

Showing posts from 2017

Renewing Puppet CA and puppet master certificates

My two Puppet deployments are just about to turn 5 years old, and as such, the CA and puppet master certificates are just about to expire.

The documentation online seems to suggest the only way to renew these certs is to delete the /var/lib/puppet/ssl directory and let Puppet regenerate everything. That would mean reissuing the certificates of every node at the same time. Even the official Puppet docs suggest this is the way.

The way I will describe renews the CA certificate and puppetmaster certificate in a way which is still trusted by every existing host.

First, copy the important files to a new directory:

# mkdir /root/puppet_renewal
# cd /root/puppet_renewal
# mkdir /root/puppet_renewal/ca
# mkdir /root/puppet_renewal/puppetmaster
# mkdir /root/puppet_renewal/puppetmaster/private_keys
# mkdir /root/puppet_renewal/puppetmaster/certs
# cp /var/lib/puppet/ssl/ca/ca_key.pem /root/puppet_renewal/ca
# cp /var/lib/…
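The reason this approach keeps every existing host trusting the master is that the CA private key (ca_key.pem, the first file copied above) is kept and only the CA certificate is re-issued from it. The following openssl script is an added example, not code from this post or from Puppet's own tooling: in a scratch directory it builds a throwaway old CA, one agent certificate signed by it and a puppetmaster key, then re-issues the CA certificate from the same key with a new validity, signs a new puppetmaster certificate with it, and checks that the old agent certificate still verifies. For contrast it also shows that a CA certificate from a fresh key (what wiping the ssl directory amounts to) rejects the old agent certificate. The names puppet.example.com, agent01.example.com, the CA subject and all file names are assumptions; the files are stand-ins for those under /var/lib/puppet/ssl, not copies of them.

```shell
#!/bin/sh
# Added example, not from the original post. Shows with openssl why a CA
# certificate re-issued from the SAME private key keeps existing node
# certificates valid, and why a CA with a new key would not.
# Everything lives in a scratch directory; ca_key.pem, agent_crt.pem and
# puppetmaster_key.pem are throwaway stand-ins for the files under
# /var/lib/puppet/ssl (assumed names, generated here).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Puppet CA: puppet.example.com"   # assumed CA subject

# "Before" state: old self-signed CA cert, one agent cert issued by it,
# and the puppetmaster's existing private key.
make_old_pki() {
    cd "$WORK"
    openssl genrsa -out ca_key.pem 2048 2>/dev/null
    openssl req -new -x509 -key ca_key.pem -days 1 -subj "$CA_SUBJ" -out ca_crt_old.pem
    openssl genrsa -out agent_key.pem 2048 2>/dev/null
    openssl req -new -key agent_key.pem -subj "/CN=agent01.example.com" -out agent.csr
    openssl x509 -req -in agent.csr -CA ca_crt_old.pem -CAkey ca_key.pem \
        -CAcreateserial -days 365 -out agent_crt.pem 2>/dev/null
    openssl genrsa -out puppetmaster_key.pem 2048 2>/dev/null
}

# Renewal: a fresh self-signed CA cert from the EXISTING CA key with the same
# subject and a new validity period, then a new puppetmaster cert signed by it
# from the master's existing key.
# Returns 0 only if the OLD agent cert still verifies against the NEW CA cert.
renew_ca_same_key() {
    cd "$WORK"
    openssl req -new -x509 -key ca_key.pem -days 1825 -subj "$CA_SUBJ" -out ca_crt_new.pem
    openssl req -new -key puppetmaster_key.pem -subj "/CN=puppet.example.com" -out puppetmaster.csr
    openssl x509 -req -in puppetmaster.csr -CA ca_crt_new.pem -CAkey ca_key.pem \
        -CAcreateserial -days 1825 -out puppetmaster_crt.pem 2>/dev/null
    openssl verify -CAfile ca_crt_new.pem puppetmaster_crt.pem >/dev/null
    # The agent cert was signed with ca_key.pem and names the same issuer, so
    # it chains to the re-issued CA cert without being reissued itself.
    openssl verify -CAfile ca_crt_new.pem agent_crt.pem >/dev/null
}

# Contrast: a CA cert from a NEW key, which is what regenerating the ssl
# directory produces. Returns 0 if the old agent cert correctly FAILS to
# verify against it (i.e. every node would need a new certificate).
renew_ca_new_key_breaks_agents() {
    cd "$WORK"
    openssl genrsa -out ca_key_other.pem 2048 2>/dev/null
    openssl req -new -x509 -key ca_key_other.pem -days 1825 -subj "$CA_SUBJ" -out ca_crt_other.pem
    if openssl verify -CAfile ca_crt_other.pem agent_crt.pem >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

make_old_pki
renew_ca_same_key && echo "old agent cert still verifies against the renewed CA cert"
renew_ca_new_key_breaks_agents && echo "old agent cert does not verify against a CA with a new key"
```

Two caveats a practitioner should keep in mind. The check above is purely at the X.509 level; it says nothing about where Puppet expects the renewed files to live, which is what the rest of this post covers. And agents keep their own copy of the CA certificate (certs/ca.pem under the agent's ssldir), so the renewed CA certificate still has to reach every node; what key continuity buys you is that their existing keys and certificates keep working once it does.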