Following the Heartbleed bug and as all Debian stable (wheezy for the time being) are affected and as the puppetmaster is running on debian it is a good idea to regenerate the puppet certificates, here is a quick how-to when using puppet with passenger on debian wheezy.
Please refer to the official documentation.
On the puppet master
1 2 3 4 5 6
Now a new CA has been created in /var/lib/puppet/ssl, and a cert for the master has been generated and signed, and all the existing agent certificates are now unknown to the CA.
The puppetdb certificates should also be updated.
1 2 3
Launch the agent on the master to check that everything is OK.
On the puppet agents
Stop the agent if it is running and clean the SSL dir.
Launch the agent to generate a cert and wait for the cert to be signed.