Regenerate primary server certificates
Regenerate primary server certificates to specify a new DNS alt name or other trusted data. This process regenerates the certificates for all primary infrastructure nodes, including standalone PE-PostgreSQL nodes.
The puppet infrastructure run command leverages built-in Bolt plans to automate certain management tasks. To use this command, you must be able to connect using SSH from your primary server to any nodes that the command modifies. You can establish an SSH connection using key forwarding, a local key file, or by specifying keys in .ssh/config on your primary server. For more information, see Bolt OpenSSH configuration options.
To view all available parameters, use the --help flag. The logs for all puppet infrastructure run Bolt plans are located at /var/log/puppetlabs/installer/bolt_info.log.
On your primary server, log in as root, and run:
puppet infrastructure run regenerate_primary_certificate
You can specify these optional parameters:
- Use dns_alt_names to provide a comma-separated list of alternate DNS names to be added to the certificates generated for your primary server. To ensure naming consistency, if your puppet.conf file includes a dns_alt_names entry, you must include the dns_alt_names parameter and pass in all alternative names included in the entry when regenerating your primary server certificate.
- Use --tmpdir to specify a path to a directory to use for uploading and executing temporary files. You might need to set this parameter if the task fails with a permission denied error.
- Use force=true and offline=true in situations where your infrastructure is unhealthy due to a damaged certificate. The full command is:
puppet infrastructure run regenerate_primary_certificate primary=<hostname> force=true offline=true
puppet infrastructure run regenerate_standalone_db_certificate primary=<primary hostname> external_pg=<db-hostname>
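The dns_alt_names consistency rule above, as an added shell example that is not part of the original documentation: it reads the dns_alt_names entry from a puppet.conf-style file, reports names that a requested list would omit, and prints the regenerate command carrying every name. The function names, the sample file and its example.com hostnames are constructed for illustration, and passing the parameter as dns_alt_names=<list> is assumed to follow the key=value form the page shows for force=true.

```shell
# Added example, not Puppet's own tooling. Function names are hypothetical.

# Print dns_alt_names values from a puppet.conf-style file ($1), one per line,
# trimmed and de-duplicated in first-seen order (all sections are scanned).
conf_alt_names() {
  awk -F= '
    /^[ \t]*#/ { next }
    $1 ~ /^[ \t]*dns_alt_names[ \t]*$/ {
      sub(/^[^=]*=/, "")
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] != "" && !seen[parts[i]]++) print parts[i]
      }
    }' "$1"
}

# Print names that puppet.conf ($1) lists but the comma-separated list ($2) omits.
missing_alt_names() {
  requested=",$(printf '%s' "$2" | tr -d ' \t'),"
  conf_alt_names "$1" | while IFS= read -r name; do
    case "$requested" in
      *",$name,"*) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Print the regenerate command with every puppet.conf name plus new names ($2).
# Assumption: dns_alt_names is passed as key=value, like force=true on this page.
build_regen_command() {
  names=$( { conf_alt_names "$1"; printf '%s\n' "$2" | tr ',' '\n'; } |
    awk '{ gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "" && !seen[$0]++) print }' |
    paste -sd, - )
  cmd='puppet infrastructure run regenerate_primary_certificate'
  if [ -n "$names" ]; then cmd="$cmd dns_alt_names=$names"; fi
  printf '%s\n' "$cmd"
}

# Constructed sample puppet.conf; the example.com hostnames are placeholders.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[main]
certname = primary.example.com
dns_alt_names = puppet, puppet.example.com ,primary.example.com
EOF

build_regen_command "$SAMPLE_CONF" "puppet-lb.example.com"
missing_alt_names "$SAMPLE_CONF" "puppet,puppet-lb.example.com"
```

Any output from missing_alt_names means the requested list drops a name that puppet.conf still declares, which is the inconsistency the dns_alt_names note warns about.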






