Performed the Verify steps. Seems the values are not equal. Is there any steps in order to make the values equal?
On Friday, October 15, 2021 at 9:34:11 AM UTC-4 treydock wrote: > My advise might not be the best but it's what worked for me when our > master CA certificate expired. These are my raw notes from when I had to > renew our puppetserver certificate. The original certificate was likely > Puppet 4 and expired when running Puppet 6. I googled around and took some > steps from various blog posts I found so most of this isn't my original > ideas: > > # Verify > cd /etc/puppetlabs/puppet/ssl/ca > ( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 > ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 ) > > # Generate new CSR > openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem > > # Sign > cat > extension.cnf << EOF > [CA_extensions] > basicConstraints = critical,CA:TRUE > nsComment = "Puppet Ruby/OpenSSL Internal Certificate" > keyUsage = critical,keyCertSign,cRLSign > subjectKeyIdentifier = hash > EOF > cp ca_crt.pem ca_crt.pem.old > openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out > ca_crt.pem -extfile extension.cnf -extensions CA_extensions > openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity > chown puppet: ./* > cd /etc/puppetlabs/puppet/ssl > cp -a ca/ca_crt.pem certs/ca.pem > > # CLIENTS > > /opt/puppetlabs/bin/puppet resource file > /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent > /opt/puppetlabs/bin/puppet ssl download_cert > systemctl restart choria-server > > For expired client certs, when that happens to me I will do "rm -rf > /etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet > which will request new cert then sign the cert and run Puppet again. That > process is rather tedious and not something I've automated really well but > also not something I have had happen frequently as we don't tend to keep > servers around for 5+ years. > > On Thursday, October 14, 2021 at 4:09:14 PM UTC-4 puppet-bsd wrote: > >> Hi all, >> >> I'm new in puppet. >> >> I'm currently using puppet 4.10 >> >> Long story short, puppet certificates were expired and by this time, I am >> renewing these certificates one node at the time (including the >> puppetmaster). >> >> Once the puppetmaster got "renewed" , I tried to create a node >> successfully but its first run of puppet agent -t got unsuccessful due to >> its related smart proxy server certificate for revoked. Performed a >> certificate renewal for the proxy and the new agent now runs fine. >> >> However, it always happens everytime I create a new node. In the past, I >> don't have to renew proxy certificates. That means that there is >> something/somewhere in puppetmaster that isn't caught up in terms of >> certificates. >> >> One try I made is to regenerate a new CA certificate but seems it isn't >> successful for the early described issue. >> >> Can anyone please point how to fix the certificate at the puppetmaster >> level? >> >> -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/63a4d3b3-55e8-43ef-84cd-6f6d9a4ef8a5n%40googlegroups.com.
