Puppet agents authenticate to Puppet Server with certificates signed by the certificate authority (CA) built into Puppet Server. Once the expiry date of the CA certificate has passed, your agents can no longer check in. You can use the Bolt plans and tasks in the puppetlabs-ca_extend module to:
- Generate a CA certificate with a new expiry date.
- Distribute the CA cert to your agents.
- Check the expiry date of the CA cert and agent certificates.
Error messages
During a Puppet run, if the CA certificate is expired, you get an error similar to the following:
Info: Not using expired certificate for ca from cache; expired at <DATE>
Error: Could not run: stack level too deep
Version and installation information
PE version: All supported
PE installation type: All infrastructure on the primary server, with or without compilers.
Bolt version: 1.8.0 and later
Bolt OS: A *nix OS (to run Bolt plans)
Bolt installation: On a client machine or the primary server
Solution
Install the puppetlabs-ca_extend module and its dependencies using Bolt. Use the Bolt plans and tasks to:
- Generate a CA certificate with a new expiry date.
- Distribute the CA cert to your agents.
- Check the expiry date of the CA cert and agent certificates.
In most cases, the primary server certificate was issued at installation and therefore has the same expiry date as the CA certificate. After generating the new CA certificate, check the expiry date of the primary server certificate by running the ca_extend::check_agent_expiry task against the primary server. If the primary server certificate is expired, or close to expiring, regenerate it by following the steps in our documentation.
Comments
What version of bash is required to run puppetlabs-ca_extend?
I have a Puppet master on a RHEL 6 server and it's not supporting this task.
We have tested that the module is working on RHEL 6. The issue that now remains is that Kevin's environment doesn't have Internet access in order to install Bolt and modules. Seeking commands to manually extend the CA cert.
Servers with access to external networks are typically security concerns. In these modern enterprise environments, how do we install Bolt and modules manually?
Hi Larry,
I'm going to pass the Bolt install docs on to you here, which I hope is a help: https://puppet.com/docs/bolt/latest/bolt_installing.html
We've got some practice labs for Bolt here: https://learn.puppet.com/practicelabcatalog
As the team's technical writer, I know there are several ways to install modules, so I can point you to this page, as a start: https://puppet.com/docs/pe/2021.2/managing_puppet_code.html
I'll let our Belfast team know about your questions, they might have something better to point you at.
If you need help on specifics, please go ahead and open a ticket with us.