During initial configuration of the Puppet agent, the agent obtains a security certificate signed by an authority recognized by the master -- most often the master itself -- with which it will subsequently identify itself to the master. Does this certificate ever expire or require an update?
This certificate is used for SSL and TLS communications and is sent to the agent. During the master and agent exchange, the CA is stored in the /etc/puppetlabs/puppet/ssl/ca/signed directory on the master and in the /etc/puppetlabs/puppet/ssl/certs directory on the agent.
On the CA server: Sign the certificate request, explicitly allowing alternate names (puppet cert sign --allow-dns-alt-names <NAME>). (Note puppet cert sign is deprecated and will be replaced with puppetserver ca sign in Puppet 6.) On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to retrieve the cert.
Yes, all certificates signed by the Puppet CA have an expiration date, including agents' certificates, the master's certificate, and the CA's own self-signed certificate if in fact it is using such. The expiration timestamp is set by adding a fixed offset (specified by the configuration setting ca_ttl) to the date & time at which the cert is signed. The default ttl is five years, which is long enough to cover the full service life of all machines in many organizations.
More problematic than an agent's certificate expiring is the CA cert expiring. If you let that happen without configuring a new CA cert then master and nodes will thereafter reject each other's certs, forcing you to manually configure new certs for all of them.
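An added example, not code from the thread above and not part of Puppet's own tooling: a small POSIX shell script that uses openssl to classify each certificate as OK, EXPIRING (within a warning window), EXPIRED or MISSING, so an approaching CA or agent certificate expiry is caught before master and agents start rejecting each other. It assumes openssl is installed and scans the two directories named in the thread; the CA certificate path ca/ca_crt.pem is an assumed default, and the two throwaway certificates it generates are constructed purely for the demo run.

```shell
#!/bin/sh
# Added example (not from the original thread): report expiry status of Puppet
# SSL certificates with openssl. Directories are those named in the thread;
# ca/ca_crt.pem is an assumed default path for the CA certificate itself.
set -u

# cert_status FILE WARN_DAYS
# Prints MISSING, EXPIRED, EXPIRING (expires within WARN_DAYS) or OK.
# "openssl x509 -checkend N" exits non-zero when the cert expires within N
# seconds, which avoids parsing the notAfter timestamp by hand and is portable
# across openssl versions.
cert_status() {
    cert="$1"
    warn_days="$2"
    [ -r "$cert" ] || { echo MISSING; return 0; }
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# report_dir DIR WARN_DAYS: one status line per PEM file in DIR (nothing if
# the directory is absent or empty, e.g. on a machine without Puppet).
report_dir() {
    dir="$1"
    warn_days="$2"
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        printf '%-9s %s\n' "$(cert_status "$f" "$warn_days")" "$f"
    done
}

# make_demo_cert OUTFILE DAYS: constructed self-signed certificate so the
# script can be exercised without touching a real Puppet installation.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=demo.example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo run on constructed certificates: one with the five-year ca_ttl default,
# one that falls inside a 30-day warning window.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/agent-long.pem" 1825
make_demo_cert "$demo_dir/agent-short.pem" 3
report_dir "$demo_dir" 30
rm -rf "$demo_dir"

# Real locations from the thread: agent-side certs and master-side signed certs.
for d in /etc/puppetlabs/puppet/ssl/certs /etc/puppetlabs/puppet/ssl/ca/signed; do
    report_dir "$d" 30
done
# The CA's own certificate is the one whose expiry hurts most (assumed path).
ca=/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
printf '%-9s %s\n' "$(cert_status "$ca" 30)" "$ca"
```

Run it on a master or agent as a user that can read the ssl directory; wiring the EXPIRING and EXPIRED lines into whatever monitoring already watches the host turns a silent five-year countdown into an alert with time to rotate the CA or re-sign agents.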