Puppet Certificate Management


List the certificates.

[root@lost1 ssl]# puppet cert --list --all
+ "lost1.com" (SHA256) 63:6B:DE:7E:E6:DA:68:71:90:23:42:64:19:9F:A1:36:B7:14:D8:56:3C:8E:AD:C9:E9:2E:DC:4E:81:FF:33:8F (alt names: "DNS:lost1.com", "DNS:puppet", "DNS:puppet.com")
+ "lost2.com" (SHA256) 56:BE:3A:B5:6C:5C:73:7E:31:0C:30:88:49:3E:9D:E5:37:D1:61:F9:C4:6C:66:75:46:0D:6A:4B:6D:8D:A6:99
+ "lost3.com" (SHA256) 8F:53:A5:BC:1E:BA:11:DF:AB:8E:86:C3:C9:5E:9C:F4:F2:67:E6:76:EA:E5:58:13:2D:B2:39:12:79:66:F2:A3

Revoke a certificate.

[root@lost1 ssl]# puppet cert revoke lost2.com
Notice: Revoked certificate with serial 4
[root@lost1 ssl]# puppet cert --list --all
+ "lost1.com" (SHA256) 63:6B:DE:7E:E6:DA:68:71:90:23:42:64:19:9F:A1:36:B7:14:D8:56:3C:8E:AD:C9:E9:2E:DC:4E:81:FF:33:8F (alt names: "DNS:lost1.com", "DNS:puppet", "DNS:puppet.com")
+ "lost3.com" (SHA256) 8F:53:A5:BC:1E:BA:11:DF:AB:8E:86:C3:C9:5E:9C:F4:F2:67:E6:76:EA:E5:58:13:2D:B2:39:12:79:66:F2:A3
- "lost2.com" (SHA256) 56:BE:3A:B5:6C:5C:73:7E:31:0C:30:88:49:3E:9D:E5:37:D1:61:F9:C4:6C:66:75:46:0D:6A:4B:6D:8D:A6:99 (certificate revoked)

Remove the certificate (clean).

[root@lost1 ssl]# puppet cert clean lost2.com
Notice: Revoked certificate with serial 4
Notice: Removing file Puppet::SSL::Certificate lost2.com at '/var/lib/puppet/ssl/ca/signed/lost2.com.pem'
Notice: Removing file Puppet::SSL::Certificate lost2.com at '/var/lib/puppet/ssl/certs/lost2.com.pem'
[root@lost1 ssl]# puppet cert --list --all
+ "lost1.com" (SHA256) 63:6B:DE:7E:E6:DA:68:71:90:23:42:64:19:9F:A1:36:B7:14:D8:56:3C:8E:AD:C9:E9:2E:DC:4E:81:FF:33:8F (alt names: "DNS:lost1.com", "DNS:puppet", "DNS:puppet.com")
+ "lost3.com" (SHA256) 8F:53:A5:BC:1E:BA:11:DF:AB:8E:86:C3:C9:5E:9C:F4:F2:67:E6:76:EA:E5:58:13:2D:B2:39:12:79:66:F2:A3

Sometimes, after a certificate has been revoked, the agent's attempt to request a new certificate fails.
[Screenshot: re-enrollment fails after the certificate is revoked]
Remove the certificate files on the agent side.

[root@lost2 test]# rm -rf /var/lib/puppet/*

Request a new certificate.

[root@lost2 test]# puppet agent --server lost1.com --test
Info: Creating a new SSL key for lost2.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for lost2.com
Info: Certificate Request fingerprint (SHA256): 91:E0:A5:F9:01:C8:E6:CA:4D:21:00:EC:B2:D4:5F:66:C8:3F:86:3F:9A:DA:80:89:B7:7A:BF:23:09:2F:00:02
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

Approve (sign) the certificate request.

[root@lost1 ssl]# puppet cert --sign lost2.com
Notice: Signed certificate request for lost2.com
Notice: Removing file Puppet::SSL::CertificateRequest lost2.com at '/var/lib/puppet/ssl/ca/requests/lost2.com.pem'
[root@lost1 ssl]# puppet cert --list --all
+ "lost1.com" (SHA256) 63:6B:DE:7E:E6:DA:68:71:90:23:42:64:19:9F:A1:36:B7:14:D8:56:3C:8E:AD:C9:E9:2E:DC:4E:81:FF:33:8F (alt names: "DNS:lost1.com", "DNS:puppet", "DNS:puppet.com")
+ "lost2.com" (SHA256) 49:A2:CC:71:41:65:D1:90:2B:C1:1C:9B:E4:B4:D5:1E:C4:42:DC:17:AA:AC:B6:91:2E:53:57:82:69:08:63:BE
+ "lost3.com" (SHA256) 8F:53:A5:BC:1E:BA:11:DF:AB:8E:86:C3:C9:5E:9C:F4:F2:67:E6:76:EA:E5:58:13:2D:B2:39:12:79:66:F2:A3
[root@lost1 ssl]# 

Certificate enrollment has now succeeded.

[root@lost2 test]# puppet agent --test
Info: Caching certificate for lost2.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for lost2.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for lost2.com
Info: Applying configuration version '1456293592'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.22 seconds
[root@lost2 test]# 
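As an added example (not part of the original post), a small shell helper that parses the `puppet cert --list --all` output shown above and tells an operator whether a certname is signed, revoked or pending, and whether the fingerprint the agent holds still matches the CA's current copy. The sample list reuses the page's own fingerprints; the unsigned `lost4.com` request line, the function names and the openssl fingerprint line are constructed/assumed.

```shell
#!/bin/sh
# Added example: parse `puppet cert --list --all` output as shown above.
# Sample output constructed from the page's own lines; the unsigned
# "lost4.com" request line (no +/- marker) is an assumed fourth entry.
SAMPLE_LIST='+ "lost1.com" (SHA256) 63:6B:DE:7E:E6:DA:68:71:90:23:42:64:19:9F:A1:36:B7:14:D8:56:3C:8E:AD:C9:E9:2E:DC:4E:81:FF:33:8F (alt names: "DNS:lost1.com", "DNS:puppet", "DNS:puppet.com")
+ "lost3.com" (SHA256) 8F:53:A5:BC:1E:BA:11:DF:AB:8E:86:C3:C9:5E:9C:F4:F2:67:E6:76:EA:E5:58:13:2D:B2:39:12:79:66:F2:A3
- "lost2.com" (SHA256) 56:BE:3A:B5:6C:5C:73:7E:31:0C:30:88:49:3E:9D:E5:37:D1:61:F9:C4:6C:66:75:46:0D:6A:4B:6D:8D:A6:99 (certificate revoked)
  "lost4.com" (SHA256) 91:E0:A5:F9:01:C8:E6:CA:4D:21:00:EC:B2:D4:5F:66:C8:3F:86:3F:9A:DA:80:89:B7:7A:BF:23:09:2F:00:02'

# cert_status NAME LIST -> signed | revoked | pending | missing
# "+" marks a signed cert, "-" a revoked one, no marker a pending request.
cert_status() {
  printf '%s\n' "$2" | awk -v want="\"$1\"" '
    $0 ~ ("^[+-]? *" want " ") {
      m = substr($0, 1, 1)
      r = (m == "+") ? "signed" : (m == "-") ? "revoked" : "pending"
      print r
      found = 1; exit
    }
    END { if (!found) print "missing" }'
}

# cert_fp NAME LIST -> the SHA256 fingerprint the CA recorded for NAME
cert_fp() {
  printf '%s\n' "$2" | awk -v want="\"$1\"" '
    $0 ~ ("^[+-]? *" want " ") {
      for (i = 1; i <= NF; i++) if ($i == "(SHA256)") { print $(i + 1); exit }
    }'
}

# local_fp OPENSSL_LINE -> bare fingerprint from the agent-side command
#   openssl x509 -in /var/lib/puppet/ssl/certs/NAME.pem -noout -fingerprint -sha256
local_fp() { printf '%s\n' "$1" | sed 's/^.*Fingerprint=//'; }

# recert_state NAME LIST AGENT_FP -> ok | stale-agent-cert | <status>
# A cert cached on the agent whose fingerprint differs from the CA's current
# signed copy is what the agent-side wipe above gets rid of.
recert_state() {
  s=$(cert_status "$1" "$2")
  [ "$s" = signed ] || { printf '%s\n' "$s"; return 0; }
  [ "$(cert_fp "$1" "$2")" = "$3" ] && echo ok || echo stale-agent-cert
}

for h in lost1.com lost2.com lost3.com lost4.com; do
  printf '%-10s %s\n' "$h" "$(cert_status "$h" "$SAMPLE_LIST")"
done
```

On a real master, feed the live output (`puppet cert --list --all`) in place of `SAMPLE_LIST`, and pass `local_fp "$(openssl x509 -in /var/lib/puppet/ssl/certs/NAME.pem -noout -fingerprint -sha256)"` from the agent as the third argument to `recert_state`.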