Hi,
Our CA cert is starting to age and is expiring in some months. So are there known procedures to replace the CA certificate ? Same to expiring client (puppet) certificates.
Regards,
Gerwin
Hi Gerwin,
Good question! I am wondering the same. Did you find a solution yet?
Regards,
Eelko B.
I partly got it done by the help from Fabinan at https://arrfab.net/posts/2019/Apr/29/renewextend-puppet-capuppetmasterd-certs/
So it seems the Puppetserver is using the new (CA) certificates and the theforeman frontend too. They all getting the certs from /etc/puppetlabs/puppet/ssl.
Issue left:
The days left in “CA Certificate Expiry Date” smartproxy still shows the old amount of days before expiring. Is it possible Foreman is getting the CA cert from /etc/pki by any chance?
When you’re using Puppetserver 5 it should be based on what puppet cert list outputs. Puppetserver 6 uses the REST API. That probably still lists the old CA.
I think the UI logic for CA is very simple in that it assumes the oldest signed certificate is the CA.
It shouldn’t be using /etc/pki.
He Ewoud,
Thanks for pointing me to the correct direction. The procedure creates a new host certificate outside the ssl/ca/signed directorie. So I did the following:
- cp /etc/puppetlabs/puppet/ssl/ca/signed/.pem cp /etc/puppetlabs/puppet/ssl/ca/signed/.old
- cp /etc/puppetlabs/puppet/ssl/certs/.pem /etc/puppetlabs/puppet/ssl/ca/signed
Now puppet cert list lists the new certificate. But indeed the Foreman frontend keeps posting the old expire date. I found out the expiry date is being found by:
def expiry
ca_cert = find_by_state('valid').select {|c| c.valid_from.present?}.min_by(&:valid_from)
if ca_cert.present?
ca_cert.expires_at
else
_("Could not locate CA certificate.")
end
end
And after this point i’m lost as my ruby knowledge is very low 
But I think the conclusion is that Foreman is not using puppet cert -all . So any clue?
This is where it should build the list of certificates from:
Note that it’s all in smart-proxy (Foreman Proxy) and Foreman only queries its proxy.
Ahh yes I found out it, and I logged it: I can confirm that /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all is being executed.
The sha256 from that list matched my new certificate so thats good. But does it mean that “I think the UI logic for CA is very simple in that it assumes the oldest signed certificate is the CA.” is the cause? And so yes, should I add an bug report?
Bedankt ewoud
Although when I goto the Certificate tab under PuppetCA and I look for the hostname, it shows me the expiry date of the old certificate. Is this cashed or saved somewhere else?
Maybe the easiest solution is to revoke the old CA (and any certificates signed by it) if all new clients have migrated. Then it should no longer match find_by_state('valid') and find the newer CA.
