Puppet – Regenerating certificates

https://docs.puppetlabs.com/puppet/latest/reference/ssl_regenerate_certificates.html
On the agent, do:

puppet config print ssldir

We’ll assume for the rest of this article that this outputs:

/var/lib/puppet/ssl

In this directory, list the files that exist for the host:

[root@puppetmaster ssl]# find . -name puppetmaster*
./public_keys/puppetmaster.*.pem
./certificate_requests/puppetmaster.*.pem
./certs/puppetmaster.*.pem
./private_keys/puppetmaster.*.pem
./ca/signed/puppetmaster.*.pem
[root@puppetmaster ssl]# 

Run:

puppet cert clean {agent's fqdn}         # note the "-all" option doesn't work. 

This should then result in:

[root@puppetmaster ssl]# find . -name puppetmaster*
[root@puppetmaster ssl]# 

As you can see, nothing found this time.

Now on the agent do:

puppet agent -t --trace --debug

This command will output a message like:

Exiting; no certificate found and waitforcert is disabled

Now on the puppetmaster, you should see that the following files have been regenerated, with a new request waiting in ca/requests:

[root@puppetmaster ssl]# pwd
/var/lib/puppet/ssl
[root@puppetmaster ssl]# find . -name puppetmaster*
./public_keys/puppetmaster.ordsvy.gov.uk.pem
./certificate_requests/puppetmaster.fqdn.pem
./private_keys/puppetmaster.fqdn.pem
./ca/requests/puppetmaster.fqdn.pem
[root@puppetmaster ssl]# 

Now the new request needs to be signed. To sign this certificate, on the puppetmaster do:

puppet cert sign {agent's fqdn}

This should now result in:

[root@puppetmaster ssl]# pwd
/var/lib/puppet/ssl
[root@puppetmaster ssl]# find . -name puppetmaster*
./public_keys/puppetmaster.ordsvy.gov.uk.pem
./certificate_requests/puppetmaster.ordsvy.gov.uk.pem
./private_keys/puppetmaster.ordsvy.gov.uk.pem
./ca/signed/puppetmaster.ordsvy.gov.uk.pem
[root@puppetmaster ssl]# 
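As an added check (not part of the original notes, and not a Puppet command), the shell function below reads the ssldir layout shown above and reports where a node's certificate stands: absent, pending (request waiting for a sign), signed, or mismatch (a stale local copy left over from before the clean). The ssldir and fqdn are arguments; the demo builds a constructed temporary directory with dummy files, not a real Puppet install.

```shell
# Added example, not from the original notes or from Puppet: report where a
# node's certificate stands by inspecting the ssldir layout the notes show
# (ca/requests, ca/signed, certs). Arguments: <ssldir> <node fqdn>.
# Prints exactly one word: absent, pending, signed or mismatch.
puppet_cert_state() {
  ssldir=$1
  fqdn=$2
  request="$ssldir/ca/requests/$fqdn.pem"   # CSR waiting for 'puppet cert sign'
  signed="$ssldir/ca/signed/$fqdn.pem"      # CA's copy of the signed cert
  local_cert="$ssldir/certs/$fqdn.pem"      # node's own copy, present on the node itself
  if [ -f "$signed" ]; then
    # After 'puppet cert clean' and a re-sign, a leftover local copy no longer
    # matches the CA's copy; flag that so the stale file gets replaced.
    if [ -f "$local_cert" ] && ! cmp -s "$signed" "$local_cert"; then
      echo mismatch
    else
      echo signed
    fi
  elif [ -f "$request" ]; then
    echo pending
  else
    echo absent
  fi
}

# Walk through the states using a constructed temporary ssldir and a
# placeholder fqdn; the file contents are dummies, not real PEM data.
demo_walkthrough() {
  d=$(mktemp -d)
  node=agent.example.invalid
  mkdir -p "$d/certs" "$d/ca/requests" "$d/ca/signed"
  s1=$(puppet_cert_state "$d" "$node")                      # absent
  echo "dummy CSR for $node" > "$d/ca/requests/$node.pem"
  s2=$(puppet_cert_state "$d" "$node")                      # pending
  echo "dummy cert for $node" > "$d/ca/signed/$node.pem"    # as 'puppet cert sign' would
  rm -f "$d/ca/requests/$node.pem"
  cp "$d/ca/signed/$node.pem" "$d/certs/$node.pem"
  s3=$(puppet_cert_state "$d" "$node")                      # signed
  echo "stale cert from before clean" > "$d/certs/$node.pem"
  s4=$(puppet_cert_state "$d" "$node")                      # mismatch
  rm -rf "$d"
  echo "$s1 $s2 $s3 $s4"
}

demo_walkthrough
```

Run it on a real master with `puppet_cert_state "$(puppet config print ssldir)" <fqdn>` after each step above to confirm the request moved from pending to signed.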

https://docs.puppetlabs.com/references/3.5.1/man/cert.html

On the master, do:

puppet cert clean {agent's fqdn}

Then you can redo part c.