Renewing Puppet CA and puppet master certificates
My two Puppet deployments are just about to turn 5 years old, and as such, the CA and puppet master certificates are just about to expire.
The documentation online seems to suggest the only way to renew these certs is by deleting the /var/lib/puppet/ssl directory and getting Puppet to regenerate them. This would mean renewing the certificates of every node at the same time. Even the official Puppet docs suggest this is the way to do it (https://docs.puppet.com/puppet/3.7/ssl_regenerate_certificates.html).
The way I will describe renews the CA certificate and puppetmaster certificate, reusing the existing keys, so that the result is still trusted by every existing host.
- First, copy the important files to a new directory
- Get the important information from the existing CA and puppet master certificate
- Make the openssl config file
- Make a CSR using your existing CA key, and make the new CA cert
- Find the next serial number for the existing CA
- Make a CSR using your existing puppet server key, and make the new puppet server certificate
# mkdir /root/puppet_renewal
# cd /root/puppet_renewal
# mkdir /root/puppet_renewal/ca
# mkdir /root/puppet_renewal/puppetmaster
# mkdir /root/puppet_renewal/puppetmaster/private_keys
# mkdir /root/puppet_renewal/puppetmaster/certs
# cp /var/lib/puppet/ssl/ca/ca_key.pem /root/puppet_renewal/ca
# cp /var/lib/puppet/ssl/private_keys/mypuppetmaster.mydomain.pem /root/puppet_renewal/puppetmaster/private_keys
# openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -subject
subject= /CN=Puppet CA: mypuppetmaster.mydomain
# openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -serial
serial=01
# openssl x509 -in /var/lib/puppet/ssl/certs/mypuppetmaster.mydomain.pem -noout -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                9B:17:02:F9:36:44:C7:42:F9:67:45:70:55:C2:AD:FB:6F:83:2B:0A
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:mypuppetmaster.mydomain, DNS:puppet, DNS:puppet.mydomain
# cat << EOF > /root/puppet_renewal/renewpuppet.cnf
[ v3_ca ]
basicConstraints= CA:TRUE
subjectKeyIdentifier= hash
#authorityKeyIdentifier= keyid:always,issuer:always
keyUsage = critical, cRLSign, keyCertSign
nsComment = 'Puppet Ruby/OpenSSL Internal Certificate'
[ v3 ]
basicConstraints= CA:FALSE
subjectKeyIdentifier= hash
nsComment = 'Puppet Ruby/OpenSSL Internal Certificate'
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mypuppetmaster.mydomain
DNS.2 = puppet
DNS.3 = puppet.mydomain
EOF
# openssl req -out /root/puppet_renewal/ca/ca_new.csr -key /root/puppet_renewal/ca/ca_key.pem -new -batch -subj "/CN=Puppet CA: mypuppetmaster.mydomain"
# openssl x509 -req -days 3650 -in /root/puppet_renewal/ca/ca_new.csr -signkey /root/puppet_renewal/ca/ca_key.pem -out /root/puppet_renewal/ca/ca_crt.pem -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3_ca -set_serial 1
# echo $((0x`cat /var/lib/puppet/ssl/ca/serial`))
603
# openssl req -out /root/puppet_renewal/mypuppetmaster.csr -key /root/puppet_renewal/puppetmaster/private_keys/mypuppetmaster.mydomain.pem -new -batch -subj "/CN=mypuppetmaster.mydomain"
# openssl x509 -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3 -req -days 1825 -in /root/puppet_renewal/mypuppetmaster.csr -CA /root/puppet_renewal/ca/ca_crt.pem -CAkey /root/puppet_renewal/ca/ca_key.pem -CAcreateserial -out /root/puppet_renewal/puppetmaster/certs/mypuppetmaster.mydomain.pem -sha256 -set_serial 603
# /etc/init.d/httpd stop
# cp /root/puppet_renewal/ca/ca_crt.pem /var/lib/puppet/ssl/ca/ca_crt.pem
# cp /root/puppet_renewal/ca/ca_crt.pem /var/lib/puppet/ssl/certs/ca.pem
# cp /root/puppet_renewal/puppetmaster/certs/mypuppetmaster.mydomain.pem /var/lib/puppet/ssl/certs/mypuppetmaster.mydomain.pem
# /etc/init.d/httpd start
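Added example, not part of the original post: a shell rehearsal of the procedure above against a throwaway CA in a temp directory, so the properties the renewal depends on can be checked before touching a live master. It assumes only openssl(1); the CA and master names are the ones used above, and every key, cert and the serial file it creates are constructed on the fly (the "old" CA cert stands in for ca/ca_crt.pem and the agents' certs/ca.pem). It checks that the old and new CA certs share a public key, that the new master cert verifies against both the new and the old CA cert, that the SANs and serial from the extfile and -set_serial came through, and, as a counter-example, that a master cert issued by a fresh CA key (what deleting /var/lib/puppet/ssl would produce) is rejected by a host that still holds the old CA cert.

```shell
#!/bin/sh
# Rehearsal of the Puppet CA / master renewal (added example, not the post's
# own commands). Everything is constructed in a temp dir. Requires openssl(1).

# Next serial the CA will issue, read from a Puppet-style hex serial file
# (the same arithmetic as the post's echo $((0x...)) step).
next_serial() {
    echo $((0x$(cat "$1")))
}

renewal_rehearsal() {
    work=$(mktemp -d) || return 1
    cnf="$work/renewpuppet.cnf"
    ca_subj="/CN=Puppet CA: mypuppetmaster.mydomain"

    # Extension config as in the post, plus a minimal [req] section so that
    # "openssl req" does not depend on the system openssl.cnf. No
    # authorityKeyIdentifier: agents then match the issuer by name and key only.
    cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, cRLSign, keyCertSign
[ v3 ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mypuppetmaster.mydomain
DNS.2 = puppet
DNS.3 = puppet.mydomain
EOF

    # Constructed "existing" deployment: CA key, a short-lived old CA cert
    # (what agents still hold as certs/ca.pem), master key and a serial file.
    openssl genrsa -out "$work/ca_key.pem" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -config "$cnf" -key "$work/ca_key.pem" -subj "$ca_subj" \
        -out "$work/ca.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$work/ca.csr" -signkey "$work/ca_key.pem" \
        -extfile "$cnf" -extensions v3_ca -set_serial 1 -out "$work/ca_old.pem" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$work/master_key.pem" 2048 >/dev/null 2>&1 || return 1
    printf '025B' > "$work/serial"          # constructed: hex for 603
    serial=$(next_serial "$work/serial")

    # The renewal itself: SAME keys, new CA cert, new master cert.
    openssl x509 -req -days 3650 -in "$work/ca.csr" -signkey "$work/ca_key.pem" \
        -extfile "$cnf" -extensions v3_ca -set_serial 1 -out "$work/ca_new.pem" >/dev/null 2>&1 || return 1
    openssl req -new -config "$cnf" -key "$work/master_key.pem" -subj "/CN=mypuppetmaster.mydomain" \
        -out "$work/master.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1825 -sha256 -in "$work/master.csr" -CA "$work/ca_new.pem" \
        -CAkey "$work/ca_key.pem" -extfile "$cnf" -extensions v3 -set_serial "$serial" \
        -out "$work/master_new.pem" >/dev/null 2>&1 || return 1

    # Check 1: old and new CA certs carry the same public key.
    old_pub=$(openssl x509 -in "$work/ca_old.pem" -noout -pubkey) || return 1
    new_pub=$(openssl x509 -in "$work/ca_new.pem" -noout -pubkey) || return 1
    [ "$old_pub" = "$new_pub" ] || return 1

    # Check 2: the new master cert chains to the new CA cert (master side) AND
    # to the old CA cert (what every existing agent still trusts).
    openssl verify -CAfile "$work/ca_new.pem" "$work/master_new.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$work/ca_old.pem" "$work/master_new.pem" >/dev/null 2>&1 || return 1

    # Check 3: SANs and serial came through -extfile / -set_serial.
    openssl x509 -in "$work/master_new.pem" -noout -text | grep -q 'DNS:puppet.mydomain' || return 1
    [ "$(openssl x509 -in "$work/master_new.pem" -noout -serial)" = "serial=025B" ] || return 1

    # Counter-example: a CA with a FRESH key but the same name (what deleting
    # the ssl dir gives you) issues a master cert that old-CA holders reject.
    openssl genrsa -out "$work/fresh_key.pem" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -config "$cnf" -key "$work/fresh_key.pem" -subj "$ca_subj" \
        -out "$work/fresh.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$work/fresh.csr" -signkey "$work/fresh_key.pem" \
        -extfile "$cnf" -extensions v3_ca -set_serial 1 -out "$work/ca_fresh.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$work/master.csr" -CA "$work/ca_fresh.pem" -CAkey "$work/fresh_key.pem" \
        -extfile "$cnf" -extensions v3 -set_serial 604 -out "$work/master_bad.pem" >/dev/null 2>&1 || return 1
    if openssl verify -CAfile "$work/ca_old.pem" "$work/master_bad.pem" >/dev/null 2>&1; then return 1; fi

    rm -rf "$work"
    return 0
}

renewal_rehearsal && echo "renewal rehearsal: all checks passed"
```

The second openssl verify is the one that matters operationally: nothing in the procedure replaces the old CA cert that agents hold in certs/ca.pem, so the renewed master cert stays acceptable to them only while that old CA cert is still within its validity period, which is why this has to happen before expiry rather than after. Two things worth confirming on the real master after the run: the value read from ca/serial is the number Puppet would hand to the next certificate it signs, and the renewed master cert has now taken it, so check that the next cert Puppet issues does not reuse serial 603 (a CA must never issue two certificates with the same serial); and run openssl verify with the agents' ca.pem against the new master cert exactly as the script does.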