Update certificate renewal documentation for Puppet 7

docs/sysadm/puppet/howto-renew-agent-certificate.rst

@@ -12,26 +12,11 @@ How to renew an agent certificate
 Check the certificate expiration dates
 --------------------------------------
 
-On the puppet master (pergamon):
+On the puppet master (pergamon), this lists all certificates that expire within the next three months:
 
 ::
 
-  root@pergamon:~# cd /var/lib/puppet/ssl/ca/signed
-  root@pergamon:/var/lib/puppet/ssl/ca/signed# openssl x509 -text -in beaubourg.softwareheritage.org.pem | grep -i 'not after'
-          Not After : Oct 29 18:37:49 2022 GMT
-
-Check the certificate statuses
-------------------------------
-
-On the puppet master (pergamon):
-
-::
-
-  root@pergamon:~# puppet cert list --all 2>/dev/null | grep expired
-  - "beaubourg.softwareheritage.org"                                (SHA256) 24:50:2E:7F:8B:B0:C7:...:D9:AB:5A:45:46:4D:17:51 (certificate has expired)
-  ...
-
-worker3 certificate is ok, beaubourg certificate is expired
+  root@pergamon:~# puppetserver ca list --all --format json | jq ".signed|sort_by(.not_after)[]|select(.not_after <= \"$(date -d '3 months' +%Y-%m-%dT%H:%M:%S)\")"
 
 Renew an agent certificate
 --------------------------
@@ -42,23 +27,22 @@ On the puppet master (pergamon):
 
 ::
 
-  root@pergamon:~# puppet cert clean beaubourg.softwareheritage.org 2>/dev/null
-  Notice: Revoked certificate with serial 49
-  Notice: Removing file Puppet::SSL::Certificate beaubourg.softwareheritage.org at '/var/lib/puppet/ssl/ca/signed/beaubourg.softwareheritage.org.pem'
-  Notice: Removing file Puppet::SSL::Certificate beaubourg.softwareheritage.org at '/var/lib/puppet/ssl/certs/beaubourg.softwareheritage.org.pem'
+  root@pergamon:~# puppetserver ca clean kelvingrove.internal.softwareheritage.org 2>/dev/null
+  Certificate for kelvingrove.internal.softwareheritage.org has been revoked
+  Cleaned files related to kelvingrove.internal.softwareheritage.org
 
-On the agent (beaubourg for this example), delete the old certificate and generate a new one:
+On the agent (kelvingrove for this example), delete the old certificate and generate a new one:
 
 ::
 
-  root@beaubourg:~# rm -r /var/lib/puppet/ssl
-  root@beaubourg:/var/lib/puppet# puppet agent --test
-  Info: Creating a new SSL key for beaubourg.softwareheritage.org
+  root@kelvingrove:~# rm -r /var/lib/puppet/ssl
+  root@kelvingrove:~# puppet agent --test
+  Info: Creating a new SSL key for kelvingrove.internal.softwareheritage.org
   Info: Caching certificate for ca
   Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
-  Info: Creating a new SSL certificate request for beaubourg.softwareheritage.org
-  Info: Certificate Request fingerprint (SHA256): F5:C9:99:0B:...:62:E9:4F:1B
-  Info: Caching certificate for beaubourg.softwareheritage.org
+  Info: Creating a new SSL certificate request for kelvingrove.internal.softwareheritage.org
+  Info: Certificate Request fingerprint (SHA256): 81:3A:FD:83:A2:64:CA:69:E9:EF:14:91:66:24:0D:DA:E0:6F:B5:1B:44:C2:BA:62:82:C9:94:C6:1D:F8:83:2D
+  Info: Caching certificate for kelvingrove.internal.softwareheritage.org
   Info: Caching certificate_revocation_list for ca
   Info: Caching certificate for ca
   Info: Using configured environment 'production'
@@ -66,6 +50,6 @@ On the agent (beaubourg for this example), delete the old certificate and genera
   Info: Retrieving plugin
   Info: Retrieving locales
   Info: Loading facts
-  Info: Caching catalog for beaubourg.softwareheritage.org
-  Info: Applying configuration version '1638980028'
+  Info: Caching catalog for kelvingrove.internal.softwareheritage.org
+  Info: Applying configuration version '1736934322'
   ...