Skip to main content

Check and fix the expiry date for your CA certificate in Puppet Enterprise

Adrian Parreiras Horta
  • Updated
Did this solve your problem?
2 out of 3 found this helpful

Puppet Enterprise uses a signed certificate to authenticate against the certificate authority (CA) built into Puppet Server. When the expiry date for the CA certificate has passed, your agents won’t be able to check in. You can use the Bolt plans and tasks in the puppetlabs-ca_extend module to:

  • Generate a CA certificate with a new expiry date.
  • Distribute the CA cert to your agents.
  • Check the expiry date of the CA cert and agent certificates.

Error messages

During a Puppet run, if the CA certificate is expired, you get an error similar to the following:

Info: Not using expired certificate for ca from cache; expired at <DATE> Error: Could not run: stack level too deep

Version and installation information

PE version: All supported
PE installation type: All infrastructure on the primary server, with or without compilers.
Bolt version: 1.8.0 and later
Bolt OS: A *nix OS (to run Bolt plans)
Bolt installation: On a client machine or the primary server

Solution

Install the puppetlabs-ca_extend module and its dependencies using Bolt. Use the Bolt plans and tasks to:

  • Generate a CA certificate with a new expiry date.
  • Distribute the CA cert to your agents.
  • Check the expiry date of the CA cert and agent certificates.

In most cases, the primary server certificate was issued at installation and has the same expiry date as the CA certificate. After generating the new CA certificate, check the expiration date of the primary server certificate by running the ca_extend::check_agent_expiry task against the primary server. If the primary server certificate is expired (or close to expiration), regenerate it by following the steps in our documentation.

Related articles

Comments

5 comments

Date Votes
  • Kevin Alexander

    What version of bash is required to run puppetlabs-ca_extend ? 

    I have puppet master on a rhel6 server and its not supporting this task.

    0
  • Henry Wang

    We have tested that the module is working on RHEL6. The issue now remains Kevin's environment doesn't have Internet access in order to install Bolt and modules. Seeking commands to manually extend the ca cert.

    -2
  • Larry Church

    Servers with access to external networks are typically security concerns. In these modern enterprise environments, how do we install Bolt and modules manually?

     

    0
  • Suzie Baunsgard

    Hi Larry, 

    I'm going to pass the Bolt install docs on to you here, which I hope is a help: https://puppet.com/docs/bolt/latest/bolt_installing.html

    We've got some practice labs for Bolt here: https://learn.puppet.com/practicelabcatalog

    As the team's technical writer, I know there's several ways to install modules, so I can point you to this page, as a start: https://puppet.com/docs/pe/2021.2/managing_puppet_code.html

    I'll let our Belfast team know about your questions, they might have something better to point you at. 

    0
  • Suzie Baunsgard

    If you need help on specifics, please go ahead and open a ticket with us.

    0

Please sign in to leave a comment.