Regenerating puppet certificates.

Bleeding Heart…

Following the Heartbleed bug, and since every Debian stable (wheezy for the
time being) system was affected, the puppetmaster included, it is a good idea
to regenerate the Puppet CA and all certificates: the CA's private key may have
been read out of the master's memory, so nothing it signed before the fix can be
trusted. Do this only after the fixed OpenSSL package has been installed and
apache2 restarted, otherwise the fresh keys can leak the same way. Here is a
quick how-to when using puppet with passenger on debian wheezy.

Please refer to the
official documentation.

On the puppet master

service apache2 stop
# Keep the old material aside: it still holds the old private keys, so root only.
cp -r /var/lib/puppet/ssl ~/puppet-ssl-backup
chmod -R go-rwx ~/puppet-ssl-backup
rm -rf /var/lib/puppet/ssl/*
# A foreground master creates a new CA and signs its own certificate.
# Kill it with ctrl+c once the CA and certs have been generated.
puppet master --no-daemonize --verbose
service apache2 start

Now a new CA has been created in /var/lib/puppet/ssl, a cert for the master has
been generated and signed by it, and all the existing agent certificates are
unknown to the new CA: they are not revoked, they simply no longer validate.
The list should therefore contain only the master's certificate.

puppet cert list --all

The puppetdb certificates should also be updated, since they were signed by the
old CA. puppetdb ssl-setup only creates files that are missing, hence the rm
first; it copies the new CA and the master's cert and key into /etc/puppetdb/ssl.

rm /etc/puppetdb/ssl/*
puppetdb ssl-setup
service puppetdb restart

Launch the agent on the master to check that everything is OK. The master's own
cert is already signed by the new CA, so this run must succeed without
generating a request.

puppet agent -tv

On the puppet agents

Stop the agent if it is running and clean the SSL dir.

service puppet stop
rm -rf /var/lib/puppet/ssl/*

Launch the agent to generate a key and a certificate request, and wait for the
request to be signed (the agent polls the master every 60 seconds). Note the
request fingerprint it prints.

puppet agent -tv --waitforcert 60

Sign the certificate request on the master, after checking that the fingerprint
shown by puppet cert list matches the one the agent printed.

puppet cert list
puppet cert sign xxx.xxx.xxx
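As an added example that is not part of the original post, here is the
agent-side procedure above as a script, with two things a practitioner wants
after Heartbleed: the old keys are moved aside instead of deleted, and the CA
certificate the agent fetches on first contact is compared against the
fingerprint of the CA the master really created, so an agent cannot be enrolled
against a rogue master holding the leaked old CA key. It assumes the wheezy
paths used above, an openssl binary on the agent, and that EXPECTED_CA_FP is
read on the master with openssl x509 -noout -fingerprint -sha256 -in
/var/lib/puppet/ssl/ca/ca_crt.pem; the backup location /var/backups/puppet-ssl
and the DRY_RUN switch are my own choices, not anything Puppet provides.

```shell
#!/bin/sh
# Added example (not from the original post): re-key one puppet agent against the
# regenerated CA, keeping the old material as a backup and verifying that the CA
# the agent fetched is the one the master really created.
# Assumptions: wheezy paths below; EXPECTED_CA_FP is the SHA-256 fingerprint of
# the new CA cert, read on the master with
#   openssl x509 -noout -fingerprint -sha256 -in /var/lib/puppet/ssl/ca/ca_crt.pem
set -eu

SSL_DIR="${SSL_DIR:-/var/lib/puppet/ssl}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/puppet-ssl}"   # assumed location
EXPECTED_CA_FP="${EXPECTED_CA_FP:-}"   # empty: skip the fingerprint check
DRY_RUN="${DRY_RUN:-0}"                # 1: print service/puppet commands instead of running them

# run CMD...: execute CMD, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# normalize_fp FP: drop the colons openssl prints and lowercase, so fingerprints
# copied from different tools compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# ca_fingerprint PEM: SHA-256 fingerprint of a PEM certificate, normalized.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# ca_matches SSL_DIR FP: 0 when the CA copy the agent holds has fingerprint FP.
ca_matches() {
    [ -f "$1/certs/ca.pem" ] || return 1
    [ "$(ca_fingerprint "$1/certs/ca.pem")" = "$(normalize_fp "$2")" ]
}

# backup_ssl_dir SRC DEST: copy SRC to DEST preserving modes (private keys keep
# 0600), refuse to clobber an existing DEST, then empty SRC but keep the
# directory itself so puppet recreates its layout under the same owner.
backup_ssl_dir() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "backup_ssl_dir: no such directory: $src" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "backup_ssl_dir: refusing to overwrite $dest" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    cp -Rp "$src" "$dest"
    chmod 700 "$dest"
    find "$src" -mindepth 1 -delete
}

# rekey_agent: the agent-side steps from the post, with the CA check added.
rekey_agent() {
    if [ -n "$EXPECTED_CA_FP" ] && ca_matches "$SSL_DIR" "$EXPECTED_CA_FP"; then
        echo "agent already holds the new CA; nothing to do"
        return 0
    fi
    run service puppet stop
    backup_ssl_dir "$SSL_DIR" "$BACKUP_ROOT/ssl-$(date +%Y%m%d%H%M%S)"
    # New key + CSR; polls the master every 60 s until the request is signed.
    run puppet agent -tv --waitforcert 60
    if [ -n "$EXPECTED_CA_FP" ] && ! ca_matches "$SSL_DIR" "$EXPECTED_CA_FP"; then
        echo "WARNING: fetched CA does not match EXPECTED_CA_FP; agent left stopped" >&2
        return 2
    fi
    run service puppet start
}

# Usage: EXPECTED_CA_FP=<fingerprint> ./rekey-agent.sh --run   (DRY_RUN=1 to rehearse)
if [ "${1:-}" = "--run" ]; then
    rekey_agent
fi
```

If the fingerprint check fails the script deliberately leaves the agent
stopped: a node that has just been handed an unexpected CA should not start
applying catalogs from it. Rehearse with DRY_RUN=1 on one agent before rolling
the script out.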