key rollover: puppet

To: debian-www@lists.debian.org
Cc: team@security.debian.org, micah@riseup.net
Subject: key rollover: puppet
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Thu, 15 May 2008 23:31:14 +0200
Message-id: <[🔎] 20080515213114.GD3683@galadriel.inutil.org>

Written and acked by Micah Anderson:

puppet
======

There are two methods to handle puppet certificates, one is via capistrano, the second is manually.

The capistrano method is detailed here: [98]http://reductivelabs.com/trac/puppet/wiki/RegenerateSSL

The manual steps are as follows:

 1. You need to wipe and regenerate your CA info:

/etc/init.d/puppetmaster stop
rm $vardir/ssl/*
/etc/init.d/puppetmaster start

    However, if you are running mongrel, instead of starting puppetmaster from the initscript, you will need to first stop
    the front-end web listener (apache, nginx, etc.) and then do the following:

 puppetmasterd --daemonize ; sleep 30 ; pkill -f 'ruby /usr/sbin/puppetmasterd'

 The above is necessary because for some reason when running with mongrel, puppetmaster will not regenerate its CA.

 1. Wipe all the client certs

/etc/init.d/puppet stop
rm $vardir/ssl/*

 2. Have each client request a new cert:

puppetd --onetime --debug --ignorecache --no-daemonize

 3. Once all the requests have rolled in, you can sign them all at once:

puppetca --sign --all

 4. Start up your puppet clients:

/etc/init.d/puppet start

You could also enable autosign temporarily, if you are comfortable with that.

Reply to:

Follow-Ups:
- Re: key rollover: puppet
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: krb5 / Lenny status
Next by Date: key rollover: ssl-cert
Previous by thread: Re: krb5 / Lenny status
Next by thread: Re: key rollover: puppet
Index(es):
- Date
- Thread