How to regenerate the Puppet CA and Puppet Client certificates for Red Hat Satellite?

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Red Hat Satellite Capsule 6

Issue

  • How to regenerate the Puppet CA and Puppet Client certificates for Red Hat Satellite with Puppet 4 or Puppet 5?
  • How to regenerate the Puppet CA and Puppet Client certificates for Red Hat Satellite with Puppet 6?
  • How to regenerate the Puppet CA and Puppet Client certificates for Red Hat Satellite with Puppet 7 or Puppet 8?
  • What steps need to be followed when the Puppet CA certificates expire on the Satellite/Capsule server?

Resolution

Steps to be executed on the Satellite/Capsule (Puppet Master):

For Puppet 4 or Puppet 5

    # service puppet stop
    # for i in `puppet cert list --all | cut -d '"' -f2`; do puppet cert clean $i; done
    # service puppetserver stop
    # rm -rf /etc/puppetlabs/puppet/ssl/*
    # puppet master --no-daemonize --verbose
    (Wait until you see: "Notice: Starting Puppet master version 5.5.0", then press Ctrl+C)
    # service puppetserver start
    # service puppet start

For Puppet 6

    # service puppet stop
    # for i in `puppetserver ca list --all | tail -1 | awk '{print $1}'`; do puppetserver ca clean --certname $i; done

    --> The above command may fail with an SSL error, but continue with the rest of the steps.

    # service puppetserver stop
    # rm -rf /etc/puppetlabs/puppet/ssl/*
    # puppetserver ca setup
    (Wait until you see: "Generation succeeded. Find your files in /etc/puppetlabs/puppet/ssl/ca")
    # service puppetserver start
    # service puppet start

For Puppet 7 or Puppet 8

   1. Create a backup of the CA directory under `/etc/puppetlabs/puppetserver` and of the SSL directory under `/etc/puppetlabs/puppet`:

    ```
     # cp -a /etc/puppetlabs/puppetserver/ca /etc/puppetlabs/puppetserver/ca.backup_before_creating_new_CA
     # cp -a /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/ssl.backup_before_creating_new_CA
    ```

   2. Ensure `puppetserver` is stopped and delete all files that may contain references to the old CA:

    ```
     # systemctl stop puppetserver
     # rm -fr /etc/puppetlabs/puppetserver/ca/*
     # rm -fr /etc/puppetlabs/puppet/ssl/*
    ```

   3. Generate the new CA and start the service:

    ```
     # puppetserver ca setup
     # systemctl start puppetserver
    ```


Steps to be executed on every existing client host that has the Puppet agent configured:

  • For a Red Hat Enterprise Linux 7 client host registered with the Satellite/Capsule, execute the following commands:

     # rm -rf /etc/puppetlabs/puppet/ssl/*
     # systemctl restart puppet
     # puppet agent -tv

  • For a Red Hat Enterprise Linux 8 (or later) client host registered with the Satellite/Capsule, execute the following commands:

     # rm -rf /opt/puppetlabs/puppet/cache/ssl/* /etc/puppetlabs/puppet/ssl/*
     # systemctl restart puppet
     # puppet agent -tv

  • The same steps can be applied to Puppet 4 as well.


For more KB articles/solutions related to Red Hat Satellite 6.x Puppet Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Puppet Issues.

Root Cause

  • Expired or corrupted Puppet CA certificates on the Satellite or Capsule.

Diagnostic Steps

  • The Satellite will have entries like the following in its /var/log/messages log file:

    Jun 23 15:01:10 sathostname puppet-agent[1831]: The certificate 'CN=Puppet CA: sathostname.example.com' has expired, verify time is synchronized
    
  • Run the following command on the Satellite or Capsule to check the validity of the Puppet CA certificate:

     # openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -dates -noout
    
  • Run the following commands on a client to check the validity of the Puppet CA certificate and the client certificate:

     # openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -dates -noout
     # openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/`hostname -f`.pem -dates -noout

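The two checks above can be turned into a small triage step that decides which part of the Resolution applies. The following is an added example, not part of this solution: it parses the output of `openssl x509 -dates -noout` and the "has expired" puppet-agent line from /var/log/messages (both constructed here as sample data, with made-up dates and hostnames), and the status labels and function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Jun 23 15:01:10 2024 GMT"
EXPIRED_RE = re.compile(r"The certificate '(?P<subject>[^']+)' has expired")
# Constructed samples (made-up dates/hostnames) shaped like the real openssl and /var/log/messages output.
SAMPLE_CA_DATES = "notBefore=Jun 23 15:01:10 2019 GMT\nnotAfter=Jun 22 15:01:10 2024 GMT\n"
SAMPLE_AGENT_DATES = "notBefore=Jan  5 08:00:00 2021 GMT\nnotAfter=Jan  4 08:00:00 2026 GMT\n"
SAMPLE_MESSAGES = [
    "Jun 23 15:01:10 sathostname puppet-agent[1831]: The certificate "
    "'CN=Puppet CA: sathostname.example.com' has expired, verify time is synchronized",
    "Jun 23 15:02:10 sathostname puppet-agent[1831]: Applied catalog in 4.21 seconds",
]

def as_utc(when):
    """Accept an aware datetime or an ISO date string such as '2024-07-01'; return aware UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Return (notBefore, notAfter) from `openssl x509 -dates -noout` output; openssl prints GMT."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            fields[key] = datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def cert_status(dates_text, now, warn_days=30):
    """One of valid / expiring-soon / expired / not-yet-valid for a single certificate."""
    now, (not_before, not_after) = as_utc(now), parse_openssl_dates(dates_text)
    if now < not_before:
        return "not-yet-valid"  # usually clock skew: the agent log itself says to verify time sync
    if now >= not_after:
        return "expired"
    return "expiring-soon" if not_after - now <= timedelta(days=warn_days) else "valid"

def triage(ca_dates_text, agent_dates_text, now):
    """Which Resolution section applies: an expired CA invalidates every agent cert it signed, so master first."""
    ca, agent = cert_status(ca_dates_text, now), cert_status(agent_dates_text, now)
    if ca in ("expired", "not-yet-valid"):
        return "regenerate-ca-on-master-then-reset-clients"
    if agent in ("expired", "not-yet-valid"):
        return "reset-client-ssl-dir"
    return "ok" if ca == agent == "valid" else "plan-renewal"

def expired_subjects(log_lines):
    """Certificate subjects named in 'has expired' puppet-agent log lines (non-matching lines are skipped)."""
    return [m.group("subject") for m in map(EXPIRED_RE.search, log_lines) if m]
```

In practice, feed `cert_status` the captured output of the two openssl commands and `datetime.now(timezone.utc)`; a `not-yet-valid` result on a freshly regenerated CA usually points at clock skew rather than a bad certificate.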

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.