diff --git a/docs/sysadm/puppet/howto-renew-agent-certificate.rst b/docs/sysadm/puppet/howto-renew-agent-certificate.rst
index 1596fceb8c9b5b3d13e9c5dcccbe132230cfdb20..92dbc45a26de9e721ab6738c5bf6c2601432adb3 100644
--- a/docs/sysadm/puppet/howto-renew-agent-certificate.rst
+++ b/docs/sysadm/puppet/howto-renew-agent-certificate.rst
@@ -12,26 +12,11 @@ How to renew an agent certificate Check the certificate expiration dates -------------------------------------- -On the puppet master (pergamon): +On the puppet master (pergamon), this lists all certificates that expire within the next three months: :: - root@pergamon:~# cd /var/lib/puppet/ssl/ca/signed - root@pergamon:/var/lib/puppet/ssl/ca/signed# openssl x509 -text -in beaubourg.softwareheritage.org.pem | grep -i 'not after' - Not After : Oct 29 18:37:49 2022 GMT - -Check the certificate statuses ------------------------------ - -On the puppet master (pergamon): - - :: - - root@pergamon:~# puppet cert list --all 2>/dev/null | grep expired - - "beaubourg.softwareheritage.org" (SHA256) 24:50:2E:7F:8B:B0:C7:...:D9:AB:5A:45:46:4D:17:51 (certificate has expired) - ... - -worker3 certificate is ok, beaubourg certificate is expired + root@pergamon:~# puppetserver ca list --all --format json | jq ".signed|sort_by(.not_after)[]|select(.not_after <= \"$(date -d '3 months' +%Y-%m-%dT%H:%M:%S)\")" Renew an agent certificate -------------------------- 
@@ -42,23 +27,22 @@ On the puppet master (pergamon): :: - root@pergamon:~# puppet cert clean beaubourg.softwareheritage.org 2>/dev/null - Notice: Revoked certificate with serial 49 - Notice: Removing file Puppet::SSL::Certificate beaubourg.softwareheritage.org at '/var/lib/puppet/ssl/ca/signed/beaubourg.softwareheritage.org.pem' - Notice: Removing file Puppet::SSL::Certificate beaubourg.softwareheritage.org at '/var/lib/puppet/ssl/certs/beaubourg.softwareheritage.org.pem' + root@pergamon:~# puppetserver ca clean kelvingrove.internal.softwareheritage.org 2>/dev/null + Certificate for kelvingrove.internal.softwareheritage.org has been revoked + Cleaned files related to kelvingrove.internal.softwareheritage.org -On the agent (beaubourg for this example), delete the old certificate and generate a new one: +On the agent (kelvingrove for this example), delete the old certificate and generate a new one: :: - root@beaubourg:~# rm -r /var/lib/puppet/ssl - root@beaubourg:/var/lib/puppet# puppet agent --test - Info: Creating a new SSL key for beaubourg.softwareheritage.org + root@kelvingrove:~# rm -r /var/lib/puppet/ssl + root@kelvingrove:~# puppet agent --test + Info: Creating a new SSL key for kelvingrove.internal.softwareheritage.org Info: Caching certificate for ca Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml - Info: Creating a new SSL certificate request for beaubourg.softwareheritage.org - Info: Certificate Request fingerprint (SHA256): F5:C9:99:0B:...:62:E9:4F:1B - Info: Caching certificate for beaubourg.softwareheritage.org + Info: Creating a new SSL certificate request for kelvingrove.internal.softwareheritage.org + Info: Certificate Request fingerprint (SHA256): 81:3A:FD:83:A2:64:CA:69:E9:EF:14:91:66:24:0D:DA:E0:6F:B5:1B:44:C2:BA:62:82:C9:94:C6:1D:F8:83:2D + Info: Caching certificate for kelvingrove.internal.softwareheritage.org Info: Caching certificate_revocation_list for ca Info: Caching certificate for ca Info: Using configured 
environment 'production'
@@ -66,6 +50,6 @@ On the agent (beaubourg for this example), delete the old certificate and genera Info: Retrieving plugin Info: Retrieving locales Info: Loading facts - Info: Caching catalog for beaubourg.softwareheritage.org - Info: Applying configuration version '1638980028' + Info: Caching catalog for kelvingrove.internal.softwareheritage.org + Info: Applying configuration version '1736934322' ...