Puppet after 5 years, when certificates expire?


I'm reading that the default expiry date for puppet certificates is 5 years, and can be set with the attribute ca_ttl in puppet.conf.

I have 2 questions, given a setup of many agents connecting to a puppet master.

  1. What happens when an agent's certificate expires? Does it automatically create a new one on check-in to the master, or does this need to be done manually?

  2. What happens when the CA certificate expires? Does the setup become completely disconnected, requiring you to SSH into each agent to remove expired certificates?


Solution

  • Agent Certificate Expiry

    When an agent's certificate expires, future agent check-ins will fail very early on. I can't remember the exact error, but it'll be something like:

    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.

    When that happens, you have to delete the cert from the master, regenerate the certificate on the agent and then re-sign the certificate on the master. This will only affect the one agent.

    The full process is documented here: https://docs.puppet.com/pe/latest/agent_cert_regen.html

    NB: This is often fairly rare, as most people try to go for a livestock not pets estate, where machines are spun up and down frequently enough that agent machines don't exist for over 5 years.

  • PuppetServer/master Certificate Expiry

    When the CA certificate itself expires, then everything is stopped: no communication can exist because the authority itself has expired. This is more common because a Puppet Master is more likely to exist for over 5 years.

    But yes: if the certificate had already expired you'd need another way to configure things, such as SSH, console access or WinRM.

    Puppet actually created a helper module to help with this process, as the OpenSSL steps are a little fiddly to try and do manually:

    https://github.com/puppetlabs/puppetlabs-certregen

    The manual process is also here:

    https://docs.puppet.com/puppet/latest/ssl_regenerate_certificates.html
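Both failure modes described in the answer only show up after a certificate has already expired, so a check that warns while there is still time to regenerate is worth running on the master. The script below is an added example, not code from the question, the answer or Puppet's own tooling; it assumes the default ssldir layout under /etc/puppetlabs/puppet/ssl, that the agent certname is the FQDN (both overridable via CA_CERT and AGENT_CERT), and that openssl is on PATH. It converts openssl's notAfter date with POSIX arithmetic so it also works where GNU `date -d` is unavailable.

```shell
#!/bin/sh
# Warn before Puppet's CA or agent certificate reaches the end of ca_ttl.
# Paths are the default ssldir layout (an assumption; override via environment).
CA_CERT="${CA_CERT:-/etc/puppetlabs/puppet/ssl/certs/ca.pem}"
AGENT_CERT="${AGENT_CERT:-/etc/puppetlabs/puppet/ssl/certs/$(hostname -f 2>/dev/null).pem}"
WARN_DAYS="${WARN_DAYS:-90}"    # start warning this many days before expiry

# to_epoch "Mon DD HH:MM:SS YYYY GMT": the date format printed by
# `openssl x509 -noout -enddate`, converted to Unix time with POSIX arithmetic
# only (days-from-civil algorithm), so GNU `date -d` is not required.
to_epoch() {
    set -- $1
    case "$1" in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=${2#0}; y=$4; h=${3%%:*}; r=${3#*:}; mi=${r%%:*}; s=${r#*:}
    h=${h#0}; mi=${mi#0}; s=${s#0}    # strip leading zero: "08" would be octal
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + h * 3600 + mi * 60 + s ))
}

# days_until NOTAFTER_LINE [NOW_EPOCH]: whole days left (negative once expired)
days_until() {
    exp=$(to_epoch "${1#notAfter=}") || return 1
    now=${2:-$(date +%s)}
    echo $(( (exp - now) / 86400 ))
}

# classify DAYS WARN_DAYS: EXPIRED, WARNING or OK
classify() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le "$2" ]; then echo WARNING
    else echo OK; fi
}

# check_cert LABEL PATH: report the cert's status; succeeds only when it is OK
check_cert() {
    [ -r "$2" ] || { echo "$1: cannot read $2"; return 2; }
    enddate=$(openssl x509 -noout -enddate -in "$2") || return 2
    days=$(days_until "$enddate"); status=$(classify "$days" "$WARN_DAYS")
    echo "$1: $status ($days days left, expires ${enddate#notAfter=})"
    [ "$status" = OK ]
}

# Check the CA first: once it expires, every agent loses contact with the master.
if [ -r "$CA_CERT" ]; then check_cert CA "$CA_CERT"; check_cert agent "$AGENT_CERT"; fi
```

Run it from cron on the master and alert on any non-zero exit; a WARNING on the CA line is the signal to schedule the certregen procedure while agents can still talk to the master.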