How to renew Puppet CA certificate

Renew Puppet CA Certification
10Aug

How to renew Puppet CA certificate

By Sysbee Blog , 0 Comments

We’ve written about Puppet a couple of times before, but this time we’ll cover the topic of renewing Puppet CA certificate. While the official documentation recommends regenerating the Puppet CA and re-issueing certificates for all Puppet agents, in some cases that’s not neccessary nor convenient. In this post, we’ll explain how you can renew Puppet CA certificate, without the need to re-sign all Puppet agent certificates.

In our scenario, Puppet Server is working in tandem with PuppetDB and Foreman. Therefore, beside renewing Puppet CA, we’ll also renew client certificate that’s used by Puppet agent, PuppetDB, and Foreman (all running on the same server as Puppet Server). Don’t worry, the procedure is the same even if you’re not using PuppetDB and Foreman.

First things first. Let’s backup existing SSL configuration.

mkdir -p /root/puppet-ssl-backup/{puppet,puppetserver,puppetdb}
cp -prv /etc/puppetlabs/puppet/ssl/ /root/puppet-ssl-backup/puppet/
cp -prv /etc/puppetlabs/puppetserver/ca/ /root/puppet-ssl-backup/puppetserver/
cp -prv /etc/puppetlabs/puppetdb/ssl/ /root/puppet-ssl-backup/puppetdb/

Next, let’s note the serial number of the current CA certificate.

openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -noout -serial

We can now generate new CA CSR (certificate signing request) using existing CA details and private key.

openssl x509 -x509toreq -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -signkey /etc/puppetlabs/puppet/ssl/ca/ca_key.pem -out /etc/puppetlabs/puppet/ssl/ca/ca_csr.pem

Before generating the new CA, we’ll need to configure custom OpenSSL extensions.

cat > /root/puppet-ca-extension.cnf << EOF
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier = hash
EOF

Now we’re ready to generate new CA using the same serial from one the previous commands (don’t forget to insert it at the end of the command). If necessary, adjust the validity period for the CA. In our example, the CA will be valid for 10 years.

openssl x509 -req -days 3650 -in /etc/puppetlabs/puppet/ssl/ca/ca_csr.pem -signkey /etc/puppetlabs/puppet/ssl/ca/ca_key.pem -out /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -extfile /root/puppet-ca-extension.cnf -extensions CA_extensions -set_serial <enter_serial_here>

We also need to regenerate Puppet agent certificate using offline method. But first, remove existing SSL certificate and keys as otherwise Puppet Server will return an error. 

rm -fv /etc/puppetlabs/puppet/ssl/{certs,private_keys,public_keys}/$(hostname).pem
puppetserver ca generate --certname $(hostname) --subject-alt-names $(hostname) --ttl 3650 --ca-client --force

Optional: if you are using PuppetDB, copy new CA and client certificate to PuppetDB SSL directory.

cp -pv /etc/puppetlabs/puppetserver/ca/ca_crt.pem /etc/puppetlabs/puppetdb/ssl/ca.pem
cp -pv /etc/puppetlabs/puppet/ssl/private_keys/$(hostname).pem /etc/puppetlabs/puppetdb/ssl/private.pem
cp -pv /etc/puppetlabs/puppet/ssl/certs/$(hostname).pem /etc/puppetlabs/puppetdb/ssl/public.pem
chown -R puppetdb. /etc/puppetlabs/puppetdb/ssl/
chmod 600 /etc/puppetlabs/puppetdb/ssl/*

Restart all services that are using renewed SSL certificates. 

systemctl restart apache2 foreman foreman-proxy puppetserver puppetdb

At this point, Puppet agents will continue to use old CA during Puppet runs. To prevent failed Puppet runs once the old CA expires, it’s enough to simply remove /etc/puppetlabs/puppet/ssl/certs/ca.pem file on every Puppet agent. On the next Puppet run, the agent will automatically download renewed CA from Puppetserver and store it at the same location.

If you are using Puppet Bolt, you can automate this step with a single command:

bolt command run 'rm -f /etc/puppetlabs/puppet/ssl/certs/ca.pem' --run-as root -t all

That was easy, right? With the CA certificate all set for the next decade, you can get back to Puppet module development, or sharpen your unit and acceptance testing skills.

If you are in the mood for a scary Puppet campfire story, we recommend the blog post about a hugry regex that brought the Puppet server to its knees. It can’t get any scarier than regexes, right? 👻️

Share this post

Author

Saša is part of Sysbee's core team. As certified AWS SysOps administrator, he's well versed in planning, implementation and maintenance of private clouds, VPS, and dedicated server hosting platforms, as well as shared hosting infrastructures.

Related Posts

EC2 instance
09Feb

Automate EC2 instance resize with AWS Ops Automator

If you find yourself in a situation where you have to automate EC2 instance type change (vertical scaling) or create... read more

Covid 19 crises
20Mar

How to help your business during the COVID-19 crisis

If your business is dependent on people moving about, you’re most likely already experiencing consequences of the COVID-19 crisis. Companies... read more

HAProxyConf 2022
15Nov

What we learned at HAProxyConf 2022

Great food, excellent wine and a general strike of the public transportation system on the day you need to get... read more

CentOs 6
24Nov

CentOS 6 EOL

As you already might know, CentOS releases are known to have very long life cycles (usually up to 10 years).... read more

Webshop stability
01Apr

Webshop Stability Issues

Most people are turning to online shopping nowadays, which means your webshop needs to be stable, secure and fast. However, a... read more

Puppet module
03Dec

How bad can a greedy regex really get?

Recently, a client approached us with a curious Puppet Server problem that manifested in excessive CPU usage on the Puppet... read more

The effects of downtime
29Jan

The effects of downtime

Although selling hardware or software might not be your business, the stability of your IT infrastructure plays a vital role... read more

Easy puppet
08Sep

Easy Puppet module development with PDK

If you’re using Puppet and you want to automate something other than basic OS configuration, package install or Unix user... read more

Configuring Cloudflare Tunnels
13Jan

Configuring Cloudflare Tunnels

If you want to keep your servers extra safe or you don't have a publicly routable IP address (CGNAT being... read more

Server room
28Feb

On-Premises vs Cloud

Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management... read more