How to renew an agent certificate

Intended audience

sysadm members

Check the certificate expiration dates

On the puppet master (pergamon), this lists all certificates that expire within the next three months:

root@pergamon:~# puppetserver ca list --all --format json | jq ".signed|sort_by(.not_after)[]|select(.not_after <= \"$(date -d '3 months' +%Y-%m-%dT%H:%M:%S)\")"

Renew an agent certificate

On the puppet master (pergamon):

• Revoke and delete the old certificate

root@pergamon:~# puppetserver ca clean kelvingrove.internal.softwareheritage.org 2>/dev/null
Certificate for kelvingrove.internal.softwareheritage.org has been revoked
Cleaned files related to kelvingrove.internal.softwareheritage.org

On the agent (kelvingrove for this example), delete the old certificate and generate a new one:

root@kelvingrove:~# rm -r /var/lib/puppet/ssl
root@kelvingrove:~# puppet agent --test
Info: Creating a new SSL key for kelvingrove.internal.softwareheritage.org
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for kelvingrove.internal.softwareheritage.org
Info: Certificate Request fingerprint (SHA256): 81:3A:FD:83:A2:64:CA:69:E9:EF:14:91:66:24:0D:DA:E0:6F:B5:1B:44:C2:BA:62:82:C9:94:C6:1D:F8:83:2D
Info: Caching certificate for kelvingrove.internal.softwareheritage.org
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for kelvingrove.internal.softwareheritage.org
Info: Applying configuration version '1736934322'
...