So your puppet certificate has expired?

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive
 
Details
Category: Blog
Published: Friday, 25 November 2022 11:31
Written by Lars Berntzon
Hits: 1039

Puppet server uses two certificates/keys, one certificate authority (CA), that is used for signing the clients certificates, and one for the web services. Both of them will expire sometime.
In this article I assume that all your puppet certs and keys are located somewhere under /etc/puppetlabs/puppet/ssl.

Under the ca-subfolder the CA-certs are stored in the as:
ca_crt.pem: The CA cert
ca_key.pem: The CA private key that corresponds to the cert.

Under the certs-subfolder you will se:
ca.pem: A copy of the CA cert
<servername>.pem: Cert of web service

Under private_keys-subfolder you will see:
<servername>.pem: Private key that belongs to the server cert.

If you use foreman, it is also usually configured to use the same certificates places.

Before you continue you will need to have openssl and XCA installed (XCA is a super nice certificate management tool: https://hohnstaedt.de/xca/)

To check if your certs has expired, install openssl and run (for CA in this example):

bash$ openssl x509 -in ca_crt.pem -enddate

In XCA, import the keys above under the tab "Private Keys", and then import the certs under the tab "Certificates". Here you will also see a nice view of dates and other info.

If only your server cert has expired you can just renew that one by right-clicking it and choose renewal. Select new expiry date and export it and copy the file to /etc/puppetlabs/puppet/ssl/certs/<servername>.pem (sometimes certs are also named .crt, what ever your system uses).

If you CA has expired things is more troublesome and will require changes on all managed clients.
First you need to renew your CA-cert. Make sure to re-use the same serial number since that might be included in its self-signing. Export the cert and verify that it is indeed a self-signed certificate with:
openssl verify -CAfile new-ca-cert.pem new-ca-cert.pem

I had problems with this since the original cert used its DN and Serial number for signing. If you get the error message:
"unable to get local issuer certificate"
you most likely have a problem with the serial number. Then instead create a completely new CA-cert wich XCA as:

1. On the first tab choose "Create self signed certificate". Select CA as template and click "Apply all".
2. On the second tab "Subject", enter common name to be the exact common name as the old certificate.
3. Click in "Used keys too" and make sure to select the original private key for the CA - if this is not done, everything will fail.
4. Under extensions also click in "Authority Key Identifier" - this will also cause everything to fail if not done.
5. Make sure to select a expiration date far in the future.
6. OK

Now export this cert and store it under /etc/puppetlabs/puppet/ssl/. as both ./ca/ca_crt.pem and as ./certs/ca.pem

Make some checks (running under /etc/puppetlabs/puppet/ssl):
1. Check that the output from "openssl rsa -in ca/ca_key.pem -noout -modulus" and "openssl x509 -in ca/ca_crt.pem -noout -modulus" show the same modulus
2. Make the same comparising for the server key and cert.
3. Verify the server cert with: openssl verify -CAfile certs/ca.pem certs/<servername>.pem

Restart puppetmaster and if you run foreman also apache2, foreman and foreman-proxy.

Sadly, if you renewed the CA-certificate you also need to copy the ca_crt.pem to all clients to replace their file /etc/puppetlabs/puppet/ssl/certs/ca.pem

Things should work by now.

Im considering myself to have one extra cronjob on all clients that will download this ca.pem from a known https location regularly. This might or might not be a security risk though.