Another way to inspect the certificates is to list the master's ssldir:
[root@Master-node ~]# tree /var/lib/puppet/ssl/ // the tree command can be installed with "yum install -y tree"
/var/lib/puppet/ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   │   └── ca.pass
│   ├── requests
│   ├── serial
│   └── signed
│       ├── agent-node1.pem
│       ├── agent-node2.pem
│       ├── agent-node3.pem
│       └── master-node.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── master-node.pem
├── crl.pem
├── private
├── private_keys
│   └── master-node.pem
└── public_keys
    └── master-node.pem
Finally, test the motd module on the agent side (that is, the client fetches its signed certificate):
[root@Agent-node1 ~]# puppet agent --test // --test can also be abbreviated as -t
Info: Caching certificate for agent-node1
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for agent-node1
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent-node1
Info: Applying configuration version '1495876267'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.06 seconds
-------------------------------------------------------------------------------
You can also run "puppet agent --no-daemonize --onetime --verbose --debug" directly to print detailed information about the certificate request process:
--no-daemonize   stay in the foreground and write the log to the terminal
--verbose        more detailed logging
--debug          even more detailed logging, used when troubleshooting
--test           test mode; passing --test on its own is enough
-------------------------------------------------------------------------------
------------------------------- Certificate management ------------------------------
Use this when a problem requires re-requesting a certificate or reinstalling Puppet: the certificate must be revoked and then deleted.
Revoking a certificate means invalidating it (--revoke):
[root@Master-node ~]# puppet cert --revoke agent-node1
Notice: Revoked certificate with serial 10
[root@Master-node ~]# puppet cert --list --all // as shown below, a revoked certificate is listed with a "-" sign
+ "agent-node2" (SHA256) 63:BF:AA:C2:C5:1E:A6:64:47:72:85:B3:4B:32:3E:07:C3:70:8D:86:D3:86:53:1A:FF:F9:9E:93:46:46:CB:13
+ "agent-node3" (SHA256) 41:B1:A7:3C:E3:7D:47:32:21:4F:25:8A:5E:96:77:1A:E0:FE:45:C3:42:0C:BC:D7:0A:0A:D1:E9:BF:FA:E1:96
+ "master-node" (SHA256) DB:81:FB:58:D7:FF:DC:17:3C:C2:4D:7B:2E:DF:35:C2:F5:4D:B8:D2:AE:9D:EF:E0:73:44:11:07:C4:C2:72:23
- "agent-node1" (SHA256) 86:61:2A:99:38:54:E3:FD:E0:8F:40:D4:2D:75:83:6F:64:B6:36:E1:B0:97:0D:B5:82:9C:69:95:D2:95:98:92 (certificate revoked)
[root@Master-node ~]# puppet cert --revoke --all // revoke all certificates
The above only invalidates the certificate, so the client's connections will fail; the certificate file itself is not deleted.
Deleting a certificate (--clean):
[root@Master-node ~]# puppet cert --clean agent-node1 // delete the agent-node1 certificate
[root@Master-node ~]# puppet cert --clean --all // delete all certificates
Revocation or deletion of a certificate takes effect only after the puppetmaster service is restarted.
[root@Master-node ~]# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
After the restart, Puppet automatically issues itself a new local certificate:
[root@Master-node ~]# puppet cert --list --all
+ "master-node" (SHA256) 25:13:02:B7:01:44:08:E9:A0:C6:66:4F:A9:A9:93:2E:7E:E6:ED:E9:91:85:7B:65:E3:ED:26:FB:C6:7C:B6:56
Note the order of steps from deleting a certificate to requesting a new one:
On the master, delete the certificate (puppet cert --clean agent-node1)
On the agent, delete the previously registered certificate files: rm -rf /var/lib/puppet/ssl/*
On the agent, request a certificate again (puppet agent --test)
-------------------------------------------------------------------------------
II. Automatic registration (low security, high efficiency)
Put simply, this registration mode is controlled by an ACL list on the puppetmaster, and its security is low: every node request that matches the predefined ACL list is registered automatically, without confirmation.
In other words, anyone who knows what the ACL list requires and can communicate with the puppetmaster can register easily. Its biggest advantage, of course, is that it is very efficient.
1) Clear the agent certificates already registered on the master
[root@Master-node ~]# puppet cert --clean agent-node1 // certificates can be cleared one agent node at a time
[root@Master-node ~]# puppet cert --clean --all // or the certificates of all agent nodes can be cleared at once
2) On the agent, delete all registration information, including the certificate. This is important! After deleting an agent's certificate on the puppetmaster, you must log in to the corresponding agent node and run the following to delete the previously registered certificate;
otherwise the next registration attempt will fail with an error!
[root@Agent-node1 ~]# rm -rf /var/lib/puppet/ssl/*
3) Write the ACL list on the master
Configure the master to sign all certificates automatically:
[root@Master-node ~]# vim /etc/puppet/puppet.conf // add the following at the bottom of the file
[main]
autosign = true
autosign = /etc/puppet/autosign.conf
[root@Master-node ~]# vim /etc/puppet/autosign.conf // put the following in the file; * means hosts from any domain may register a certificate with this master
*
[root@Master-node ~]# /etc/init.d/puppet restart
[root@Master-node ~]# service puppetmaster restart
[root@Master-node ~]# puppet cert --list --all
+ "master-node" (SHA256) 47:D4:F5:FE:73:62:0B:51:BD:E6:BD:A5:1C:7E:04:75:72:80:5C:32:9C:E2:01:46:39:EA:3B:D9:F6:FC:A7:CE
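A bare "*" in autosign.conf signs the request of any host that can reach the master. As an added example that is not from the original post, this POSIX shell script evaluates an autosign.conf the way the master would, so you can check which certnames an ACL admits before enabling autosign; the temp-dir paths and the two sample ACL files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate an autosign.conf the way
# the puppetmaster does, so the reach of an ACL can be checked before enabling
# "autosign = /etc/puppet/autosign.conf". Entries are one per line: a full
# certname, a domain glob starting with "*.", or a bare "*" that admits any host.
# The sample ACL files below are constructed in a temp dir (assumed paths).

AUTOSIGN_DIR=$(mktemp -d)
AUTOSIGN_WEAK="$AUTOSIGN_DIR/autosign.conf.weak"
AUTOSIGN_STRICT="$AUTOSIGN_DIR/autosign.conf.strict"
printf '*\n' > "$AUTOSIGN_WEAK"          # the post's ACL: anyone who can reach the master
printf '# lab nodes only\nagent-node1\n*.lab.example.com\n' > "$AUTOSIGN_STRICT"   # narrowed ACL (constructed)

# autosign_allows CONF CERTNAME -> returns 0 if CERTNAME would be signed unattended
autosign_allows() {
    conf=$1; name=$2
    while read -r entry || [ -n "$entry" ]; do     # read trims surrounding whitespace
        case $entry in ''|'#'*) continue ;; esac   # skip blank lines and comments
        if [ "$entry" = '*' ]; then
            return 0                                # bare wildcard: every request is signed
        fi
        case $entry in
            '*.'*)                                  # domain glob, e.g. *.lab.example.com
                suffix=${entry#?}                   # -> .lab.example.com
                case $name in *"$suffix") return 0 ;; esac ;;
            *)                                      # exact certname
                if [ "$name" = "$entry" ]; then return 0; fi ;;
        esac
    done < "$conf"
    return 1
}

# autosign_is_open CONF -> returns 0 if the ACL contains a bare "*" line
autosign_is_open() {
    grep -qx '[[:space:]]*\*[[:space:]]*' "$1"
}

# Demo run; on a real master point the functions at /etc/puppet/autosign.conf
autosign_is_open "$AUTOSIGN_WEAK" && echo "weak ACL: any certname is auto-signed"
autosign_allows "$AUTOSIGN_STRICT" agent-node1 && echo "strict ACL admits agent-node1"
autosign_allows "$AUTOSIGN_STRICT" rogue.other.org || echo "strict ACL rejects rogue.other.org"
```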
Next, request certificates on all agent nodes:
[root@Agent-node1 ~]# puppet agent --test
Info: Creating a new SSL key for agent-node1
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for agent-node1
Info: Certificate Request fingerprint (SHA256): 79:F5:6B:9B:0C:38:68:B7:A6:C3:9E:E4:7E:19:76:8B:61:35:CA:D0:66:E4:81:B4:15:09:DB:24:ED:3F:E2:3F
Info: Caching certificate for agent-node1
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent-node1
Info: Applying configuration version '1495879417'
Notice: Finished catalog run in 0.05 seconds
Then check on the master whether the certificates have been registered automatically. As shown below, they have:
[root@Master-node ~]# puppet cert --list --all
+ "agent-node1" (SHA256) EE:EE:FE:C8:41:8D:C4:42:59:59:84:FB:A3:CA:F7:20:8A:94:F5:70:5A:2F:1E:A3:D3:48:B4:70:2F:2C:76:AA
+ "agent-node2" (SHA256) 00:C7:14:7D:1B:2F:D9:5D:B9:F5:A1:24:89:FE:65:C2:CF:C7:76:58:CC:61:4F:07:4D:89:22:B2:9B:33:EF:C5
+ "agent-node3" (SHA256) 7C:24:5D:9A:BD:C6:A4:33:04:21:9E:9D:BA:F2:5F:1B:01:84:E1:C4:6C:95:2F:12:A9:7C:BE:3E:E8:48:BD:38
+ "master-node" (SHA256) 99:8A:53:84:A4:BA:38:39:72:77:E5:11:47:1B:C2:29:BE:67:07:03:5D:08:8C:A3:85:49:3F:EF:B4:9A:C4:C3
Finally, test on the agent node:
[root@Agent-node1 ~]# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for agent-node1
Info: Applying configuration version '1495879417'
Notice: Finished catalog run in 0.07 seconds
-------------------------------------------------------------------------------
III. Pre-signed registration (recommended for production; both secure and reliable!)
In pre-signed registration, the agent's certificate is generated on the puppet master in advance, before the agent has made any request, and is then copied into the corresponding directory on the agent node; that completes registration and avoids the danger of automatic signing.
This mode has the highest security, but it is laborious: the certname of every node server must be known in advance, and the generated certificates must be copied to every node one by one.
If an automation tool such as kickstart or cobbler is installed, however, the certificate step can be turned into a script and integrated into the unified automated deployment.
1) Clear the agent certificates already registered on the master
[root@Master-node ~]# puppet cert --clean --all // clear all registered certificates; a single agent node's certificate can also be cleared individually
[root@Master-node ~]# puppet cert --list --all // check that the certificates have been cleared
[root@Master-node ~]# /etc/init.d/puppetmaster restart
2) On the agent, delete all registration information, including the certificate.
[root@Agent-node1 ~]# rm -rf /var/lib/puppet/*
3) On the master, remove the autosign ACL list
[root@Master-node ~]# mv /etc/puppet/autosign.conf /etc/puppet/autosign.conf.bak
4) On the master, pre-generate the agent certificates (these can only be generated one agent node at a time)
[root@Master-node ~]# puppet cert generate agent-node1 // older versions use the command "puppetca --generate agent-node1"
[root@Master-node ~]# puppet cert generate agent-node2
[root@Master-node ~]# puppet cert generate agent-node3
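The files that step 4 leaves in the master's ssldir still have to reach each agent, and the private key among them is the node's identity. As an added example that is not from the original post, this shell script stages those files per node following the ssldir layout shown in the tree earlier, refuses to run if any is missing, and keeps the key mode 0600; the temp ssldir, output paths and dummy PEM contents are constructed, and the assumed file set is ca.pem, the node cert, its public and private keys and crl.pem.

```shell
#!/bin/sh
# Added example, not from the original post: after "puppet cert generate NAME"
# on the master, collect the files the agent needs into a per-node bundle,
# following the ssldir layout shown in the tree earlier. The file set (ca.pem,
# node cert, public/private key, crl.pem) is an assumption; SSLDIR, OUTDIR and
# the dummy PEM contents are constructed for the demo. On a real master
# SSLDIR is /var/lib/puppet/ssl.

# stage_presigned SSLDIR CERTNAME OUTDIR -> returns 0 when the bundle is complete
stage_presigned() {
    ssldir=$1; name=$2; out=$3
    for rel in certs/ca.pem "certs/$name.pem" "private_keys/$name.pem" \
               "public_keys/$name.pem" crl.pem; do
        if [ ! -f "$ssldir/$rel" ]; then
            echo "missing $ssldir/$rel (run: puppet cert generate $name)" >&2
            return 1
        fi
    done
    mkdir -p "$out/certs" "$out/public_keys" "$out/private_keys" || return 1
    chmod 700 "$out/private_keys"
    cp "$ssldir/certs/ca.pem"           "$out/certs/ca.pem"
    cp "$ssldir/certs/$name.pem"        "$out/certs/$name.pem"
    cp "$ssldir/public_keys/$name.pem"  "$out/public_keys/$name.pem"
    cp "$ssldir/crl.pem"                "$out/crl.pem"
    cp "$ssldir/private_keys/$name.pem" "$out/private_keys/$name.pem"
    chmod 600 "$out/private_keys/$name.pem"   # only the agent's puppet user may read the key
}

# bundle_complete OUTDIR CERTNAME -> returns 0 if all five files exist and the key is 0600
bundle_complete() {
    out=$1; name=$2
    [ -f "$out/certs/ca.pem" ] && [ -f "$out/certs/$name.pem" ] &&
    [ -f "$out/public_keys/$name.pem" ] && [ -f "$out/crl.pem" ] &&
    [ -n "$(find "$out/private_keys/$name.pem" -perm 600 2>/dev/null)" ]
}

# Constructed demo: a fake master ssldir holding what "puppet cert generate agent-node1" would leave
DEMO=$(mktemp -d)
MASTER_SSL="$DEMO/ssl"; BUNDLE="$DEMO/bundle"
mkdir -p "$MASTER_SSL/certs" "$MASTER_SSL/private_keys" "$MASTER_SSL/public_keys"
for f in certs/ca.pem certs/agent-node1.pem private_keys/agent-node1.pem \
         public_keys/agent-node1.pem crl.pem; do
    printf '%s\n' "dummy PEM content for $f" > "$MASTER_SSL/$f"
done
stage_presigned "$MASTER_SSL" agent-node1 "$BUNDLE/agent-node1" && echo "bundle ready: $BUNDLE/agent-node1"
```

On the agent the bundle is unpacked into /var/lib/puppet/ssl (the same layout) before the first puppet agent --test, so no CSR is ever sent.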