Debian stable (wheezy for the time being) is affected by the Heartbleed bug, so if your puppetmaster runs on Debian it is a good idea to regenerate the Puppet certificates. Here is a quick how-to for Puppet with Passenger on Debian wheezy.
Please refer to the official documentation.
On the puppet master
service apache2 stop
cp -r /var/lib/puppet/ssl ~/puppet-ssl-backup
rm -rf /var/lib/puppet/ssl/*
# Kill the master once the CA and certs have been generated using ctrl+c
puppet master --no-daemonize --verbose
service apache2 start
A new CA has now been created in /var/lib/puppet/ssl, a cert for the master has been generated and signed, and all the existing agent certificates are unknown to the new CA.
puppet cert list --all
The puppetdb certificates should also be updated.
rm /etc/puppetdb/ssl/*
puppetdb ssl-setup
service puppetdb restart
Launch the agent on the master to check that everything is OK.
puppet agent -tv
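A check for the master steps above, added here as an example and not part of the original how-to: it lists any PEM file that is byte-identical in the backup and in the live ssldir, meaning key material that was exposed to Heartbleed and survived the wipe. The function names are hypothetical, and it assumes ~/puppet-ssl-backup did not exist before the cp -r, so the backup mirrors the ssldir layout.

```shell
#!/bin/sh
# Added example (not from the original how-to). Function names are
# hypothetical; default paths are the ones used in the steps above.

# Print every *.pem file, relative to the ssldir, whose bytes are identical
# in the pre-rotation backup and in the live ssldir.
stale_pem_files() (
    backup="${1:-$HOME/puppet-ssl-backup}"
    live="${2:-/var/lib/puppet/ssl}"
    backup=${backup%/}
    live=${live%/}
    # A missing directory must not be reported as a clean rotation.
    if [ ! -d "$backup" ] || [ ! -d "$live" ]; then
        echo "missing directory: $backup or $live" >&2
        exit 2
    fi
    find "$backup" -type f -name '*.pem' | sort | while IFS= read -r old; do
        rel=${old#"$backup"/}
        # Same relative path and same bytes: this file was not regenerated.
        if [ -f "$live/$rel" ] && cmp -s "$old" "$live/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
)

# Exit status: 0 nothing survived, 1 stale files found, 2 bad paths.
check_rotation() (
    stale="$(stale_pem_files "$@")" || exit 2
    if [ -n "$stale" ]; then
        printf 'NOT regenerated (identical to backup):\n%s\n' "$stale" >&2
        exit 1   # subshell body: this only leaves the function
    fi
    echo "OK: no PEM file in the live ssldir matches the backup"
)

# Usage on the master, as root, after the steps above:
#   check_rotation                            # default paths
#   check_rotation /path/backup /path/ssldir  # explicit paths
```

The backup still holds the old private keys, so keep it readable by root only and remove it once you no longer need it.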
On the puppet agents
Stop the agent if it is running and clean the SSL dir.
service puppet stop
rm -rf /var/lib/puppet/ssl/*
Launch the agent to generate a cert and wait for the cert to be signed.
puppet agent -tv --waitforcert 60
On the master, list the pending requests and sign the agent's cert.
puppet cert list
puppet cert sign xxx.xxx.xxx