
>>> However, it happens every time I create a new node. In the past, I
>>> didn't have to renew proxy certificates. That means that there is
>>> something/somewhere in puppetmaster that isn't caught up in terms of
>>> certificates.
>>>
>>> One try I made is to regenerate a new CA certificate but it seems it isn't
>>> successful for the earlier described issue.
>>>
>>> Can anyone please point out how to fix the certificate at the puppetmaster
>>> level?
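The "Verify" step above compares two md5 sums by eye. The script below is an added example (not from anyone in this thread) that does the same modulus comparison directly and also checks the CA certificate's remaining validity, so a mismatch or a looming expiry is reported before agents start failing. It assumes openssl is on PATH and the puppetserver CA layout used above (ca_key.pem and ca_crt.pem in /etc/puppetlabs/puppet/ssl/ca); the directory argument lets you point it elsewhere.

```shell
#!/bin/sh
# Added example: check that a Puppet CA key and certificate belong together
# and that the certificate is not about to expire. Assumes openssl on PATH.

# ca_key_matches_cert KEY CERT -> 0 if the RSA moduli are equal, 1 if they
# differ, 2 if either file cannot be parsed.
ca_key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# cert_valid_for CERT SECONDS -> 0 if CERT is still valid SECONDS from now.
# openssl's -checkend exits non-zero when the cert expires within that window.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# check_puppet_ca [DIR] -> 0 if the CA looks healthy, 1 otherwise.
# DIR defaults to the puppetserver CA directory used in the thread.
check_puppet_ca() {
    dir=${1:-/etc/puppetlabs/puppet/ssl/ca}
    key="$dir/ca_key.pem"
    crt="$dir/ca_crt.pem"
    if ca_key_matches_cert "$key" "$crt"; then
        echo "OK: ca_key.pem and ca_crt.pem share the same modulus"
    else
        echo "MISMATCH: ca_crt.pem was not issued for ca_key.pem; the CA must be regenerated"
        return 1
    fi
    # Warn 30 days (2592000 s) ahead so there is time to renew before agents fail.
    if cert_valid_for "$crt" 2592000; then
        echo "OK: ca_crt.pem is valid for at least 30 more days"
    else
        echo "WARN: ca_crt.pem expires within 30 days or has already expired"
        return 1
    fi
}
```

Run `check_puppet_ca` on the puppetserver (as root, since ca_key.pem is not world-readable); a non-zero exit means the thread's regeneration steps, not a client-side fix, are needed.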
