Step 3: Clear and regenerate certs for Puppet agents

To replace the certs on agents, you’ll need to log into each agent node and do the following steps.

  1. Stop the agent service. On *nix:

    sudo puppet resource service puppet ensure=stopped

    On Windows, with Administrator privileges:

    puppet resource service puppet ensure=stopped

  2. Locate Puppet’s SSL directory and delete its contents.

    The SSL directory can be determined by running:

    puppet config print ssldir --section agent

  3. Restart the agent service. On *nix:

    sudo puppet resource service puppet ensure=running

    On Windows, with Administrator privileges:

    puppet resource service puppet ensure=running

    When the agent starts, it generates keys and requests a new certificate from the CA primary server.

  4. If you are not using autosigning, log in to the CA primary server and sign each agent node’s certificate request.

    To view pending requests, run:

    sudo puppetserver ca list

    To sign requests, run:

    sudo puppetserver ca sign --certname <NAME>

    After an agent node’s new certificate is signed, it's retrieved within a few minutes and a Puppet run starts.
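Added example, not from the Puppet documentation: a shell function that carries out steps 1 to 3 on a *nix agent in one go. It differs from the steps above in two assumed ways: the old ssldir contents are moved to a timestamped backup directory rather than deleted outright (so the previous key and certificate can be restored if the new CA is not yet trusted), and PUPPET_BIN is an override so the logic can be exercised against a stub instead of a real puppet binary.

```bash
#!/usr/bin/env bash
# Added example (not Puppet's own tooling): stop the agent, clear its ssldir,
# and restart it so it generates a new key and requests a certificate from
# the new CA. Run with root privileges on the agent node.
set -eu

# Assumed override: defaults to the puppet on PATH; a test can point it at a stub.
: "${PUPPET_BIN:=puppet}"

# Resolve the agent's ssldir the same way the docs do, and refuse values that
# would make the cleanup below dangerous (empty, the root dir, relative paths).
agent_ssldir() {
    local dir
    dir="$("$PUPPET_BIN" config print ssldir --section agent)"
    if [ -z "$dir" ] || [ "$dir" = "/" ] || [ "${dir#/}" = "$dir" ]; then
        echo "refusing to use ssldir '$dir'" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Steps 1-3: stop the agent, move the old SSL material aside, restart.
# Prints the backup directory so the operator knows where the old certs went.
regenerate_agent_cert() {
    local dir backup
    dir="$(agent_ssldir)" || return 1
    [ -d "$dir" ] || { echo "ssldir '$dir' does not exist" >&2; return 1; }
    "$PUPPET_BIN" resource service puppet ensure=stopped >/dev/null
    backup="${dir}.old.$(date +%Y%m%d%H%M%S)"
    mv "$dir" "$backup"      # keep old keys/certs for rollback instead of rm -rf
    mkdir -p "$dir"          # empty ssldir; the agent repopulates it on start
    "$PUPPET_BIN" resource service puppet ensure=running >/dev/null
    printf '%s\n' "$backup"
}
```

If you are not using autosigning, the request the restarted agent submits still has to be signed on the CA primary server as in step 4.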

Results

After you have regenerated all agents’ certificates, everything will be fully functional under the new CA.

You can achieve the same results by turning these steps into Bolt tasks or plans. See the Bolt documentation for more information.