2019-09-24 02:24 PM
Hello, our Netwitness infrastructure is getting quite old and was installed over 5 years ago.
As a result, the Puppet CA certificate and all the agent certificates are due to expire in about 2 months' time.
When running puppet agent -t I get the error:
Info: Loading facts
Info: Retrieving pluginfacts
Warning: Certificate 'Puppet CA: 7e76ca89-a38d-4759-a5ad-cbabdd122b4a' will expire on 2019-11-16T13:53:56GMT
Warning: Certificate '7e76ca89-a38d-4759-a5ad-cbabdd122b4a' will expire on 2019-11-16T13:53:57GMT
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for 7e76ca89-a38d-4759-a5ad-cbabdd122b4a
Info: Applying configuration version '1569293923'
Similar messages are seen on all the devices in our Netwitness infrastructure.
What are the steps needed to renew the CA and the agent certificates?
Note: I am aware that 10.6.6.1 is end of life in October, but it is still currently supported. Thanks for your help.
2019-09-24 08:56 PM
Hi David,
AFAIK, Puppet does not provide functionality to auto-renew the certificate.
Hence, you need to follow the steps mentioned in https://puppet.com/docs/puppet/3.8/ssl_regenerate_certificates.html to manually renew the certificate and then re-provision the hosts.
Do you plan to upgrade the environment to 11.3.x before the EOPS date?
In 11.3, you can renew the certificate using the cert-reissue command as described in Appendix B. Reissue Certificates, so it would be much easier to renew the certificates after the migration.
I will send you an email from the Support case to provide you the steps for clearing the puppet certificates in 10.6.x.
Thanks,
James
2019-09-25 05:29 AM
Hi James,
I followed the steps at:
https://arrfab.net/posts/2019/Apr/29/renewextend-puppet-capuppetmasterd-certs/
as recommended and this replaced the CA Certificate.
I then had to replace the puppet agent certificate on the same server.
I replaced this with
puppet cert clean <node_id>
followed by deleting the existing client certificate under /var/lib/puppet/ssl/certs/
I then reran puppet agent -t
Which generated a new certificate
I then ran puppet cert sign --all
This then got everything working.
It looks like it was just the SA Server and CA that had a certificate running out. The others are good until 2022 so I can live with that.
Thanks for your help.
2019-09-25 06:28 PM
Thanks David for the confirmation and updated steps!
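Added example (not part of the original thread or of any NetWitness or Puppet tooling): a small triage script that reads captured `puppet agent -t` output from several hosts, extracts the expiry warnings in the format quoted in the first post, and lists which CA and agent certificates need reissuing first. The host names and the reference date are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Expiry warning format printed by `puppet agent -t`, as quoted in the first post.
WARNING_RE = re.compile(
    r"Warning: Certificate '(?P<subject>[^']+)' will expire on "
    r"(?P<expiry>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})GMT")

def parse_expiry_warnings(agent_output):
    """Return (kind, name, expiry_utc) per warning; kind is 'ca' or 'agent'."""
    found = []
    for m in WARNING_RE.finditer(agent_output):
        subject = m.group("subject")
        kind, name = "agent", subject
        if subject.startswith("Puppet CA: "):
            kind, name = "ca", subject[len("Puppet CA: "):]
        expiry = datetime.strptime(m.group("expiry"), "%Y-%m-%dT%H:%M:%S")
        found.append((kind, name, expiry.replace(tzinfo=timezone.utc)))
    return found

def triage(outputs_by_host, now):
    """Rows for every warned certificate, soonest expiry first, CA before agent."""
    rows = []
    for host, text in outputs_by_host.items():
        for kind, name, expiry in parse_expiry_warnings(text):
            rows.append({"host": host, "kind": kind, "cert": name,
                         "expires": expiry, "days_left": (expiry - now).days})
    return sorted(rows, key=lambda r: (r["expires"], r["kind"] != "ca"))

# Constructed input: host names are hypothetical; the first host's lines are the
# warnings quoted in the thread, the second is a node that printed no warning.
SAMPLE_OUTPUTS = {
    "sa-server": (
        "Info: Retrieving pluginfacts\n"
        "Warning: Certificate 'Puppet CA: 7e76ca89-a38d-4759-a5ad-cbabdd122b4a' "
        "will expire on 2019-11-16T13:53:56GMT\n"
        "Warning: Certificate '7e76ca89-a38d-4759-a5ad-cbabdd122b4a' "
        "will expire on 2019-11-16T13:53:57GMT\n"
        "Info: Retrieving plugin\n"),
    "decoder-01": "Info: Retrieving pluginfacts\nInfo: Retrieving plugin\n",
}
NOW = datetime(2019, 9, 24, tzinfo=timezone.utc)  # constructed reference date

if __name__ == "__main__":
    for row in triage(SAMPLE_OUTPUTS, NOW):
        print("{host:12} {kind:5} {cert}  {expires:%Y-%m-%d}  {days_left}d".format(**row))
```

A host that prints no warning simply produces no rows, which matches the outcome reported in the thread where only the SA Server and CA certificates were close to expiry.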