Regenerate Ssl

Version 2 (Anonymous, 03/13/2010 08:02 pm)

# Regenerating Puppet SSL Certificates

A bug in the
[Debian-shipped OpenSSL libraries](http://metasploit.com/users/hdm/tools/debian-openssl/)
has caused many of us to need to entirely regenerate all of
Puppet's SSL certificates.

The general flow for doing this:

1.  Update your openssl packages using apt-get or aptitude
2.  Stop your Puppetmaster(s)
3.  Stop puppetd on the clients
4.  Remove (or rename) the certificate directories ($ssldir)
5.  Start a webrick Puppetmaster to regenerate your certificates
6.  Restart your Puppetmaster
7.  Start puppetd on all your clients
8.  Sign the certificates

## Automation

Below is a Capistrano task that will do this for you, in parallel.
It works for us, but since we're doing things like deleting
directories in parallel, make sure you understand and trust it
before you use it.

What follows are instructions on using this Capistrano task.

## Install Capistrano

    $ gem install capistrano

## Create puppet\_ssl\_cleanup.rb

Create a file called "puppet\_ssl\_cleanup.rb", using the contents
found here. (Or download the file attached to this page.)

    #
    # Make sure you set these constants properly!
    #
    
    # Set this to true if you are autosigning your certificates
    AUTOSIGN = false
    
    # Set this to the commands you need to run to stop your puppetmasterd
    PUPPETMASTERD_STOP = [
      "/etc/init.d/puppetmasterd stop",
      "/etc/init.d/mongrel-puppetmasterd stop",
    ]
    
    # Set this to the commands you need to start your puppetmasterd
    PUPPETMASTERD_START = [
      "env SVWAIT=30 /etc/init.d/mongrel-puppetmasterd start",
      "env SVWAIT=30 /etc/init.d/puppetmasterd start",
    ]
    
    # Set this to the commands you need to stop puppetd on the clients
    PUPPETD_STOP = [ "/etc/init.d/puppetd stop" ]
    
    # Set this to the commands you need to start puppetd on the clients
    PUPPETD_START = [ "/etc/init.d/puppetd start" ]
    
    # Set this to the location of your puppet SSL directories
    PUPPET_SSL_LOCATION = "/etc/puppet/ssl"
    
    # Set this to the URL of your iclassify server, if you have one
    ICLASSIFY_SERVER = "https://iclassify.sfo.trusera.com"
    
    # A failed require raises LoadError, which a bare rescue does not catch,
    # so name it explicitly.
    has_iclassify = false
    begin
      require '/srv/icagent/lib/iclassify'
      has_iclassify = true
    rescue LoadError
    end
    
    # sudo needs a pty on the remote hosts
    default_run_options[:pty] = true
    
    if has_iclassify
      set(:query, ENV["QUERY"]) if ENV.has_key?("QUERY")
      set(:query) do 
        Capistrano::CLI.ui.ask "iClassify Query: "
      end unless exists?(:query)
    
      set(:password, ENV["PASSWORD"]) if ENV.has_key?("PASSWORD")
    
      set(:ic_user, ENV["USER"]) unless exists?(:ic_user)
      if ENV.has_key?('IC_SERVER')
        set(:ic_server, ENV["IC_SERVER"])
      else
        set(:ic_server, ICLASSIFY_SERVER)
      end
    
      ic = IClassify::Client.new(ic_server, ic_user, password)
      ic_nodes = ic.search(query, [ 'fqdn' ])
    
      ic_nodes.each do |node|
        role :clients, node.attrib?('fqdn')
      end
    else
      set(:clients) do
        Capistrano::CLI.ui.ask "Comma separated list of clients to clean: "
      end unless exists?(:clients)
      clients.split(",").each do |c|
        role :clients, c
      end
    end
    
    # State which system the Puppet Master is
    set(:master) do 
      Capistrano::CLI.ui.ask "Puppet Master FQDN:"
    end unless exists?(:master)
    
    role :master, master
    
    task :stop_puppetmasterd, :roles => :master do
      run_command(PUPPETMASTERD_STOP)
    end
    
    task :start_puppetmasterd, :roles => :master do
      run_command(PUPPETMASTERD_START)
    end
    
    task :stop_puppetd do
      run_command(PUPPETD_STOP)
    end
    
    task :start_puppetd do
      run_command(PUPPETD_START)
    end
    
    task :rm_certs do
      sudo("rm -rf #{PUPPET_SSL_LOCATION}")
    end
    
    # Oh, what a dirty, dirty thing this is. 
    # If you are running mongrel, though, your puppetmasterd will never re-generate your certs
    # So this is going to do the right thing for you
    # Please forgive me.
    task :generate_ca_cert, :roles => :master do
      sudo("puppetmasterd --daemonize")
      logger.info("Waiting 30 seconds for the Puppetmaster to start and generate CA") 
      sleep 30
      sudo("killall -9 puppetmasterd") 
    end
    
    task :generate_certs, :roles => :clients do
      # Stagger the clients by a random delay so they do not all hit the master at once
      run(%{ruby -e 'i = rand(60); puts "Sleeping " + i.to_s; sleep i'})
      # The run exits non-zero (no signed cert yet); "exit 0" keeps Capistrano going
      sudo("sh -c 'puppetd --onetime --debug --ignorecache --no-daemonize --server #{master}; exit 0'")
    end
    
    task :sign_all, :roles => :master do
      sudo("puppetca --sign --all") unless AUTOSIGN
    end
    
    task :rebuild_certs do
      logger.info("Stopping Puppetmasterd")
      stop_puppetmasterd
      logger.info("Stopping Puppetd")
      stop_puppetd
      logger.info("Removing Certificates")
      rm_certs
      logger.info("Regenerating CA Certificates")
      generate_ca_cert
      logger.info("Starting Puppetmasterd")
      start_puppetmasterd
      logger.info("Running puppetd to generate certificates")
      generate_certs
      logger.info("Signing all waiting requests")
      sign_all
      logger.info("Starting Puppetd")
      start_puppetd
      logger.info("Certificates regenerated!")
    end
    
    # Run each command in the list under sudo on the hosts of the current role
    def run_command(const)
      const.each do |cmd|
        sudo(cmd)
      end
    end

At the top of the script are a set of constants, which you need to
edit for your environment. They involve how to start/stop your
puppetmasterd, puppetd, and where your SSL certificates are stored
on the filesystem. Edit those now.

## Running the Task

The task that ties all the steps together is `rebuild_certs`. If you
are using iClassify, you can run it as follows:

    $ cap -f puppet_ssl_cleanup.rb -S master=fqdn_puppetmaster -S query="domain:example.com" rebuild_certs

If you are not running iClassify (which I expect is most of you, at
this point) you will need to specify the clients to clean as well;
the variable is `clients`, matching the `exists?(:clients)` check in
the script:

    $ cap -f puppet_ssl_cleanup.rb -S master=fqdn_puppetmaster -S clients=fqdn1,fqdn2,fqdn3 rebuild_certs

If you need to run the script as a user other than yourself (as
root, say) add -S user=root to the command.
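Once `rebuild_certs` has finished, the thing worth confirming is that no node is still presenting a certificate issued by the old CA, and that every node certificate was created after the old `$ssldir` was removed. The Ruby below is an added check, not part of the original page or the Capistrano task; it uses only the standard-library OpenSSL binding. It builds constructed sample certificates in memory (an old CA, a new CA and three node certificates) to stand in for `$ssldir/ca/ca_crt.pem` and `$ssldir/certs/<fqdn>.pem`, and classifies each node as signed by the old CA, signed by the new CA but dated before the cutoff (clock skew), or OK. The hostnames, the cutoff and the file layout are assumptions.

```ruby
require 'openssl'

# Issue an X.509 v3 certificate. With no issuer it is self-signed (a CA).
def issue_cert(cn, key, not_before, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 5 * 365 * 86400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Classify one node certificate against the CA that should now live in
# $ssldir/ca/ca_crt.pem. `cutoff` is the time rm_certs ran on the master.
def cert_status(ca_pem, node_pem, cutoff)
  ca = OpenSSL::X509::Certificate.new(ca_pem)
  node = OpenSSL::X509::Certificate.new(node_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  return :not_signed_by_new_ca unless store.verify(node)  # chains to the old CA, or nothing
  return :predates_regeneration if node.not_before < cutoff
  :ok
end

# Audit a set of fqdn => PEM pairs; returns fqdn => status.
def audit_nodes(ca_pem, nodes, cutoff)
  nodes.transform_values { |pem| cert_status(ca_pem, pem, cutoff) }
end

# Constructed sample data (not real $ssldir contents): the CA that was deleted,
# the CA puppetmasterd generated afterwards, and three node certificates.
def build_sample
  now = Time.now
  cutoff = now - 3600                                    # assumed moment rm_certs ran
  old_ca_key = OpenSSL::PKey::RSA.new(2048)
  old_ca = issue_cert("old-puppet-ca", old_ca_key, now - 2 * 86400, ca: true)
  new_ca_key = OpenSSL::PKey::RSA.new(2048)
  new_ca = issue_cert("new-puppet-ca", new_ca_key, cutoff, ca: true)
  node_key = OpenSSL::PKey::RSA.new(2048)
  nodes = {
    # never re-ran puppetd: still carries a cert from the old CA
    "stale.example.com" => issue_cert("stale.example.com", node_key, now - 2 * 86400,
                                      issuer_cert: old_ca, issuer_key: old_ca_key, serial: 2).to_pem,
    # signed by the new CA but its clock is behind, so notBefore precedes the cutoff
    "skewed.example.com" => issue_cert("skewed.example.com", node_key, now - 7200,
                                       issuer_cert: new_ca, issuer_key: new_ca_key, serial: 3).to_pem,
    # the expected outcome of rebuild_certs
    "fresh.example.com" => issue_cert("fresh.example.com", node_key, now - 1800,
                                      issuer_cert: new_ca, issuer_key: new_ca_key, serial: 4).to_pem,
  }
  [new_ca.to_pem, nodes, cutoff]
end

if __FILE__ == $0
  ca_pem, nodes, cutoff = build_sample
  audit_nodes(ca_pem, nodes, cutoff).each { |fqdn, status| puts "#{fqdn}: #{status}" }
end
```

To run this against a real deployment, replace `build_sample` with `File.read` of the CA certificate and of each file under `$ssldir/certs/`, and take the cutoff from the time you ran the task. The check only proves the certificates are new and chain to the new CA; whether a key itself is one of the weak Debian keys is a separate question, answered by comparing it against the blacklists shipped in Debian's openssl-blacklist package.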