Unfortunately that particular docs page was incorrectly updated for Puppet 6. If you are running Puppet 6 master AND agents, you can regenerate your CA by using `puppetserver ca setup`. This creates a basic intermediate CA with a self-signed root and a CA signing cert. It will also create a new cert for your puppet master. You can read more about this model here: https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html, and more about the new `puppetserver ca` subcommand here: https://puppet.com/docs/puppetserver/6.0/subcommands.html#ca.
However, please note that if you still have some Puppet 5 agents, you'd be better off just restarting Puppet Server, which will generate a new non-intermediate CA (a self-signed root that also is the CA signing cert that issues node certificates). Puppet 5 agents do not properly support the intermediate CA setup without manual intervention.

Whichever route you take to regenerate your CA and master cert, you will also need to regenerate the certs for your agents. This can be accomplished by starting Puppet Server, deleting the SSL dir on each agent node (and puppetdb), then running `puppet agent -t` to submit a signing request to the server. On a Puppet 6 master, use `puppetserver ca sign --certname <node's certname>` to sign the cert, followed by another `puppet agent -t` on the agent to retrieve it.

We made a series of major CA improvements in Puppet 6, which you can read about in the release notes here <https://puppet.com/docs/puppetserver/6.0/release_notes.html> and here <https://puppet.com/docs/puppet/6.0/release_notes.html>. While updating the docs for this release, we realized that a major overhaul of the CA and SSL docs was needed, as many of them haven't been touched since the release of Puppet 4. We are in the process of getting that written and published now. We really appreciate feedback like this to help us identify spots that are still wrong or confusing.

Please let me know if anything in here doesn't work right for you!

Maggie

On Mon, Oct 22, 2018, 5:48 AM Bret Wortman <bret.wort...@damascusgrp.com> wrote:

> Out of curiosity, I updated the server to 6.0.1. No change.
>
> On Monday, October 22, 2018 at 7:25:10 AM UTC-4, Bret Wortman wrote:
>>
>> We had an issue where someone removed our puppet server's ssl directory,
>> so we need to regenerate all our certs. I'm following the instructions at
>> https://puppet.com/docs/puppet/6.0/ssl_regenerate_certificates.html but
>> am having difficulties:
>>
>> # puppetserver ca list -a
>> Traceback (most recent call last):
>> 9: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5 in '<main>'
>> 8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/cli.rb:89: in 'run'
>> 7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/action/list.rb:60: in 'run'
>> 6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/action/list.rb:113: in 'get_all_certs'
>> 5: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/action/list.rb:113: in 'new'
>> 4: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/certificate_authority.rb:16: in 'initialize'
>> 3: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/certificate_authority.rb:16: in 'new'
>> 2: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/utils/http_client.rb:19: in 'initialize'
>> 1: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/utils/http_client.rb:108: in 'make_store'
>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/utils/http_client.rb:109:in 'add_file': system lib (OpenSSL::X509::StoreError)
>> #
>>
>> Has anyone encountered this before? Any thoughts on how to regenerate my
>> certs on this system and get us going again?
>>
>> Note: I have puppet installed on one server and puppetdb on another, in
>> case that matters.
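A check for which of the two CA layouts described in the reply above a regenerated bundle actually has, as an added example that is not part of the original thread or Puppet's own tooling. `ca_layout` and `make_samples` are hypothetical helper names, and the sample certificates are constructed throwaway ones generated with `openssl`.

```bash
#!/usr/bin/env bash
# Classify a CA bundle as the intermediate layout (self-signed root plus a
# separate CA signing cert) or the single self-signed root layout, by
# comparing each certificate's subject and issuer.
# Layout check only: it does not verify signatures or expiry.

ca_layout() {
  local bundle=$1 tmp total=0 self=0 f subj iss
  tmp=$(mktemp -d) || return 2
  # Write each PEM certificate in the bundle to its own file.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
       n {print > (d "/cert" n ".pem")}' "$bundle"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue
    subj=$(openssl x509 -noout -subject -in "$f") || { rm -rf "$tmp"; return 2; }
    iss=$(openssl x509 -noout -issuer -in "$f")
    total=$((total + 1))
    # subject == issuer means the certificate is self-issued (a root).
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then self=$((self + 1)); fi
  done
  rm -rf "$tmp"
  if [ "$total" -eq 1 ] && [ "$self" -eq 1 ]; then echo self-signed-root
  elif [ "$total" -ge 2 ] && [ "$self" -eq 1 ]; then echo intermediate
  else echo unknown; fi
}

# Build constructed sample bundles (throwaway keys, not Puppet's files) in $1.
make_samples() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Signing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

work=$(mktemp -d)
make_samples "$work"
echo "bundle.pem: $(ca_layout "$work/bundle.pem")"
echo "root.pem:   $(ca_layout "$work/root.pem")"
```

A result of `intermediate` on a server that still has Puppet 5 agents points at the case the reply says needs manual intervention.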