Last active
July 15, 2022 01:42
-
-
Save project0/4f795e6e5405bcd102eea63c94f8ef7e to your computer and use it in GitHub Desktop.
How to replace/update the puppet ca on expire
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #### START CUSTOM CONFIG | |
| ## | |
| # root path of all certs stuff. May be differ from default | |
| ssl_path=/etc/puppet/ssl | |
| # how many days should the certs are valid | |
| ssl_days=3650 | |
| # backup whole config with certs | |
| cp -Rv /etc/puppet /etc/puppet_20171101_ssl | |
| ## | |
| #### END CONFIG | |
| # check if the ca directory exists | |
| test -d "${ssl_path}/ca" || echo "CA directory does not exist" | |
| test -d "${ssl_path}/ca" | |
| # generate extension config for openssl with subjectAltNames for Server | |
| # the extenesions have been taken from the original certs | |
| cat > /tmp/puppet_extension.cnf <<_EOT_ | |
| [ca_extensions] | |
| basicConstraints = critical,CA:TRUE | |
| nsComment = "Puppet Ruby/OpenSSL Internal Certificate" | |
| keyUsage = critical,keyCertSign,cRLSign | |
| subjectKeyIdentifier = hash | |
| [server_extensions] | |
| basicConstraints = critical,CA:FALSE | |
| nsComment = "Puppet Ruby/OpenSSL Internal Certificate" | |
| keyUsage = keyEncipherment, digitalSignature | |
| extendedKeyUsage = serverAuth, clientAuth | |
| subjectKeyIdentifier = hash | |
| subjectAltName = @alt_names | |
| [alt_names] | |
| DNS.1 = puppet | |
| DNS.2 = $(hostname -f) | |
| DNS.3 = puppet.$(hostname -d) | |
| _EOT_ | |
| #Stop services | |
| /etc/init.d/httpd stop | |
| /etc/init.d/puppetdb stop | |
| #### CA Cert | |
| ## | |
| # generate a new csr based on an existing cert | |
| openssl x509 -x509toreq -in "${ssl_path}/ca/ca_crt.pem" -signkey "${ssl_path}/ca/ca_key.pem" -out "/tmp/puppet_ca_csr.pem" | |
| # check csr - output extension, date, etc... | |
| openssl req -noout -text -in "/tmp/puppet_ca_csr.pem" | |
| # generate and sign new CA certificate | |
| openssl x509 -req -days $ssl_days -in "/tmp/puppet_ca_csr.pem" -signkey "${ssl_path}/ca/ca_key.pem" \ | |
| -out "/tmp/puppet_ca_crt.pem" -extfile /tmp/puppet_extension.cnf -extensions ca_extensions | |
| # check new cert - ooutput extension, date, etc... | |
| openssl x509 -noout -text -in "/tmp/puppet_ca_crt.pem" | |
| # !! Now things go real !! | |
| # if looks good, lets replace the CA cert | |
| mv -v "/tmp/puppet_ca_crt.pem" "${ssl_path}/ca/ca_crt.pem" | |
| #### Puppet Server Cert | |
| ## | |
| # generate csr | |
| openssl x509 -x509toreq -in "${ssl_path}/certs/$(hostname -f).pem" -signkey "${ssl_path}/private_keys/$(hostname -f).pem" -out "/tmp/puppet_server_csr.pem" | |
| # check csr - output extension, date, etc... | |
| openssl req -noout -text -in "/tmp/puppet_server_csr.pem" | |
| # generate and sign certificate against the (new) puppet CA | |
| openssl x509 -req -days $ssl_days -in "/tmp/puppet_server_csr.pem" \ | |
| -CA "${ssl_path}/ca/ca_crt.pem" -CAkey "${ssl_path}/ca/ca_key.pem" -CAserial "${ssl_path}/ca/serial" \ | |
| -out "/tmp/puppet_server_crt.pem" -extfile /tmp/puppet_extension.cnf -extensions server_extensions | |
| # check new cert - ooutput extension, date, etc... | |
| openssl x509 -noout -text -in "/tmp/puppet_server_crt.pem" | |
| # !! Now things go real !! | |
| # if looks good, lets replace the server cert | |
| mv -v "/tmp/puppet_server_crt.pem" "${ssl_path}/certs/$(hostname -f).pem" | |
| #### Puppetdb | |
| ## | |
| cp "${ssl_path}/ca/ca_crt.pem" /etc/puppetdb/ssl/ca.pem | |
| cp "${ssl_path}/certs/$(hostname -f).pem" /etc/puppetdb/ssl/public.pem | |
| cp "${ssl_path}/private_keys/$(hostname -f).pem" /etc/puppetdb/ssl/private.pem | |
| chown puppetdb:puppetdb /etc/puppetdb/ssl/*.pem | |
| chmod 0640 /etc/puppetdb/ssl/*.pem | |
| # ensure puppet agent on master uses new cert | |
| cp "${ssl_path}/certs/$(hostname -f).pem" "/var/lib/puppet/ssl/certs/$(hostname -f).pem" | |
| /etc/init.d/puppet restart | |
| #start services | |
| /etc/init.d/httpd start | |
| /etc/init.d/puppetdb start | |
| /etc/init.d/mcollective restart | |
| #### Whats next??? | |
| ## | |
| # Restart puppet server, eventually check puppet db to replace against a new cert as well /etc/puppetdb/ssl | |
| # | |
| # Everything should still work, but with the new CA cert | |
| # | |
| # Now replace the CA cert on all clients by puppet (or by hand), inspired by puppetlabs-certregen: | |
| # | |
| # put this stuff into an module and apply on all hosts: | |
| # fact, get path of the client cacert. | |
| # | |
| ## lib/facter/localcacert.rb: | |
| # | |
| # Facter.add(:localcacert) do | |
| # setcode { Puppet[:localcacert] } | |
| # end | |
| # | |
| ## puppet code: | |
| # | |
| # file { $::localcacert: | |
| # ensure => present, | |
| # # write first cacert from puppet server otherwise set the current cacert as backup | |
| # content => file($settings::cacert, $settings::localcacert), | |
| # owner => 'puppet', | |
| # group => 'puppet', | |
| # mode => '0644', | |
| # } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment