puppet cert是管理Puppet证书签名的命令,在agent访问master时使用的是SSL安全套接字,优点是加密双方的通信数据,从而保证信息安全.puppet cert命令可以实现对证书的管理、授权、回收、显示和产生签名文件.
1、查看puppet cert帮助信息:(帮助文档注释过多,只截取参数部分)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
[root@puppet ~]
# puppet cert -h
* clean:
#--clean清理Master主机上存储的所有相关证书文件.
Revoke a host's certificate (
if
applicable) and remove all files
related to that host from puppet cert's storage. This is useful when
rebuilding hosts, since new certificate signing requests will only be
honored
if
puppet cert does not have a copy of a signed certificate
for
that host. If
'--all'
is specified
then
all host certificates,
both signed and unsigned, will be removed.
* fingerprint:
#打印证书的算法.
Print the DIGEST (defaults to the signing algorithm) fingerprint of a
host's certificate.
* generate:
#为指定的agent client域名签发一个证书文件.
Generate a certificate
for
a named client. A certificate
/keypair
will
be generated
for
each client named on the
command
line.
* list:
#在Master上可以列出目前Agent机器等待签发证书的信息.
List outstanding certificate requests. If
'--all'
is specified, signed
certificates are also listed, prefixed by
'+'
, and revoked or invalid
certificates are prefixed by
'-'
(the verification outcome is printed
in
parenthesis).
* print:
#打印证书的版本信息
Print the full-text version of a host's certificate.
* revoke:
#回收指定的Agent证书.
Revoke the certificate of a client. The certificate can be specified either
by its serial number (given as a hexadecimal number prefixed by
'0x'
) or by its
hostname
. The certificate is revoked by adding it to the Certificate Revocation
List given by the
'cacrl'
configuration option. Note that the puppet master
needs to be restarted after revoking certificates.
* sign:
#签署待认证的证书请求.
Sign an outstanding certificate request.
* verify:
#确认证书是否由本地CA签发.
Verify the named certificate against the
local
CA certificate.
* reinventory:
Build an inventory of the issued certificates. This will destroy the current
inventory
file
specified by
'cert_inventory'
and recreate it from the
certificates found
in
the
'certdir'
. Ensure the puppet master is stopped
before running this action.
OPTIONS(命令参数的子选项)
-------
Note that any setting that's valid
in
the configuration
file
is also a valid long argument. For example,
'ssldir'
is a valid
setting, so you can specify
'--ssldir <directory>'
as an
argument.
See the configuration
file
documentation at
http:
//docs
.puppetlabs.com
/references/stable/configuration
.html
for
the
full list of acceptable parameters. A commented list of all
configuration options can also be generated by running puppet cert with
'--genconfig'
.
* --all:
#所有.可以使用在'sign','clean', 'list',and 'fingerprint'。
Operate on all items. Currently only makes sense with the
'sign'
,
'clean'
,
'list'
, and
'fingerprint'
actions.
* --digest:
#设置指纹提取的摘要(默认为使用的摘要签署的证书)有效值为你的openssl和openssl ruby扩展版本.
Set the digest
for
fingerprinting (defaults to the digest used when
signing the cert). Valid values depends on your openssl and openssl ruby
extension version.
* --debug:
#调试模式
Enable full debugging.
* --help:
Print this help message
* --verbose:
Enable verbosity.
* --version:
Print the puppet version number and
exit
.
EXAMPLE
-------
$ puppet cert list
culain.madstop.com
$ puppet cert sign culain.madstop.com
|
2、举例演示:
后续演示依旧使用下面三台机器,直到写完puppet文章.
192.168.30.134 puppet
192.168.30.131 sh-web1
192.168.30.132 sh-proxy2
问题:Master上没有autosign.conf文件,需要手动签署认证,怎么操作或者说这台服务器下架,格式化完做别的用途,证书信息怎么处理?
1、Master上去掉autosign.conf文件.(windows svn客户端本地修改就行.)
2、重启puppetmaster 查看证书.(已经签署的证书,取消autosign.conf并没有影响.)
|
1
2
3
4
5
6
7
8
|
[root@puppet puppet]
# /etc/init.d/puppetmaster reload
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
[root@puppet puppet]
# puppet cert list --all
+
"puppet"
(SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"puppet.localdomain"
(SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"sh-proxy2.localdomain"
(SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39
+
"sh-web1.localdomain"
(SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
|
3、删除Master端sh-proxy2的证书认证文件.
