Revive an Expired Puppet CA with Certregen

Renewing an expired Puppet CA certificate using Certregen module.

The Problem

I’ve been involved in a project of migrating ageing infrastructure (e.g. CentOS 7) and legacy applications (e.g. MySQL 5.7) to modern software. One of the first problems was an old installation of Puppet Server v5 where its CA certificate has already expired.

$ rpm -qa | grep puppet

Puppet’s CA certificate is only valid for a limited time which is usually 5 years, after which it expires. When this CA expires, Puppet’s services will no longer accept any certificates signed by that CA, and such Puppet infrastructure will immediately stop working.

The Solution

Leaving aside the fact that Puppet v5.5 is EOL, we needed to bring the system back to a working state. This meant regenerating the CA certificates.

Puppetlabs provides a certregen module that allows one to regenerate and redistribute Puppet CA certificates and refresh CRLs, without invalidating certificates signed by the original CA. It can also revive a Puppet CA that has already expired.

Working with Certregen


Install the Puppet module puppetlabs-certregen:

# puppet module install puppetlabs-certregen
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from ...
Notice: Installing -- do not interrupt ...
└─┬ puppetlabs-certregen (v0.2.0)
  └── puppetlabs-stdlib (v4.25.1)

Check for Expired Certificates

We can see that the CA certificate’s status is “expired”.

# puppet certregen healthcheck
"ca" (SHA256) 11:8B:52:F2:E8:CB:66:42:43:C3:51:9A:6E:3D:26:83:4F:69:17:B6:4B:A2:73:1B:26:44:AC:A0:16:01:7C:9F
Status: expired
Expiration date: 2024-03-11 14:35:39 UTC

"" (SHA256) 11:36:8F:20:BB:3D:1C:5B:D9:1D:55:68:D9:CC:0D:D4:3A:E6:C4:0E:8B:02:32:E6:72:D4:F6:D1:07:10:47:E1
Status: expiring
Expiration date: 2024-03-31 16:39:25 UTC
Expires in: 17 days, 9 hours, 5 minutes, 55 seconds

"" (SHA256) 11:39:B9:1E:7B:A3:EC:28:3A:E8:C0:77:58:96:3F:12:C6:39:04:54:DC:CF:56:54:25:63:B2:DA:19:50:D1:90
Status: expiring
Expiration date: 2024-03-31 17:07:45 UTC
Expires in: 17 days, 9 hours, 34 minutes, 15 seconds


Generate a New CA Certificate

We want to generate a new CA certificate using the existing CA keypair. We do not want to create a new keypair. We also want to automatically update the expiration date of the certificate revocation list (CRL).

# puppet certregen ca --ca_serial 01
Notice: Backing up current CA certificate to /etc/puppetlabs/puppet/ssl/ca/ca_crt.1710401711.pem
Notice: Signed certificate request for ca
CA expiration is now 2029-03-13 07:35:11 UTC
CRL next update is now 2029-03-13 07:35:11 UTC

Distribute the New CA Certificate

Distribute the new CA cert to every node in your Puppet infrastructure. This depends on how your environment has been set up.

In our case we used a regular user account with sudo privileges to copy files using SCP.

$ for i in $(cat list_of_puppet_agent_servers.txt);
  scp ./ca.pem ${i}:~/
  ssh ${i} "sudo mv ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem; sudo chown root: /etc/puppetlabs/puppet/ssl/certs/ca.pem"


Leave a Reply

Your email address will not be published. Required fields are marked *