Regenerating Puppet certificates

Bleeding Heart

Following the Heartbleed bug, and since every Debian stable system (wheezy at the time of writing) is affected and the puppetmaster runs on Debian, it is a good idea to regenerate the Puppet certificates. Here is a quick how-to for Puppet with Passenger on Debian wheezy.

Please refer to the official documentation.

On the puppet master

service apache2 stop
cp -r /var/lib/puppet/ssl ~/puppet-ssl-backup
rm -rf /var/lib/puppet/ssl/*
# Stop the master with Ctrl+C once the CA and the master certificate have been generated
puppet master --no-daemonize --verbose
service apache2 start

A new CA has now been created in /var/lib/puppet/ssl, a certificate for the master has been generated and signed by it, and all the existing agent certificates are unknown to the new CA.

puppet cert list --all

The PuppetDB certificates must also be regenerated from the new CA.

rm /etc/puppetdb/ssl/*
puppetdb ssl-setup
service puppetdb restart

Run the agent on the master to check that everything works.

puppet agent -tv

On the puppet agents

Stop the agent if it is running and clean out the SSL directory.

service puppet stop
rm -rf /var/lib/puppet/ssl/*

Run the agent to generate a new certificate request and let it wait for the certificate to be signed; then, on the master, list the pending requests and sign the agent's one.

puppet agent -tv --waitforcert 60
puppet cert list
puppet cert sign xxx.xxx.xxx
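Once the master and the agents have been re-keyed, it is worth checking that nothing signed by the old CA is still in use. The script below is an added example, not part of the original how-to: it assumes the post's paths (/var/lib/puppet/ssl for the live directory, ~/puppet-ssl-backup for the copy made before the rotation) and the Puppet layout of certs/ca.pem next to certs/<name>.pem, and needs only the openssl command line tool. It reports every certificate that does not chain to the ca.pem beside it as STALE and prints CA fingerprints so the backup and the new CA can be compared. The demo at the bottom builds throwaway CAs in a temporary directory instead of touching the real paths.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Puppet ssl directory after
# a CA rotation. Assumed layout: <dir>/certs/ca.pem plus <dir>/certs/<name>.pem,
# as under /var/lib/puppet/ssl; ~/puppet-ssl-backup is the pre-rotation copy.
set -e

# SHA256 fingerprint of a PEM certificate, printed as "AA:BB:...".
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the certificate $2 was issued by the CA in $1, non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check every certs/*.pem except ca.pem against certs/ca.pem in a Puppet ssl dir.
# Prints "OK <name>" or "STALE <name>" per certificate and returns 1 if any
# certificate is stale, i.e. still signed by a CA other than the current one.
audit_ssl_dir() {
    dir=$1; rc=0
    for cert in "$dir"/certs/*.pem; do
        name=$(basename "$cert" .pem)
        [ "$name" = ca ] && continue
        if verify_against_ca "$dir/certs/ca.pem" "$cert"; then
            echo "OK    $name"
        else
            echo "STALE $name"; rc=1
        fi
    done
    return $rc
}

# Constructed demo data: an "old" and a "new" CA, one agent CSR signed by each,
# laid out as two ssl dirs: "good" (agent cert re-issued by the new CA) and
# "stale" (new ca.pem but an agent cert the old CA signed). Prints the temp dir.
make_demo() {
    work=$(mktemp -d)
    for ca in old new; do
        cat > "$work/$ca-ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Puppet CA $ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$work/$ca-ca.cnf" \
            -keyout "$work/$ca-ca.key" -out "$work/$ca-ca.pem" 2>/dev/null
    done
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = agent.example\n' > "$work/agent.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$work/agent.cnf" \
        -keyout "$work/agent.key" -out "$work/agent.csr" 2>/dev/null
    for ca in old new; do
        openssl x509 -req -in "$work/agent.csr" -CA "$work/$ca-ca.pem" -CAkey "$work/$ca-ca.key" \
            -CAcreateserial -days 1 -out "$work/agent-$ca.pem" 2>/dev/null
    done
    mkdir -p "$work/good/certs" "$work/stale/certs"
    cp "$work/new-ca.pem" "$work/good/certs/ca.pem"
    cp "$work/agent-new.pem" "$work/good/certs/agent.example.pem"
    cp "$work/new-ca.pem" "$work/stale/certs/ca.pem"
    cp "$work/agent-old.pem" "$work/stale/certs/agent.example.pem"
    echo "$work"
}

# Run "sh audit.sh demo" to exercise the functions on the constructed data.
if [ "${1:-}" = demo ]; then
    W=$(make_demo)
    echo "old CA: $(ca_fingerprint "$W/old-ca.pem")"
    echo "new CA: $(ca_fingerprint "$W/new-ca.pem")"
    audit_ssl_dir "$W/good"  || true
    audit_ssl_dir "$W/stale" || true
    rm -rf "$W"
fi
```

For a real check, source the script and run audit_ssl_dir /var/lib/puppet/ssl on the master (and on each agent once its request has been signed), and compare ca_fingerprint ~/puppet-ssl-backup/certs/ca.pem with ca_fingerprint /var/lib/puppet/ssl/certs/ca.pem: the two must differ, otherwise the CA was not actually regenerated.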