
During initial configuration of the Puppet agent, the agent obtains a security certificate signed by an authority recognized by the master -- most often the master itself -- with which it will subsequently identify itself to the master. Does this certificate ever expire or require an update?

John Bollinger
James

1 Answer


Yes, all certificates signed by the Puppet CA have an expiration date, including agents' certificates, the master's certificate, and the CA's own self-signed certificate if in fact it is using such. The expiration timestamp is set by adding a fixed offset (specified by the configuration setting ca_ttl) to the date & time at which the cert is signed. The default ttl is five years, which is long enough to cover the full service life of all machines in many organizations.

More problematic than an agent's certificate expiring is the CA cert expiring. If you let that happen without configuring a new CA cert, then master and nodes will thereafter reject each other's certs, forcing you to manually configure new certs for all of them.

John Bollinger
  • And how long does the CA cert last? Or is it also 5 years? – James Oct 18 '15 at 00:47
  • The Puppet CA computes cert expiration the same way for all certs, including its own. So yes, with default settings, the CA's self-signed CA cert lasts 5 years. – John Bollinger Oct 18 '15 at 04:53
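The computation the answer describes, as an added example (not code from the question, the answer, or Puppet itself): `ca_ttl` is parsed using Puppet's duration syntax (`y`, `d`, `h`, `m`, `s`, with a year counted as 365 days and a bare integer taken as seconds), added to the signing time to get the expiry, and the resulting CA-cert expiry is checked against a warning window so a renewal can be planned before the master and agents start rejecting each other. The `warn_days` window and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Puppet duration units for settings such as ca_ttl; a year is 365 days.
_UNITS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ca_ttl(value: str) -> int:
    """Convert a ca_ttl value such as '5y', '60d' or '3600' into seconds."""
    value = value.strip()
    if value.isdigit():                      # bare integer: seconds
        return int(value)
    number, unit = value[:-1], value[-1]
    if unit not in _UNITS or not number.isdigit():
        raise ValueError(f"invalid ca_ttl duration: {value!r}")
    return int(number) * _UNITS[unit]


def not_after(signed_at: datetime, ca_ttl: str = "5y") -> datetime:
    """Expiry the CA assigns: signing time plus the fixed ca_ttl offset."""
    return signed_at + timedelta(seconds=parse_ca_ttl(ca_ttl))


def days_remaining(expiry: datetime, now: datetime) -> int:
    """Whole days until the certificate expires (negative once expired)."""
    return (expiry - now).days


def ca_expiry_status(expiry: datetime, now: datetime, warn_days: int = 180) -> str:
    """Classify a CA cert: 'expired', 'renew-soon' (inside the warning
    window), or 'ok'. warn_days is an illustrative operator-chosen value."""
    if expiry <= now:
        return "expired"
    if days_remaining(expiry, now) <= warn_days:
        return "renew-soon"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a CA cert signed when this question was asked.
    signed = datetime(2015, 10, 18, tzinfo=timezone.utc)
    expiry = not_after(signed, "5y")       # default ttl -> 2020-10-16
    for check in (datetime(2019, 1, 1, tzinfo=timezone.utc),
                  datetime(2020, 6, 1, tzinfo=timezone.utc),
                  datetime(2021, 1, 1, tzinfo=timezone.utc)):
        print(check.date(), expiry.date(), ca_expiry_status(expiry, check))
```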