If your Puppet infrastructure has been in operation for a few years, you're probably approaching the expiration date of your CA certificate. Puppet relies on its internal PKI to communicate securely between agents and masters, and if the CA certificate expires, your Puppet infrastructure is going to come to a screeching halt. By default Puppet generates certificates with a lifetime of 5 years, so if you're coming up on this date you'll want to start thinking about regenerating your CA certificate. Regenerating all certificates in an average Puppet installation would be a great deal of work and would mean a lot of downtime; fortunately we've got a better solution.

We're pleased to announce the first public release of the puppetlabs-certregen module. The certregen module provides an easy way to regenerate and distribute expiring CA certificates with zero downtime. When you regenerate your CA certificate with the certregen module your existing CA key pair is reused. The regenerated CA certificate is effectively equivalent to the expiring CA certificate and preserves the validity of your existing certificates, so you can update and distribute your new CA certificate with no downtime.

We'd like to thank the Puppet Customer Success team and especially Zack Smith for testing and documenting the migration process that this module is based on.

The CHANGELOG can be found here:
https://github.com/puppetlabs/puppetlabs-certregen/blob/master/CHANGELOG.md

The Puppet Forge module can be found here:
https://forge.puppet.com/puppetlabs/certregen

Installation and usage instructions can be found here:
https://github.com/puppetlabs/puppetlabs-certregen/blob/master/README.markdown

To track issues related to this release or report issues, see the certregen component of the MODULES JIRA project:
https://tickets.puppetlabs.com/browse/MODULES/component/20300/

--
Adrien Thebo | Puppet
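
The property the announcement relies on (same CA key pair, new validity window, existing certificates stay valid) can be checked with the openssl CLI. This is an added example, not part of the original announcement and not certregen's own code; the CA name, agent name, lifetimes and file paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: every name, lifetime and path below is made up.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Example CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

# Self-signed CA cert from an existing key: $1 key file, $2 days, $3 output.
make_ca_cert() {
  openssl req -x509 -new -config "$WORK/ca.cnf" -key "$1" -days "$2" -out "$3" 2>/dev/null
}

# Verify the agent cert against CA file $1 as of "now + $2 days".
verify_agent() {
  at=$(( $(date +%s) + $2 * 86400 ))
  openssl verify -attime "$at" -CAfile "$1" "$WORK/agent.crt" >/dev/null 2>&1
}

build_demo() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  make_ca_cert "$WORK/ca.key" 1 "$WORK/ca_old.crt"      # CA cert about to expire
  # Agent cert issued under the old CA cert, valid well past the CA's expiry.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=agent.example.test" -keyout "$WORK/agent.key" -out "$WORK/agent.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/agent.csr" -CA "$WORK/ca_old.crt" -CAkey "$WORK/ca.key" \
    -set_serial 2 -days 30 -out "$WORK/agent.crt" 2>/dev/null
  # Regenerated CA cert: same key and subject, new validity window.
  make_ca_cert "$WORK/ca.key" 3650 "$WORK/ca_new.crt"
  # Contrast case: same subject, but a brand-new CA key pair.
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  make_ca_cert "$WORK/other.key" 3650 "$WORK/ca_rekeyed.crt"
}

build_demo
for ca in ca_old ca_new ca_rekeyed; do
  for day in 0 2; do
    if verify_agent "$WORK/$ca.crt" "$day"; then r=valid; else r=REJECTED; fi
    echo "$ca.crt, now+${day}d: agent cert $r"
  done
done
```

The agent certificate is never reissued: only the CA file the verifier trusts changes, which is why distributing the regenerated CA certificate is enough, while a CA certificate built on a new key pair would invalidate every existing certificate.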