key rollover: puppet
Written and acked by Micah Anderson:
puppet
======
There are two ways to regenerate puppet certificates: with capistrano, or manually.
The capistrano method is detailed here: http://reductivelabs.com/trac/puppet/wiki/RegenerateSSL
The manual steps are as follows:
1. Wipe and regenerate the CA on the puppetmaster:

    /etc/init.d/puppetmaster stop
    rm $vardir/ssl/*
    /etc/init.d/puppetmaster start

   If you are running mongrel, do not start puppetmaster from the initscript. Instead, first stop the front-end web listener (apache, nginx, etc.) and then run:

    puppetmasterd --daemonize ; sleep 30 ; pkill -f 'ruby /usr/sbin/puppetmasterd'

   This is necessary because, for some reason, puppetmaster will not regenerate its CA when running under mongrel.
2. Wipe all the client certs (on each client):

    /etc/init.d/puppet stop
    rm $vardir/ssl/*

3. Have each client request a new cert:

    puppetd --onetime --debug --ignorecache --no-daemonize

4. Once all the requests have rolled in, sign them all at once on the puppetmaster:

    puppetca --sign --all

5. Start up your puppet clients:

    /etc/init.d/puppet start

You could also enable autosign temporarily, if you are comfortable with that.