AnsweredAssumed Answered

How to renew Puppet CA and Agent Certificates in 10.6.6.1

Question asked by David Waugh on Sep 24, 2019
Latest reply on Sep 25, 2019 by James Moon
  • Comment3

Hello our Netwitness infrastructure is getting quite old and was installed over 5 years ago.

As a result the Puppet CA certificate and all the agent certificates are due to expire in about 2 months time.

 

When running puppet agent -t I get the error:

 

Info: Loading facts
Info: Retrieving pluginfacts
Warning: Certificate 'Puppet CA: 7e76ca89-a38d-4759-a5ad-cbabdd122b4a' will expire on 2019-11-16T13:53:56GMT
Warning: Certificate '7e76ca89-a38d-4759-a5ad-cbabdd122b4a' will expire on 2019-11-16T13:53:57GMT
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for 7e76ca89-a38d-4759-a5ad-cbabdd122b4a
Info: Applying configuration version '1569293923'

 

Similar messages are seen on all the devices in our Netwitness infrastructure.

What are the steps needed to renew the CA and the agent certificates?

 

Note: I am aware that 10.6.6.1 is end of life in October, but it is still currently supported . Thanks for your help.

David Waugh
David Waugh Sep 25, 2019 5:29 AM
Correct Answer

Hi James,

 

I followed the steps at:

 

https://arrfab.net/posts/2019/Apr/29/renewextend-puppet-capuppetmasterd-certs/

 

as recommended and this replaced the CA Certificate.

 

I then had to replace the puppet agent certificate on the same server.

 

I replaced this with

 

puppet cert clean <node_id>

followed by deleting the existing client certificate under /var/lib/puppet/ssl/certs/

 

I then reran puppet agent -t

Which generated a new certificate

 

I then ran puppet cert sign --all

 

This then got everything working.

 

It looks like it was just the SA Server and CA that had a certificate running out. The others are good until 2022 so I can live with that.

 

Thanks for your help.

See the reply in context
No one else had this question

Outcomes