layout | title | subtitle | canonical |
---|---|---|---|
default |
PE 2015.2 » Security and SSL |
Regenerating Certs for the Puppet Master |
/pe/latest/regenerate_certs_master.html |
The major components of Puppet Enterprise (the Puppet master, PuppetDB, and PE console) contain SSL certificates and security credentials (private and public keys) that are generated by PE’s built-in certificate authority (CA). The following document provides instructions on regenerating the cert and security credentials for the Puppet master.
Regenerating certificates and security credentials for the Puppet master involves the following steps:
- Back up SSL directories on the Puppet master server.
- Shut down all PE-related services on the Puppet master.
- Clear the certs for the Puppet master.
- Remove the cached catalog.
- Regenerate the certs for the Puppet master.
- Restart all PE-related services on the Puppet master.
Important: This document applies to the certs and security credentials for the Puppet master server only. If you've experienced an unforeseen security vulnerability and need to regenerate all the certificates and security credentials in your infrastructure, refer to Regenerating Certs and Security Credentials in Split Puppet Enterprise Deployments for complete instructions.
This guide also applies to split installations only. On monolithic installs, PuppetDB shares an agent cert and security credentials with the Puppet master and the PE console. For a monolithic install, you must regenerate all certs and security credentials.
Finally, this document should not be used to regenerate certificates for LEI compile masters.
Notes and Warnings:
You must be logged in as a root, (or in the case of Windows agents, as an account with Administrator Privileges) to make these changes.
If you encounter any errors during steps that involve
service stop/start
,rm
,cp
, orchmod
commands, you should diagnose these before continuing, as the success each step is very important to the success of the next step.In the following instructions, when
<CERTNAME>
is used, it refers to the Puppet master's certname. To find this value, runpuppet config print certname
before starting.Unless otherwise indicated, all commands are run on the Puppet master server.
To clear and regenerate certs on your Puppet master:
-
Back up the
/etc/puppetlabs/puppet/ssl/
directory.If something goes wrong, you may need to restore these directories so your deployment can stay functional. However, if you needed to regenerate your certs for security reasons and couldn't, you should contact Puppet Labs support as soon as you restore service so we can help you secure your site.
-
Shut down all PE-related services with the following commands:
puppet resource service puppet ensure=stopped puppet resource service pe-puppetserver ensure=stopped puppet resource service pe-activemq ensure=stopped puppet resource service mcollective ensure=stopped
-
Clear the cert and security credentials for the Puppet master.
puppet cert clean <CERTNAME>
-
Remove the cached catalog.
rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json
-
Generate the Puppet master's new certs.
puppet cert generate <CERTNAME> --dns_alt_names=<DNS_ALT_NAMES>
Note: Be sure to specify any dns alt names you have. You can find the list of your current dns alt names with
puppet cert list <CERTNAME>
. By default, PE usespuppet
andpuppet.domain
. -
Restart all PE-related services with the following commands:
puppet resource service puppet ensure=running puppet resource service pe-puppetserver ensure=running puppet resource service pe-activemq ensure=running puppet resource service mcollective ensure=running