
key rollover: puppet

Written and acked by Micah Anderson:

There are two ways to regenerate puppet certificates: via capistrano, or manually.

The capistrano method is detailed here: http://reductivelabs.com/trac/puppet/wiki/RegenerateSSL

The manual steps are as follows:

 1. Wipe and regenerate the CA on the puppetmaster ($vardir is puppet's vardir, as set in puppet.conf; the ssl directory contains subdirectories, so rm needs -r):

/etc/init.d/puppetmaster stop
rm -r $vardir/ssl/*
/etc/init.d/puppetmaster start

    However, if you are running under mongrel, do not start puppetmaster from the initscript. Instead, first stop
    the front-end web listener (apache, nginx, etc.) and then run the following, which starts puppetmasterd long
    enough to generate the new CA and then kills it:

 puppetmasterd --daemonize ; sleep 30 ; pkill -f 'ruby /usr/sbin/puppetmasterd'

 This is necessary because when running under mongrel, puppetmaster will not regenerate its CA.

 2. On each client, stop puppet and wipe the client's certs (again, -r is needed because ssl/ contains subdirectories):

/etc/init.d/puppet stop
rm -r $vardir/ssl/*

 3. Have each client request a new cert:

puppetd --onetime --debug --ignorecache --no-daemonize

 4. Once all the requests have rolled in, you can sign them all at once. Check the queue with puppetca --list first:
    --all signs every pending request, including any from a host you did not expect.

puppetca --sign --all

 5. Start up your puppet clients:

/etc/init.d/puppet start

You could also enable autosign temporarily, if you are comfortable with that; with autosign on, any host that can reach the puppetmaster gets a cert for whatever name it presents, with no review.
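The procedure above scripted end to end, as an added example that is not part of the original page or of puppet itself. It wraps the manual steps in functions for a puppet 0.24-era master and adds the one check the steps only imply: before "puppetca --sign --all", compare the pending CSR queue with a list of hosts you expect, and refuse to sign if anything else is waiting. The vardir default (/var/lib/puppet), the EXPECTED_HOSTS file, and the CSR location $vardir/ssl/ca/requests/<fqdn>.pem are assumptions, not facts stated on the page.

```shell
#!/bin/sh
# Puppet CA rollover helper (added example; not from the original page or the
# puppet project). It scripts the manual steps above and adds a review of the
# pending CSR queue before "puppetca --sign --all".
#
# Assumptions (not stated on the page):
#   PUPPET_VARDIR   puppet's vardir; /var/lib/puppet is assumed as the default
#   EXPECTED_HOSTS  a file the admin writes, one client FQDN per line
#   pending CSRs live in $vardir/ssl/ca/requests/<fqdn>.pem (puppet 0.24 layout)

PUPPET_VARDIR="${PUPPET_VARDIR:-/var/lib/puppet}"
EXPECTED_HOSTS="${EXPECTED_HOSTS:-/etc/puppet/expected-hosts}"

# Remove every key, cert and CSR under a vardir's ssl directory. The ssl
# directory holds subdirectories (ca/, certs/, private_keys/, ...), so -r is
# required; a plain "rm $vardir/ssl/*" would leave them in place.
wipe_ssl_dir() {
    rm -rf "$1/ssl"/*
}

# Print the hostnames that currently have a pending CSR, sorted, one per line.
pending_requests() {
    reqdir="$1/ssl/ca/requests"
    [ -d "$reqdir" ] || return 0
    for f in "$reqdir"/*.pem; do
        [ -f "$f" ] || continue
        basename "$f" .pem
    done | sort
}

# Compare the CSR queue with the expected-host list. Prints any hostname that
# requested a cert but is not on the list and returns 1, so a blind
# "--sign --all" never hands a cert to a host you did not put there. Expected
# hosts that have not checked in yet are reported on stderr (keep waiting).
check_requests() {
    vardir="$1"
    expected="$2"
    [ -r "$expected" ] || { echo "cannot read host list $expected" >&2; return 2; }
    pending=$(pending_requests "$vardir")
    unexpected=$(printf '%s\n' "$pending" | grep -vxF -f "$expected" || true)
    while read -r host; do
        [ -n "$host" ] || continue
        printf '%s\n' "$pending" | grep -qxF -- "$host" \
            || echo "still waiting for CSR from: $host" >&2
    done < "$expected"
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Step 1: regenerate the CA on the master (initscript variant; under mongrel
# stop the web front end and start puppetmasterd by hand as the page describes).
rollover_master() {
    /etc/init.d/puppetmaster stop
    wipe_ssl_dir "$PUPPET_VARDIR"
    /etc/init.d/puppetmaster start
}

# Steps 2-3, run on each client: wipe its certs and submit a fresh CSR.
rollover_client() {
    /etc/init.d/puppet stop
    wipe_ssl_dir "$PUPPET_VARDIR"
    puppetd --onetime --debug --ignorecache --no-daemonize
}

# Step 4, on the master: sign only after the queue has been reviewed.
sign_reviewed_requests() {
    if check_requests "$PUPPET_VARDIR" "$EXPECTED_HOSTS"; then
        puppetca --sign --all
    else
        echo "refusing to sign: unexpected CSRs listed above" >&2
        return 1
    fi
}

# Guarded so the file can be sourced for its functions without touching a
# live puppetmaster; run as: ROLLOVER_RUN=1 sh rollover.sh master|client|sign
if [ "${ROLLOVER_RUN:-}" = "1" ]; then
    case "${1:-}" in
        master) rollover_master ;;
        client) rollover_client ;;
        sign)   sign_reviewed_requests ;;
        *) echo "usage: ROLLOVER_RUN=1 $0 master|client|sign" >&2; exit 2 ;;
    esac
fi
```

The functions are plain POSIX sh so they can be sourced and tried against a scratch copy of a vardir first; check_requests exits non-zero on an unexpected hostname, which is the condition under which you want to look at the CSR by hand rather than sign the whole queue.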
