That worked like a champ. Now I just need to read up on how to get my
puppetserver talking to puppetdb again...
Thanks, Maggie!
On 10/22/2018 11:36 AM, Maggie Dreyer wrote:
Unfortunately that particular docs page was incorrectly updated for
Puppet 6. If you are running Puppet 6 master AND agents, you can
regenerate your CA by using `puppetserver can setup`. This creates a
basic intermediate CA with a self-signed root and a CA signing cert.
It will also create a new cert for your puppet master. You can read
more about this model here:
https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html, and
more about the new `puppetserver ca` subcommand here:
https://puppet.com/docs/puppetserver/6.0/subcommands.html#ca.
However, please note that if you still have some Puppet 5 agents,
you'd be better off just restarting Puppet Server, which will generate
a new non-intermediate CA (a self-signed root that also is the CA
signing cert that issues node certificates). Puppet 5 agents do not
properly support the intermediate CA setup without manual intervention.
Whichever route you take to regenerate your CA and master cert, you
will also need to regenerate the certs for your agents. This can be
accomplished by starting Puppet Server, deleting the SSL dir on each
agent node (and puppetdb), then running `puppet agent -t` to submit a
signing request to the server. On a Puppet 6 master, use `puppetserver
ca sign --certname <node's certname>` to sign the cert, followed by
another `puppet agent -t` on the agent to retrieve it.
We made a series of major CA improvements in Puppet 6, which you can
read about in the release notes here
<https://puppet.com/docs/puppetserver/6.0/release_notes.html> and here
<https://puppet.com/docs/puppet/6.0/release_notes.html>. While
updating the docs for this release, we realized that a major overhaul
of the CA and SSL docs was needed, as many of them haven't been
touched since the release of Puppet 4. We are in the process of
getting that written and published now. We really appreciate feedback
like this to help us identify spots that are still wrong or confusing.
Please let me know if anything in here doesn't work right for you!
Maggie
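Added example, not part of this thread or of the puppetserver-ca project: the `OpenSSL::X509::StoreError` at the bottom of Bret's traceback is what `OpenSSL::X509::Store#add_file` raises in `make_store` when a CA file it is handed no longer exists, which is consistent with the deleted ssl directory. This Ruby preflight check loads the same kind of files into a store and reports each one as missing, unreadable, or unparsable by name; the default paths and all function names are assumptions, and the demo builds its own throwaway certificate.

```ruby
require 'openssl'
require 'tmpdir'

# Files the puppetserver-ca CLI loads into its trust store. ASSUMED Puppet 6
# default paths, for illustration; check `puppet config print cacert localcacert`.
DEFAULT_CA_FILES = {
  cacert:      '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
  localcacert: '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
}.freeze
# Load each PEM into an X509 store as make_store does, but classify the outcome
# instead of raising; returns { name => :ok | :missing | :unreadable | :invalid }.
def check_ca_files(files = DEFAULT_CA_FILES)
  files.each_with_object({}) do |(name, path), result|
    result[name] =
      if !File.exist?(path)
        :missing        # the thread's case: the ssl directory was removed
      elsif !File.readable?(path)
        :unreadable     # e.g. running the CLI as an unprivileged user
      else
        begin
          OpenSSL::X509::Store.new.add_file(path)
          :ok
        rescue OpenSSL::X509::StoreError
          :invalid      # present but not a parseable PEM certificate
        end
      end
  end
end
# Demo helper: write a throwaway self-signed cert (constructed test data).
def write_self_signed_cert(path, cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(path, cert.to_pem)
end
# Demo: one good CA cert, one corrupt file, one file that no longer exists.
def demo_check
  Dir.mktmpdir do |dir|
    write_self_signed_cert("#{dir}/ca_crt.pem", 'Puppet CA')
    File.write("#{dir}/corrupt.pem", 'not a certificate')
    check_ca_files(good: "#{dir}/ca_crt.pem", corrupt: "#{dir}/corrupt.pem",
                   gone: "#{dir}/ssl/certs/ca.pem")
  end
end
```

Run `check_ca_files` with your master's real paths before invoking `puppetserver ca`; a `:missing` result for every entry is the signature of a wiped ssl directory, and the fix is the CA regeneration described above rather than anything the `ca` subcommand can do.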
On Mon, Oct 22, 2018, 5:48 AM Bret Wortman <bret.wort...@damascusgrp.com> wrote:
Out of curiosity, I updated the server to 6.0.1. No change.
On Monday, October 22, 2018 at 7:25:10 AM UTC-4, Bret Wortman wrote:
We had an issue where someone removed our puppet server's
ssl directory, so we need to regenerate all our certs. I'm
following the instructions at
https://puppet.com/docs/puppet/6.0/ssl_regenerate_certificates.html
but am having difficulties:
# puppetserver ca list -a
Traceback (most recent call last):
9: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5 in '<main>'
8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/cli.rb:89:in 'run'
7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/action/list.rb:60:in 'run'
6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/action/list.rb:113:in 'get_all_certs'
5: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/action/list.rb:113:in 'new'
4: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/certificate_authority.rb:16:in 'initialize'
3: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/certificate_authority.rb:16:in 'new'
2: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/utils/http_client.rb:19:in 'initialize'
1: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/utils/http_client.rb:108:in 'make_store'
/opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.0.0/lib/puppetserver/ca/utils/http_client.rb:109:in 'add_file': system lib (OpenSSL::X509::StoreError)
#
Has anyone encountered this before? Any thoughts on how to
regenerate my certs on this system and get us going again?
Note: I have puppet installed on one server and puppetdb on
another, in case that matters.
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to puppet-users+unsubscr...@googlegroups.com
<mailto:puppet-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/7715f962-0e79-44f8-9e25-ade744378c37%40googlegroups.com
<https://groups.google.com/d/msgid/puppet-users/7715f962-0e79-44f8-9e25-ade744378c37%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.