Puppet Cert Management

Generate a key pair and certificate request from the client side:
Make sure puppet is stopped and then run the init script with once -v. On its first run the agent creates a private key and a certificate signing request (CSR) under its ssldir (/var/lib/puppet/ssl), submits the CSR to the puppet master and waits for it to be signed; the agent never generates its own certificate, only the request.

/etc/init.d/puppet stop && /etc/init.d/puppet once -v

Sign the cert from the puppetmaster server side:
Signing the request on the puppet master authorizes the client to connect and obtain its configuration. Before signing, list the pending requests with puppet cert list and check that the fingerprint matches the one the agent printed during its once -v run, so you are not signing a request from an unexpected host.

puppet cert sign hostname.domainname

To revoke a puppet cert you run this from the puppetmaster:

puppet cert revoke hostname.domainname

This adds the certificate's serial to the CA's certificate revocation list (CRL); depending on the Puppet version the master process has to be restarted before it reloads the CRL and starts rejecting the revoked client. To remove the revoked certificate from the CA's store afterwards (clean also revokes if you have not already done so) run:

puppet cert clean hostname.domainname

Generating a new client cert:
Once a cert has been revoked and cleaned, running /etc/init.d/puppet once -v again does not start over: the agent still has its old private key and cached certificate in its ssldir, so it presents the same revoked material and you cannot sign it from the server side. If the master ends up holding a certificate for the host that was issued for a different key (for example after running puppet cert generate on the master), the agent fails with an error along the lines of:

"Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key"

To remove this from the client side and generate a new one, delete the agent's own key pair, cached certificate and pending request. On an agent the ssldir holds these under certs/, private_keys/, public_keys/ and certificate_requests/, named after the certname:

cd /var/lib/puppet/ssl && rm -f certs/hostname.domainname.pem private_keys/hostname.domainname.pem public_keys/hostname.domainname.pem certificate_requests/hostname.domainname.pem

Do not delete anything under ca/: that directory only exists on the CA master, and removing ca/ca_key.pem there destroys the CA private key and invalidates every certificate it has ever issued. Removing the private key is the point of this step; a key that belonged to a revoked certificate should not be reused for the new request.

Once you've removed all of those files, you may once again run the agent and it will generate a fresh key pair and a new CSR:

/etc/init.d/puppet once -v

Then on the server side, check the new request with puppet cert list and sign it:

puppet cert sign hostname.domainname
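The client-side cleanup above is the step that goes wrong most often, either because too little is removed (the old key survives and the agent resubmits it) or because the command is run on the CA master and takes ca/ with it. The following script is an added example, not part of the original post or of Puppet itself; the function names and the two-argument interface are assumptions, and the paths follow the classic /var/lib/puppet/ssl layout described above. It removes only the agent's own files, refuses to run anywhere a CA lives, and offers a check that the key really changed after the agent has re-run once -v.

```shell
#!/bin/sh
# Added example (not from the original post): reset a Puppet *agent's* SSL
# state so that "/etc/init.d/puppet once -v" generates a fresh key pair and
# CSR. Layout assumed: <ssldir>/{certs,private_keys,public_keys,
# certificate_requests}/<certname>.pem, as on Puppet 2.x/3.x agents.
#
# agent_reset_ssl SSLDIR CERTNAME
#   returns 0 on success, 1 on bad arguments, 2 if SSLDIR looks like a CA
#   master (ca/ca_key.pem or ca/signed present); in that case nothing is touched.
agent_reset_ssl() {
    ssldir=$1
    certname=$2
    [ -n "$ssldir" ] && [ -n "$certname" ] && [ -d "$ssldir" ] || return 1

    # Refuse to run on the CA: deleting ca/ca_key.pem would destroy the CA
    # private key and invalidate every certificate it has ever signed.
    if [ -e "$ssldir/ca/ca_key.pem" ] || [ -d "$ssldir/ca/signed" ]; then
        echo "refusing: $ssldir contains a CA; run this only on an agent" >&2
        return 2
    fi

    # The agent's own material: cached cert, private key, public key and any
    # pending CSR. certs/ca.pem and crl.pem belong to the CA, not to this host,
    # and are deliberately left in place.
    for f in "certs/$certname.pem" \
             "private_keys/$certname.pem" \
             "public_keys/$certname.pem" \
             "certificate_requests/$certname.pem"; do
        rm -f "$ssldir/$f"
    done
    return 0
}

# After the agent has re-run "once -v", confirm it really produced a new key.
# key_was_regenerated OLD_KEY_COPY NEW_KEY
#   returns 0 if the files differ, 1 if they are identical (the old key was
#   reused, which is what happens when private_keys/ was not cleaned).
key_was_regenerated() {
    old=$1
    new=$2
    [ -f "$old" ] && [ -f "$new" ] || return 1
    if cmp -s "$old" "$new"; then
        return 1
    fi
    return 0
}

# Typical use on the agent (hypothetical certname):
#   cp /var/lib/puppet/ssl/private_keys/node1.example.com.pem /root/oldkey.pem
#   agent_reset_ssl /var/lib/puppet/ssl node1.example.com
#   /etc/init.d/puppet once -v
#   key_was_regenerated /root/oldkey.pem \
#       /var/lib/puppet/ssl/private_keys/node1.example.com.pem && echo "new key"
#   shred -u /root/oldkey.pem
```

Keep the copy of the old key only long enough to run the comparison, then destroy it: it is the key of a revoked certificate and has no further legitimate use.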