Feed Reader

SOP Certificate update

Mageia Wiki - 12 hours 59 minutes ago

Add Puppet link

← Older revision Revision as of 23:05, 8 February 2026 Line 29: Line 29:       # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/openldap/ldap.mageia.org.pem -out /etc/ssl/openldap/ldap.mageia.org.pem -subj '/CN=ldap.mageia.org'      # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/openldap/ldap.mageia.org.pem -out /etc/ssl/openldap/ldap.mageia.org.pem -subj '/CN=ldap.mageia.org'     += Puppet certificates =  +  +See [[Puppet_re-newing_CA_&_Certs]].     = Wild card certificate = = Wild card certificate = Danf
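Review bot: the new "Puppet certificates" section consists only of the link [[Puppet_re-newing_CA_&_Certs]], whereas the neighbouring sections of this SOP describe their procedure inline. One sentence saying what the linked page covers (that Puppet 2/3 cannot renew its CA automatically and the whole PKI, master and agents, is regenerated by hand before the roughly five-year CA lifetime ends) would let a reader of this SOP see at a glance that Puppet certificates are on a different renewal cadence from the openssl self-signed certificate shown just above.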
Categories: Mageia Wiki

Draklive2

Mageia Wiki - 8 February 2026 - 22:17

Describe {media}{bootloader_entries}{message} key (coming in v1.23)

← Older revision Revision as of 21:17, 8 February 2026 (One intermediate revision by the same user not shown)Line 550: Line 550:     <div style="padding-left: 3em;"> <div style="padding-left: 3em;">  +  +{{cmd|message}} (optional)  +  +:({{prog|draklive2}} v1.23 or later)  +  +:An arbitrary string specifying the message that will be briefly displayed after the menu entry is selected. This is displayed using the GRUB2 {{cmd|echo}} command just before executing the following GRUB2 command.  +  +:If not specified, no message will be displayed.     {{cmd|command}} (optional) {{cmd|command}} (optional) Line 584: Line 592:     :If not specified, {{prog|draklive2}} will use {{prog|grub2-mkimage}} to build the El Torito boot loader image. :If not specified, {{prog|draklive2}} will use {{prog|grub2-mkimage}} to build the El Torito boot loader image.  +  +===== {{cmd|iso_level}} (optional) =====  +  +:({{prog|draklive2}} v1.22 or later)  +  +:A number specifying the ISO 9660 conformance level for the iso9660 filesystem. This should be an integer number between 1 and 3. Level 3 allows the {{file|/loopbacks.distrib.sqfs}} file size to exceed 4GB.  +  +:If not specified, a level 3 iso9660 filesystem will be created.     ===== {{cmd|iso_part_start}} (optional) ===== ===== {{cmd|iso_part_start}} (optional) ===== Martinw
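Review bot: the {{cmd|message}} description says the string is passed to the GRUB2 {{cmd|echo}} command but not how it is quoted when written into the generated GRUB2 configuration. Since the value is documented as "an arbitrary string", state whether characters GRUB2 itself interprets (double quotes, $, backslash) are escaped by {{prog|draklive2}} or must be avoided by the person writing the configuration; otherwise a message containing them will produce a malformed or altered menu entry. The {{cmd|iso_level}} entry could likewise say what happens when the value is outside 1 to 3 (rejected, or passed through to the ISO tool).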
Categories: Mageia Wiki

Puppet REeewing Certs

Mageia Wiki - 8 February 2026 - 18:21

Maat moved page Puppet REeewing Certs to Puppet re-newing CA & Certs: Just renaming

New page

'''Note: Last update 8 Feb 2026 -> Next renewal before Feb 2031'''

= Puppet 2/3 PKI Management =

== Context ==

Puppet v2/v3 does not support automatic CA renewal.

The Puppet CA certificate has a limited lifespan (typically ~5 years by default).

Before or after expiration, the procedure is the same: regenerate the full PKI (master + agents).

Operational difference:
* Before expiration → planned maintenance, minimal disruption.
* After expiration → agents stop communicating, urgent manual intervention required.

== CA / PKI Rotation Procedure ==

=== 1. On the Puppet Master ===

# Stop the Puppet service:
service puppetmaster stop

# Backup the existing PKI:
mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old.$(date +%F)

# Create a fresh, empty PKI directory owned by the puppet user (the old one was moved aside above):
mkdir /var/lib/puppet/ssl
chown puppet:puppet /var/lib/puppet/ssl/
chmod 775 /var/lib/puppet/ssl/

# Generate a new CA and master certificate:
puppet cert generate $(hostname -f) --ca

# Restart the Puppet service:
service puppetmaster start

=== 2. On each Puppet Agent ===

Remove the local SSL certificates:

# Stop puppet agent
systemctl stop puppet

# Move the old SSL directory aside and create an empty one owned by the puppet user
mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old.$(date +%F)
mkdir /var/lib/puppet/ssl
chown puppet:puppet /var/lib/puppet/ssl/
chmod 775 /var/lib/puppet/ssl/

# Start puppet agent
systemctl start puppet

=== 3. Back on Puppet Master ===

# On the master, list the pending (not yet signed) agent certificate requests
puppet cert list

# Sign agent certificates:
puppet cert sign <agent_hostname>

=== 4. On each Puppet Agent ===

# Re-run Puppet on the agent:
systemctl restart puppet

=== 5. Verification ===

On the master:

openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -dates

On each agent:

puppet agent -t --verbose

Expected outcome: Puppet applies the catalog without SSL errors.

== Best Practices ==

Monitor CA expiration with:

openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -enddate

Schedule rotation before expiration (e.g., 90 days prior).

Backup the entire /var/lib/puppet/ssl directory before any changes.

Ensure master hostname (FQDN) and system time are correct.

[[Category:Sysadmin]] Maat
Categories: Mageia Wiki

Puppet REeewing Certs

Mageia Wiki - 8 February 2026 - 18:19

Puppet CA & Certs renewal every 5 year

New page

'''Nota : Last update 8 feb 2026 -> Next renewal before feb 2031'''

= Puppet 2/3 PKI Management =

== Context ==

Puppet v2/v3 does not support automatic CA renewal.

The Puppet CA certificate has a limited lifespan (typically ~5 years by default).

Before or after expiration, the procedure is the same: regenerate the full PKI (master + agents).

Operational difference:
Before expiration → planned maintenance, minimal disruption.
After expiration → agents stop communicating, urgent manual intervention required.

== CA / PKI Rotation Procedure ==

=== 1. On the Puppet Master ===

# Stop the Puppet service:
service puppetmaster stop

# Backup the existing PKI:
mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old.$(date +%F)

# Remove the old PKI:
mkdir /var/lib/puppet/ssl
chown puippet:puppet /var/lib/puppet/ssl/
chmod 775 /var/lib/puppet/ssl/

# Generate a new CA and master certificate:
puppet cert generate $(hostname -f) --ca

# Restart the Puppet service:
service puppetmaster start

=== 2. On each Puppet Agent ===

Remove the local SSL certificates:

# Stop puppet agent
systemctl stop puppet

# Remove old ssl
mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old.$(date +%F)
mkdir /var/lib/puppet/ssl
chown puippet:puppet /var/lib/puppet/ssl/
chmod 775 /var/lib/puppet/ssl/

# Start puppet agent
systemctl start puppet

=== 3. Back on Puppet Master ===

# On the master, list unsigned agent certificates
puppet cert list

# Sign agent certificates:
puppet cert sign <agent_hostname>

=== 4. On each Puppet Agent ===

# Re-run Puppet on the agent:
systemctl restart puppet

=== 5. Verification ===

On the master:

openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -dates

On each agent:

puppet agent -t --verbose

Expected outcome: Puppet applies the catalog without SSL errors.

== Best Practices ==

Monitor CA expiration with:

openssl x509 -in /var/lib/puppet/ssl/ca/ca_crt.pem -noout -enddate

Schedule rotation before expiration (e.g., 90 days prior).

Backup the entire /var/lib/puppet/ssl directory before any changes.

Ensure master hostname (FQDN) and system time are correct.

[[Category:Sysadmin]] Maat
Categories: Mageia Wiki