Regenerate certs for PuppetDB
The major components of Puppet Enterprise (the Puppet master, PuppetDB, and PE console) contain SSL certificates and security credentials (private and public keys) that are generated by PE’s built-in certificate authority (CA). Should the need arise, you can regenerate the certificates and security credentials (private and public keys) generated for PuppetDB.
You can regenerate all certificates for the PuppetDB only, including the certificates and keys for associated services running on PuppetDB.
If you’ve experienced an unforeseen security vulnerability and need to regenerate all the certificates and security credentials in your infrastructure, refer to Regenerating certs and security credentials in split Puppet Enterprise deployments for complete instructions. Further, this procedure applies to split installations only. On monolithic installs, PuppetDB shares an agent cert and security credentials with the Puppet master and the PE console. For a monolithic install, you must regenerate all certs and security credentials.
Regenerating certificates and security credentials for PuppetDB involves the following steps:
- Back up SSL directories on the PuppetDB server
- Shut down all PE-related services on the PuppetDB server
- Clear and regenerate the Puppet agent certs for the PuppetDB server
- Copy the new certs and security credentials to the appropriate directory and set permissions
- Restart all PE-related services on the PuppetDB server
Before you begin, review the following information:
You must be logged in as a root, (or in the case of Windows agents, as an account with Administrator Privileges) to make these changes.
If you encounter any errors during steps that involve
chmodcommands, you should diagnose these before continuing, as the success each step is very important to the success of the next step.
In the following instructions, when
<CERTNAME>is used, it refers to the Puppet master’s certname. To find this value, run
puppet config print certnamebefore starting.
Unless otherwise indicated, all commands are run on the PuppetDB server.
On PuppetDB, back up the following directories:
On PuppetDB, shut down all PE-related services with the following commands:
puppet resource service puppet ensure=stopped puppet resource service pe-puppetdb ensure=stopped puppet resource service pe-postgresql ensure=stopped puppet resource service mcollective ensure=stopped
On PuppetDB, delete the Puppet agent’s SSL cert and security credentials.
rm -rf /etc/puppetlabs/puppet/ssl/*
On the Puppet master, or CA server, remove the cert for the PuppetDB node.
puppet cert clean <PUPPETDB CERTNAME>
On the Puppet master, remove the cached catalog.
rm -f /opt/puppetlabs/puppet/cache/client_data/catalog/<CERTNAME>.json
On PuppetDB, generate security credentials and request a new certificate from the CA Puppet master. These certs will end up in
puppet agent --test --no-daemonize --noop
Note: This agent run will not complete successfully, but it is necessary to set up the agent certificate for the PuppetDB node. You will see some errors about node definition and the inability to submit facts due to PuppetDB being offline. You can ignore these.
On PuppetDB, delete puppetDB’s SSL cert and security credentials.
rm -rf /etc/puppetlabs/puppetdb/ssl/*
On PuppetDB, copy the Puppet agent’s certs and security credentials to the PuppetDB SSL directory.
cp /etc/puppetlabs/puppet/ssl/certs/<CERTNAME>.pem /etc/puppetlabs/puppetdb/ssl/<CERTNAME>.cert.pem cp /etc/puppetlabs/puppet/ssl/public_keys/<CERTNAME>.pem /etc/puppetlabs/puppetdb/ssl/<CERTNAME>.public_key.pem cp /etc/puppetlabs/puppet/ssl/private_keys/<CERTNAME>.pem /etc/puppetlabs/puppetdb/ssl/<CERTNAME>.private_key.pem
On PuppetDB, create PuppetDB’s .pk8 cert.
cd /etc/puppetlabs/puppetdb/ssl openssl pkcs8 -topk8 -inform PEM -outform DER -in /etc/puppetlabs/puppetdb/ssl<CERTNAME>.private_key.pem -out /etc/puppetlabs/puppetdb/ssl<CERTNAME>.private_key.pk8 -nocrypt chown -R pe-puppetdb:pe-puppetdb /etc/puppetlabs/puppetdb/ssl
On PuppetDB, clear the certs and security credentials from the PostgreSQL certs directory.
rm -rf /opt/puppetlabs/server/data/postgresql/9.4/data/certs/*
On PuppetDB, copy the certs and security credentials to the PostgreSQL certs directory.
cp /etc/puppetlabs/puppet/ssl/certs/<CERTNAME>.pem /opt/puppetlabs/server/data/postgresql/9.4/data/certs/_local.cert.pem cp /etc/puppetlabs/puppet/ssl/private_keys/<CERTNAME>.pem /opt/puppetlabs/server/data/postgresql/9.4/data/certs/_local.private_key.pem chmod 400 /opt/puppetlabs/server/data/postgresql/9.4/data/certs/* chown pe-postgres:pe-postgres /opt/puppetlabs/server/data/postgresql/9.4/data/certs/*
On PuppetDB, restart all PE-related services with the following commands:
puppet resource service puppet ensure=running puppet resource service pe-puppetdb ensure=running puppet resource service pe-postgresql ensure=running puppet resource service mcollective ensure=running