David Sandilands for puppet


Puppet certificate renewals

After a number of customer sessions it was apparent that there are several places and tools that can be used to handle Puppet certificates, and that it would be useful to have a written summary to step through. This article summarises what we need to do to keep Puppet certificates in date.

In summary:

  • We must understand when our Console Certificate and SAML certificates will expire and renew them in advance (PE only)

  • We must understand when our Certificate Authority (CA) will expire and renew it in advance

  • When we renew our CA we must distribute that new CA to both clients and integrations.

  • Separately, all clients, including the Primary itself, have a signed agent certificate which expires on its own schedule and must be renewed in advance.

Console and SAML expiry

For Puppet-generated console and SAML certificates, expiry is every 824 days. The article regenerate console certificate (https://www.puppet.com/docs/pe/latest/regenerate_console_cert) covers how to check the expiry date as well as how to delete the current console certificate and replace it with a Puppet run, while regenerate SAML certificate covers the same for SAML if you have configured it.

If you are using a custom console certificate, you will ultimately replace the expiring certificate as described in the custom SSL certificate for console article.

CA expiry

For Primaries built pre-Puppet 6 the CA would have a 5 year expiry period; we would now extend this to 20 years, as Puppet 6 and onwards does.

This expiry date is visible at https://primary.example.com/#/certificates/certs, using the pe_status_check module's S0005 fact status check, or using the CA_extend module's check_ca_expiry task.

When it needs to be renewed we recommend using the CA_extend module's extend_ca_cert plan.

Following this, the new CA should be distributed to all agents using the CA_extend module's upload_ca_cert plan, or by simply running a script on each agent which deletes / moves the old CA at C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\ca.pem (Windows) or /etc/puppetlabs/puppet/ssl/certs/ca.pem (*nix) and then runs puppet agent -t. This will request the new CA from the Puppet primary.
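As an added example (not from the article, and not part of the CA_extend module), here is a POSIX shell script that performs the per-agent step described above on a *nix agent. It moves the cached ca.pem aside with a timestamped backup rather than deleting it, so the old CA can be restored if the agent cannot reach the primary, and then runs puppet agent -t, treating exit code 2 (changes applied) as success. The SSLDIR and PUPPET_BIN defaults are assumptions and can be overridden via the environment.

```shell
#!/bin/sh
# Added example (not from the article): refresh the cached CA on a *nix Puppet agent.
set -eu

# Assumed defaults; override with environment variables, e.g. for a test run.
SSLDIR="${SSLDIR:-/etc/puppetlabs/puppet/ssl}"
PUPPET_BIN="${PUPPET_BIN:-/opt/puppetlabs/bin/puppet}"

# Move certs/ca.pem under the given ssldir aside, keeping a timestamped backup so the
# old CA can be restored if the agent cannot reach the primary afterwards.
# Prints the backup path; a missing ca.pem is not an error (nothing to rotate).
rotate_ca() {
  ca="$1/certs/ca.pem"
  if [ ! -f "$ca" ]; then
    echo "no cached CA at $ca, nothing to rotate" >&2
    return 0
  fi
  backup="$ca.$(date +%Y%m%d%H%M%S).bak"
  mv "$ca" "$backup"
  echo "$backup"
}

# Run the agent once. With no ca.pem present the agent fetches the CA bundle from the
# primary before doing anything else. puppet agent -t exits 2 when it applied changes,
# so 0 and 2 both count as success; anything else is reported and returned.
refresh_agent() {
  rc=0
  "$PUPPET_BIN" agent -t || rc=$?
  case "$rc" in
    0|2) return 0 ;;
    *)   echo "puppet agent -t failed with exit code $rc" >&2; return "$rc" ;;
  esac
}

# Only act when a puppet binary is actually present on this host.
if [ -x "$PUPPET_BIN" ]; then
  rotate_ca "$SSLDIR"
  refresh_agent
fi
```

Keeping the backup rather than deleting ca.pem matters on hosts where the agent run might fail part way through: if the new CA is never fetched, moving the backup back to certs/ca.pem restores the previous working state until the distribution is retried.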

Integrations

For CD4PE, steps 4 to 6 of CD4PE manually configure PE integration should be followed to obtain the new CA and copy and paste it into the Puppet integration page.

Signed agents

We would recommend upgrading to Puppet 8, which automates this step as shown in the blog article, but agents pre-Puppet 8 will by default have a 5 year expiry. There are multiple ways to search for agents about to expire. The CA_extend module has a check_agent_expiry task (this reports a default period of within 3 months, but can be adjusted), and the pe_status_check module has the AS001 fact status check, which combined with a PQL search will allow you to find all agents expiring. As per the doc example: puppet query 'inventory[certname] { facts.agent_status_check.AS001 = false }'

The command to renew agents can be run via puppet infra run regenerate_agent_certificate, or via the enterprise task plan enterprise_tasks::agent_cert_regen; both can be fed by a query such as: puppet plan run enterprise_tasks::agent_cert_regen agent=$(puppet query 'inventory[certname] { facts.agent_status_check.AS001 = false }' | jq -r '.[].certname' | paste -sd, -) master=$(puppet config print certname)

Hopefully this has pulled together all the information you need to keep ahead of certificate expiry and put in place suitable automation.