--revoke让证书过期(默认证书过期时间5年,这个时间资料写的,我没确认过.),先让证书过期,然后再清理.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
[root@puppet puppet]
# puppet cert --revoke sh-proxy2.localdomain
Notice: Revoked certificate with serial 5
[root@puppet puppet]
# puppet cert list --all
+
"puppet"
(SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"puppet.localdomain"
(SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"sh-web1.localdomain"
(SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
-
"sh-proxy2.localdomain"
(SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39 (certificate revoked)
--clean清理掉sh-proxy2.localdomain的证书.
[root@puppet puppet]
# puppet cert --clean sh-proxy2.localdomain
Notice: Revoked certificate with serial 5
Notice: Removing
file
Puppet::SSL::Certificate sh-proxy2.localdomain at
'/var/lib/puppet/ssl/ca/signed/sh-proxy2.localdomain.pem'
Notice: Removing
file
Puppet::SSL::Certificate sh-proxy2.localdomain at
'/var/lib/puppet/ssl/certs/sh-proxy2.localdomain.pem'
[root@puppet puppet]
# puppet cert list --all
+
"puppet"
(SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"puppet.localdomain"
(SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"sh-web1.localdomain"
(SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
|
4、清理完puppetmaster需要重新启动下master.
|
1
2
3
4
5
6
7
|
[root@puppet puppet]
# /etc/init.d/puppetmaster reload
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
[root@puppet puppet]
# puppet cert list --all
+
"puppet"
(SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"puppet.localdomain"
(SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"sh-web1.localdomain"
(SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
|
5、删除掉sh-proxy2上的证书认证信息:
|
1
2
3
4
|
[root@sh-proxy2 puppet]
# find ./ -type f -name "sh-proxy2.localdomain*" -exec mv {} /tmp/ \;
[root@sh-proxy2 puppet]
# find ./ -type f -name "sh-proxy2.localdomain*"
[root@sh-proxy2 puppet]
# ls /tmp/
sh-proxy2.localdomain.json sh-proxy2.localdomain.pem yum.log
|
6、重启启动puppet agent服务,证书会自动重新生成.
|
1
2
3
4
5
6
7
|
[root@sh-proxy2 puppet]
# /etc/init.d/puppet restart
Stopping puppet agent: [ OK ]
Starting puppet agent: [ OK ]
[root@sh-proxy2 puppet]
# find ./ -type f -name "sh-proxy2.localdomain*"
.
/ssl/public_keys/sh-proxy2
.localdomain.pem
.
/ssl/private_keys/sh-proxy2
.localdomain.pem
.
/ssl/certificate_requests/sh-proxy2
.localdomain.pem
|
7、在puppet master上查看证书:(+代表已经签署认证的,没'+'代表未签署.)
|
1
2
3
4
5
|
[root@puppet puppet]
# puppet cert list --all
"sh-proxy2.localdomain"
(SHA256) A6:80:BF:8F:07:0C:CB:F1:47:8C:B3:08:B8:A7:FB:A3:E8:E2:D3:7A:CE:3F:0C:E3:66:77:E8:06:18:36:82:0C
+
"puppet"
(SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"puppet.localdomain"
(SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"sh-web1.localdomain"
(SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
|
8、手动签署证书.(当然为了省事也可以puppet cert sign --all签署所有待认证的.)
|
1
2
3
4
5
6
7
8
|
[root@puppet puppet]
# puppet cert sign sh-proxy2.localdomain
Notice: Signed certificate request
for
sh-proxy2.localdomain
Notice: Removing
file
Puppet::SSL::CertificateRequest sh-proxy2.localdomain at
'/var/lib/puppet/ssl/ca/requests/sh-proxy2.localdomain.pem'
[root@puppet puppet]
# puppet cert list --all
+
"puppet"
(SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"puppet.localdomain"
(SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names:
"DNS:puppet"
,
"DNS:puppet.localdomain"
)
+
"sh-proxy2.localdomain"
(SHA256) 6A:48:D0:4A:F3:4B:45:CE:D9:90:B1:FE:AA:91:6F:CB:06:50:17:BF:D1:D4:CE:1D:41:D2:9E:B5:24:AB:52:3A
+
"sh-web1.localdomain"
(SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
|
9、agent客户端测试:
|
1
2
3
4
5
6
|
[root@sh-proxy2 ~]
# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog
for
sh-proxy2.localdomain
Info: Applying configuration version
'1504752428'
Notice: Finished catalog run
in
0.01 seconds
|
注意:puppet cert list 查看的只是master端待认证的agent端证书,使用--all可以查看未认证和认证的agent证书请求,'+'区分二者.
本文转自青衫解衣 51CTO博客,原文链接:http://blog.51cto.com/215687833/1963453
