Step 1: Clear and regenerate certs on your primary Puppet Server

On the primary server hosting the CA:

  1. Back up the SSL directory, which is in /etc/puppetlabs/puppet/ssl/. If something goes wrong, you can restore this directory so your deployment can stay functional. However, if you needed to regenerate your certs for security reasons and couldn’t, get some assistance as soon as possible so you can keep your site secure.
  2. Stop the agent service:

    sudo puppet resource service puppet ensure=stopped
  3. Stop the primary server service.

    For Puppet Server, run:

    sudo puppet resource service puppetserver ensure=stopped
  4. Delete the SSL directory:

    sudo rm -r /etc/puppetlabs/puppet/ssl
  5. Regenerate the CA and primary server's cert:

    sudo puppetserver ca setup

    You will see this message: Notice: Signed certificate request for ca.

  6. Start the primary server service by running:

    sudo puppet resource service puppetserver ensure=running
  7. Start the Puppet agent service by running this command:

    sudo puppet resource service puppet ensure=running
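The seven steps above as one POSIX shell script, added here as an example; it is not part of the Puppet documentation or the Puppet project. Service names, the SSL path and the "Signed certificate request for ca" message come from the steps above; SSL_DIR, BACKUP_ROOT, RUN_CERT_REGEN and the function names are hypothetical knobs of this script. The point it adds is the check a practitioner wants before step 4: the rm never runs unless a non-empty, restorable backup of the SSL directory already exists.

```shell
#!/bin/sh
# Added example (not Puppet's own tooling): runs the seven cert-regeneration
# steps from the page in order, refusing to delete anything before a verified
# backup exists. SSL_DIR/BACKUP_ROOT/RUN_CERT_REGEN are knobs of this script,
# not Puppet settings (assumption). Paths and service names are the page defaults.
set -eu

SSL_DIR="${SSL_DIR:-/etc/puppetlabs/puppet/ssl}"
BACKUP_ROOT="${BACKUP_ROOT:-/etc/puppetlabs/puppet}"

# Step 1: copy the SSL directory into a fresh, uniquely named sibling directory
# and print that path. Fails (so the caller stops) if the source is missing or
# the copy contains no files, because an empty backup cannot restore anything.
backup_ssl_dir() {
    src="$1"; dest_root="$2"
    [ -d "$src" ] || { echo "no SSL dir at $src" >&2; return 1; }
    # mktemp guarantees a new directory even if two runs happen in one second
    dest="$(mktemp -d "$dest_root/ssl.bak.$(date +%Y%m%d).XXXXXX")"
    cp -a "$src/." "$dest/"
    [ -n "$(find "$dest" -type f | head -n 1)" ] \
        || { echo "backup $dest contains no files" >&2; return 1; }
    echo "$dest"
}

# Steps 2-3 and 6-7: one wrapper around puppet resource so every service
# transition is logged to stderr before it happens.
set_service() {
    svc="$1"; state="$2"
    echo "service $svc -> $state" >&2
    sudo puppet resource service "$svc" ensure="$state"
}

# Step 5: regenerate the CA and primary server cert, and confirm the notice the
# page says a successful run prints.
regen_ca() {
    out="$(sudo puppetserver ca setup 2>&1)"
    echo "$out"
    echo "$out" | grep -q "Signed certificate request for ca"
}

main() {
    backup="$(backup_ssl_dir "$SSL_DIR" "$BACKUP_ROOT")"   # step 1 (aborts on failure)
    echo "backup written to $backup; restore it if any later step fails"
    set_service puppet stopped                              # step 2
    set_service puppetserver stopped                        # step 3
    sudo rm -r "$SSL_DIR"                                   # step 4
    regen_ca                                                # step 5
    set_service puppetserver running                        # step 6
    set_service puppet running                              # step 7
}

# The destructive sequence only runs when asked for explicitly:
#   RUN_CERT_REGEN=yes sh regen_ca.sh
if [ "${RUN_CERT_REGEN:-}" = "yes" ]; then
    main
fi
```

Because `set -e` is in force, a failing `backup_ssl_dir` aborts the script before step 4 touches the live directory, and a `puppetserver ca setup` run that does not print the expected notice stops the script before the services are restarted, leaving you with the backup path on screen.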

Results

At this point:

  • You have a new CA certificate and key.

  • Your primary server has a certificate from the new CA, and it can field new certificate requests.

  • The primary server rejects any requests for configuration catalogs from nodes that haven’t replaced their certificates. At this point, that is every node except the primary server itself.

  • When using any extensions that rely on Puppet certificates, like PuppetDB, the primary server won’t be able to communicate with them. Consequently, it might not be able to serve catalogs, even to agents that do have new certificates.