Renewing Puppet Certificates
Revision as of 01:46, 26 March 2019
On March 7th of 2019, our SSL certificates for Puppet/Foreman and TLS LDAP all reached their five-year expiration period. This has caused Puppet and Foreman to stop working, and our authentication server cannot be accessed. I cannot create new users that are recognized by the cluster, and users cannot log in to machines that they have never logged into before. You can imagine the trouble this has caused. As of March 22, I have not solved this yet, but I will be documenting my attempts to fix this.
Get subject of original certificate
[root@alpha ~]# openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -subject
Get serial of original certificate
[root@alpha ~]# openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -serial
serial=01
Extract info from puppetmaster cert
[root@alpha ~]# openssl x509 -in /var/lib/puppet/ssl/certs/puppetmaster.cluster.ucsf.bkslab.org.pem -text -noout \
    -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux
Create certificate signing request with existing files
[root@alpha ~]# openssl req -key /root/puppet_renewal/ca/ca_key.pem -new -batch -subj "/CN=Puppet CA: alpha.ucsf.bkslab.org" -out /root/puppet_renewal/ca/ca_new.csr
Create a new CA certificate
[root@alpha ~]# openssl x509 -req -days 3650 -in /root/puppet_renewal/ca/ca_new.csr -signkey /root/puppet_renewal/ca/ca_key.pem \
    -out /root/puppet_renewal/ca/ca_crt.pem -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3_ca -set_serial 1
Signature ok
subject=/CN=Puppet CA: alpha.ucsf.bkslab.org
Getting Private key
Get serial number for your existing CA
[root@alpha puppet_renewal]# echo $((0x`cat /var/lib/puppet/ssl/ca/serial`))
451
Create new certificate signing request with puppet server's key
[root@alpha ~]# openssl req -key /root/puppet_renewal/puppetmaster/private_keys/puppetmaster.cluster.ucsf.bkslab.org.pem -new \
    -batch -subj "/CN=alpha.ucsf.bkslab.org" -out /root/puppet_renewal/mypuppetmaster.csr
Create new puppet master's certificate
[root@alpha ~]# openssl x509 -extfile /root/puppet_renewal/renewpuppet.cnf -extensions v3 -req -days 1825 -in /root/puppet_renewal/mypuppetmaster.csr \
    -CA /root/puppet_renewal/ca/ca_crt.pem -CAkey /root/puppet_renewal/ca/ca_key.pem -CAcreateserial \
    -out /root/puppet_renewal/puppetmaster/certs/puppetmaster.cluster.ucsf.bkslab.org.pem -sha256 -set_serial 451
Investigate /etc/foreman/ssl/README
cluster2 on foreman
#openssl genrsa -aes128 -out foreman.key 2048
openssl genrsa -out foreman.key 2048
openssl req -new -out foreman.csr -key foreman.key -config foreman.cnf
openssl req -text -in foreman.csr -noout
openssl x509 -req -in foreman.csr -CA /var/lib/puppet/ssl/ca/ca_crt.pem -CAkey /var/lib/puppet/ssl/ca/ca_key.pem -CAserial /var/lib/puppet/ssl/ca/serial -out foreman.crt -days 1730
openssl rsa -in foreman.key -out foreman.key-unlocked
ln -s foreman.key-unlocked key.pem
ln -s foreman.crt cert.pem
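The CA-renewal steps above (re-issue the CA certificate with the existing CA key and the same subject, then sign server certificates such as the puppetmaster and Foreman ones against it) are worked through end to end in the following script. It is an added example, not part of the wiki page or of Puppet/Foreman, and it runs entirely in a temporary directory against a throwaway CA: the `ca.cnf` extension file, the `demo.example.org` names and the serial numbers are all constructed for the demo (the page's own `renewpuppet.cnf` is not shown, so its contents are assumed). It also includes the hex-to-decimal serial conversion the page uses and a `-checkend` based expiry check, which is the monitoring test that would have flagged the five-year expiry before it took the cluster down.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki): renew a Puppet-style CA certificate with its
# EXISTING private key, then show that a leaf cert issued under the old CA cert
# still verifies against the renewed one. Everything lives in a temp dir; nothing
# under /var/lib/puppet or /etc/foreman is touched.
set -eu

# Puppet keeps the next serial as hex in ca/serial; the page converts it with
# $((0x...)). Reads the hex string from stdin, prints decimal.
serial_to_decimal() {
    hex=$(cat)
    echo $((0x$hex))
}

# True when certificate $1 still has more than $2 days of validity left.
# (-checkend exits 0 if the cert will NOT expire within the given seconds.)
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

demo_renew_ca() {
    work=$(mktemp -d)
    # Constructed stand-in for the page's renewpuppet.cnf: a v3_ca section for
    # the CA cert and a v3_leaf section for server certs (puppetmaster/foreman).
    cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Puppet CA: demo.example.org
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # 1. The "original" CA: same key we will keep, short lifetime to stand in
    #    for a cert approaching its expiry date.
    openssl genrsa -out "$work/ca_key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$work/ca_key.pem" -config "$work/ca.cnf" \
        -extensions v3_ca -days 30 -set_serial 1 -out "$work/ca_old.pem" 2>/dev/null
    # 2. A server cert (think puppetmaster or foreman.crt) signed by the old CA cert.
    openssl genrsa -out "$work/agent_key.pem" 2048 2>/dev/null
    openssl req -new -key "$work/agent_key.pem" -config "$work/ca.cnf" \
        -subj "/CN=agent01.example.org" -out "$work/agent.csr" 2>/dev/null
    openssl x509 -req -in "$work/agent.csr" -CA "$work/ca_old.pem" -CAkey "$work/ca_key.pem" \
        -set_serial 2 -days 30 -sha256 -extfile "$work/ca.cnf" -extensions v3_leaf \
        -out "$work/agent_cert.pem" 2>/dev/null
    # 3. Renew the CA exactly as the page does: CSR from the existing CA key with the
    #    same subject, self-signed for ten years. A fresh serial is used here because
    #    two different certificates from one issuer must not share a serial number.
    openssl req -key "$work/ca_key.pem" -new -batch -config "$work/ca.cnf" \
        -subj "/CN=Puppet CA: demo.example.org" -out "$work/ca_new.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$work/ca_new.csr" -signkey "$work/ca_key.pem" \
        -extfile "$work/ca.cnf" -extensions v3_ca -set_serial 3 \
        -out "$work/ca_new.pem" 2>/dev/null
    # 4. Checks a practitioner wants before swapping ca_crt.pem into place:
    #    same subject, same public key, old leaf still chains to the new CA cert,
    #    and the new cert is not itself close to expiry.
    old_subj=$(openssl x509 -in "$work/ca_old.pem" -noout -subject)
    new_subj=$(openssl x509 -in "$work/ca_new.pem" -noout -subject)
    [ "$old_subj" = "$new_subj" ]
    openssl x509 -in "$work/ca_old.pem" -noout -pubkey > "$work/pub_old"
    openssl x509 -in "$work/ca_new.pem" -noout -pubkey > "$work/pub_new"
    cmp -s "$work/pub_old" "$work/pub_new"
    openssl verify -CAfile "$work/ca_new.pem" "$work/agent_cert.pem" >/dev/null 2>&1
    ! cert_outlives_days "$work/ca_old.pem" 90     # 30-day cert: would be flagged
    cert_outlives_days "$work/ca_new.pem" 90       # renewed cert: fine
    rm -rf "$work"
    echo ok
}

echo "serial 01C3 in decimal: $(printf '01C3' | serial_to_decimal)"
echo "renewal check: $(demo_renew_ca)"
```

The reason the old server certificate keeps validating is that the chain is matched on issuer name and on the authorityKeyIdentifier, which is a hash of the CA public key; both are unchanged when only the CA certificate is re-issued around the same key. That is also why agents in the page's situation only need the new `ca_crt.pem` distributed, not new agent certificates. The `cert_outlives_days` check with a 90-day window is the kind of test worth running from cron against `/var/lib/puppet/ssl/ca/ca_crt.pem` and the Foreman cert.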