Renewing Puppet Certificates

From DISI
Revision as of 21:31, 22 March 2019

On March 7th of 2019, our SSL/TLS certificates for Puppet/Foreman and TLS LDAP all reached the end of their five-year validity period. This has caused Puppet and Foreman to stop working, and our authentication server cannot be accessed. I cannot create new users that are recognized by the cluster, and users cannot log in to machines that they have never previously logged into. You can imagine the trouble this has caused. As of March 22, I have not solved this yet, but I will be documenting my attempts to fix this.

Get subject of original CA certificate (the renewed CA must reuse this exact subject, because every certificate the old CA issued names it as issuer)

[root@alpha ~]# openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -subject

Get serial of original CA certificate (reused below with -set_serial)

[root@alpha ~]# openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -serial
serial=01

Extract the X509v3 extensions from the puppetmaster cert (every other part of the dump is suppressed with -certopt). The v3 section of the renewpuppet.cnf used below has to reproduce these, in particular any subjectAltName entries, since agents check the name they connect to against the certificate.

[root@alpha ~]# openssl x509 -in /var/lib/puppet/ssl/certs/puppetmaster.cluster.ucsf.bkslab.org.pem -text -noout \
-certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux

Create a certificate signing request with the existing CA key and the subject recorded above (only the certificate is re-issued; the key pair stays the same)

[root@alpha ~]# openssl req -key /root/puppet_renewal-20190321/ca/ca_key.pem -new -batch -subj "/CN=Puppet CA: alpha.ucsf.bkslab.org" -out /root/puppet_renewal-20190321/ca/ca_new.csr

Create a new CA certificate: self-signed with the same key, the same subject and serial 1 again, valid for ten years, with the CA extensions taken from the v3_ca section of renewpuppet.cnf. Because key and subject are unchanged, certificates the old CA issued to agents still chain to this certificate once it replaces ca_crt.pem on the master and the agents' copy of the CA certificate (certs/ca.pem under each agent's ssldir).

[root@alpha ~]# openssl x509 -req -days 3650 -in /root/puppet_renewal-20190321/ca/ca_new.csr -signkey /root/puppet_renewal-20190321/ca/ca_key.pem \
-out /root/puppet_renewal-20190321/ca/ca_crt.pem -extfile /root/puppet_renewal-20190321/renewpuppet.cnf -extensions v3_ca -set_serial 1
Signature ok
subject=/CN=Puppet CA: alpha.ucsf.bkslab.org
Getting Private key

Get the next serial number from your existing CA (Puppet keeps it in hex in ca/serial; -set_serial takes the decimal value)

[root@alpha puppet_renewal-20190321]# echo $((0x`cat /var/lib/puppet/ssl/ca/serial`))
451

Create a new certificate signing request with the puppet server's existing key. Note that the CN requested here is alpha.ucsf.bkslab.org, not puppetmaster.cluster.ucsf.bkslab.org as in the original certificate's file name: every name agents use to reach the master must appear in the new certificate, either as the CN or in the subjectAltName of the v3 section.

openssl req -key /root/puppet_renewal-20190321/puppetmaster/private_keys/puppetmaster.cluster.ucsf.bkslab.org.pem -new \
-batch -subj "/CN=alpha.ucsf.bkslab.org" -out /root/puppet_renewal-20190321/mypuppetmaster.csr

Create the new puppet master's certificate, signed by the renewed CA with the serial obtained above (five years, SHA-256; -set_serial takes precedence over -CAcreateserial)

openssl x509 -extfile /root/puppet_renewal-20190321/renewpuppet.cnf -extensions v3 -req -days 1825 -in /root/puppet_renewal-20190321/mypuppetmaster.csr \
-CA /root/puppet_renewal-20190321/ca/ca_crt.pem -CAkey /root/puppet_renewal-20190321/ca/ca_key.pem -CAcreateserial \
-out /root/puppet_renewal-20190321/puppetmaster/certs/puppetmaster.cluster.ucsf.bkslab.org.pem -sha256 -set_serial 451

After issuing a certificate by hand, advance /var/lib/puppet/ssl/ca/serial to the next value (in hex, as Puppet writes it) so the CA does not hand out serial 451 a second time.
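The following is an added rehearsal of the whole procedure and is not part of the DISI page or of Puppet. It builds a stand-in for the expired CA and one node certificate in a temporary directory, re-issues the CA certificate from the same key and subject exactly as above, and then runs the checks worth doing before replacing anything under /var/lib/puppet/ssl: the public key and subject are unchanged, a certificate signed by the old CA chains to the renewed one at a date past the old CA's expiry, and the serial file is advanced. The names ending in .lab.example, the contents of renewpuppet.cnf and the 01C3 serial file are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the DISI page): rehearse the CA renewal in a scratch
# directory and verify that existing node certificates keep chaining.
set -e

WORK=$(mktemp -d)
CA_SUBJ="/CN=Puppet CA: alpha.lab.example"   # placeholder; must equal the old CA's subject
NODE_CN="puppetmaster.lab.example"            # placeholder

# Assumed shape of renewpuppet.cnf: a CA section for the renewed CA certificate and a
# v3 section reproducing the node certificate's extensions (notably subjectAltName).
# The [req] section only lets 'openssl req' run without the system openssl.cnf.
cat > "$WORK/renewpuppet.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3 ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:puppetmaster.lab.example, DNS:puppet
EOF

# Stand-in for the original PKI: CA valid one day (so it is expired two days from now),
# node cert valid 30 days with serial 450, so the CA's next serial is 451 (hex 01C3).
make_original_pki() {
  openssl genrsa -out "$WORK/ca_key.pem" 2048 2>/dev/null
  openssl req -new -config "$WORK/renewpuppet.cnf" -key "$WORK/ca_key.pem" -batch -subj "$CA_SUBJ" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca_key.pem" -sha256 \
      -extfile "$WORK/renewpuppet.cnf" -extensions v3_ca -set_serial 1 -out "$WORK/ca_crt_old.pem" 2>/dev/null
  openssl genrsa -out "$WORK/node_key.pem" 2048 2>/dev/null
  openssl req -new -config "$WORK/renewpuppet.cnf" -key "$WORK/node_key.pem" -batch -subj "/CN=$NODE_CN" -out "$WORK/node.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/node.csr" -CA "$WORK/ca_crt_old.pem" -CAkey "$WORK/ca_key.pem" \
      -sha256 -extfile "$WORK/renewpuppet.cnf" -extensions v3 -set_serial 450 -out "$WORK/node.pem" 2>/dev/null
  printf '01C3\n' > "$WORK/serial"          # constructed ca/serial: next serial to issue, hex
}

# The page's renewal: CSR from the existing CA key, self-signed for ten years, serial 1 again.
renew_ca_cert() {
  openssl req -new -config "$WORK/renewpuppet.cnf" -key "$WORK/ca_key.pem" -batch -subj "$CA_SUBJ" -out "$WORK/ca_new.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/ca_new.csr" -signkey "$WORK/ca_key.pem" -sha256 \
      -extfile "$WORK/renewpuppet.cnf" -extensions v3_ca -set_serial 1 -out "$WORK/ca_crt_new.pem" 2>/dev/null
}

# Checks to run before swapping files into place.
pubkey_fpr()         { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
cert_field()         { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }   # $1 = subject|issuer
verify_chain_at()    { openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1; }  # CA, leaf, epoch seconds
puppet_next_serial() { echo $((0x$(cat "$1"))); }                                       # hex file -> decimal, as on the page
bump_serial()        { printf '%04X\n' $(($(puppet_next_serial "$1") + 1)) > "$1"; }    # Puppet writes the file as %04X

make_original_pki
renew_ca_cert
LATER=$(( $(date +%s) + 172800 ))   # two days out: past the stand-in CA's one-day lifetime

echo "next serial to issue: $(puppet_next_serial "$WORK/serial")"
echo "CA public key old/new: $(pubkey_fpr "$WORK/ca_crt_old.pem" | cut -c1-16) / $(pubkey_fpr "$WORK/ca_crt_new.pem" | cut -c1-16)"
echo "issuer on node cert:   $(cert_field issuer "$WORK/node.pem")"
if verify_chain_at "$WORK/ca_crt_old.pem" "$WORK/node.pem" "$LATER"; then
  echo "old CA at +2d: chain OK (unexpected)"
else
  echo "old CA at +2d: chain FAILS (expired CA, the situation on the cluster)"
fi
if verify_chain_at "$WORK/ca_crt_new.pem" "$WORK/node.pem" "$LATER"; then
  echo "renewed CA at +2d: chain OK, node certs issued by the old CA keep working"
else
  echo "renewed CA at +2d: chain FAILS"
fi
bump_serial "$WORK/serial"
```

The only reason the old node certificate validates against the renewed CA is that the key pair and the subject were kept; generating a fresh CA key would have forced re-issuing every agent certificate as well. The -attime check is the one to reuse on the real files: it answers "will this chain still verify after the old CA's expiry date" without waiting for it.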