Puppet Enterprise uses a signed certificate to authenticate against the certificate authority (CA) built into Puppet Server. When the CA certificate expires, Puppet services no longer accept any certificates signed by that CA, and your Puppet infrastructure immediately stops working. If your CA certificate has expired or is nearing expiration, you can use the Bolt plans and tasks from the puppetlabs-ca_extend module to:
- Generate a CA certificate with a new expiry date using the existing CA keypair.
- Distribute the new CA certificate to your agent nodes.
- Check the expiry date of the CA cert and agent certificates.
Error messages
During a Puppet run, if the CA certificate is expired, you get an error similar to either of the following:
Info: Not using expired certificate for ca from cache; expired at <DATE>
Error: Could not run: stack level too deep
Error: The certificate 'CN=Puppet Enterprise CA generated on <SERVER> at <DATE> has expired, verify time is synchronized
Version and installation information
PE version: All supported
PE installation type: All infrastructure on the primary server, with or without compilers
Bolt installation: Bolt is either installed on a client machine that can SSH to your infrastructure nodes or directly on the primary server
Bolt version: 1.8.0 and later
Solution
Use the Bolt plans and tasks from the puppetlabs-ca_extend module to:
- Generate a CA certificate with a new expiry date using the existing CA keypair.
- Distribute the new CA certificate to your agents.
- Check the expiry date of the CA cert and agent certificates.
Instructions and examples are provided in the ca_extend module documentation.
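The third step above, checking the expiry of the CA cert and an agent cert, can be done on the primary server without Bolt. The following POSIX shell script is an added example and not code from the ca_extend module; it assumes Puppet's default ssldir layout (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem for the CA cert and /etc/puppetlabs/puppet/ssl/certs/<certname>.pem for the agent cert), which you can override with the PUPPET_CA_CERT and PUPPET_AGENT_CERT environment variables.

```shell
#!/bin/sh
# Added example (not part of ca_extend): report how close the Puppet CA cert and
# this node's agent cert are to expiry, so a renewal can be planned before Puppet
# runs start failing. Paths are ASSUMED Puppet defaults; override via environment.
PUPPET_CA_CERT="${PUPPET_CA_CERT:-/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem}"
agent_name=$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown-host)
PUPPET_AGENT_CERT="${PUPPET_AGENT_CERT:-/etc/puppetlabs/puppet/ssl/certs/$agent_name.pem}"

# cert_status FILE DAYS
# Prints "<notAfter> <STATE>" and returns 0 (OK: valid for more than DAYS days),
# 1 (EXPIRING within DAYS days), 2 (already EXPIRED) or 3 (file unreadable).
cert_status() {
  file="$1"; days="$2"
  if [ ! -r "$file" ]; then
    echo "MISSING (cannot read $file)"; return 3
  fi
  not_after=$(openssl x509 -noout -enddate -in "$file" | sed 's/^notAfter=//')
  # -checkend N exits non-zero if the cert expires within the next N seconds
  if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
    echo "$not_after EXPIRED"; return 2
  fi
  if ! openssl x509 -noout -checkend $((days * 86400)) -in "$file" >/dev/null 2>&1; then
    echo "$not_after EXPIRING"; return 1
  fi
  echo "$not_after OK"; return 0
}

# make_test_cert OUTFILE DAYS: constructed self-signed cert used only to try the
# check offline (the private key is discarded); never use this for a real CA.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=constructed test CA" -keyout /dev/null -out "$1" >/dev/null 2>&1
}

# Print the local clock next to the expiry dates: the "verify time is synchronized"
# error message above is only meaningful if this clock is right.
echo "local time (UTC): $(date -u)"
for f in "$PUPPET_CA_CERT" "$PUPPET_AGENT_CERT"; do
  printf '%s: ' "$f"
  cert_status "$f" 90 || true   # exit code is informational here
done
```

Run it as a user that can read the CA directory (normally root on the primary server); an EXPIRING state within your renewal window is the cue to schedule the ca_extend::extend_ca_cert plan.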
Frequently asked questions
- When using the compilers parameter, how does the Bolt plan that extends the CA cert, ca_extend::extend_ca_cert, communicate with compilers?
  Via SSH. The host that you're running the plan from must have SSH access to your compilers.
- Can I extend the cert by running ca_extend::extend_ca_cert using the PE Orchestrator instead of using Bolt with SSH transport?
  No, the ca_extend::extend_ca_cert plan cannot be run via Puppet Communications Protocol (PCP) transport because the plan restarts services.
- Can I distribute the new CA certificate to agents by running ca_extend::upload_ca_cert using the PE Orchestrator instead of using Bolt with SSH transport?
  No, the ca_extend::upload_ca_cert plan was written to be used with Bolt via SSH transport. If the original CA certificate has not yet expired, consider using Puppet to distribute the new certificate as an alternative to using the ca_extend::upload_ca_cert plan. The ca_extend docs provide an example of using a Puppet file resource to distribute the new CA certificate.
- Do I have to install Bolt separately to run the Bolt plans and tasks from puppetlabs-ca_extend?
Comments
What version of bash is required to run puppetlabs-ca_extend?
I have puppet master on a rhel6 server and it's not supporting this task.
We have tested that the module is working on RHEL6. The issue that now remains is that Kevin's environment doesn't have Internet access in order to install Bolt and modules. Seeking commands to manually extend the ca cert.
Servers with access to external networks are typically security concerns. In these modern enterprise environments, how do we install Bolt and modules manually?
Hi Larry,
I'm going to pass the Bolt install docs on to you here, which I hope is a help: https://puppet.com/docs/bolt/latest/bolt_installing.html
We've got some practice labs for Bolt here: https://learn.puppet.com/practicelabcatalog
As the team's technical writer, I know there are several ways to install modules, so I can point you to this page, as a start: https://puppet.com/docs/pe/2021.2/managing_puppet_code.html
I'll let our Belfast team know about your questions; they might have something better to point you at.
If you need help on specifics, please go ahead and open a ticket with us.