puppet cert is the command for managing Puppet certificate signing. When an agent connects to the master it does so over SSL, which encrypts the traffic between the two sides and so protects the data in transit. The puppet cert command covers certificate management: signing (authorizing) requests, revoking, listing and displaying certificates, and generating signed certificate files.
1. View the puppet cert help text (the help is long; only the actions and options are shown here):
<code>[root@puppet ~]# puppet cert -h</code>
<code>* clean: #--clean removes all certificate files for the host that are stored on the master.</code>
<code>  Revoke a host's certificate (if applicable) and remove all files</code>
<code>  related to that host from puppet cert's storage. This is useful when</code>
<code>  rebuilding hosts, since new certificate signing requests will only be</code>
<code>  honored if puppet cert does not have a copy of a signed certificate</code>
<code>  for that host. If '--all' is specified then all host certificates,</code>
<code>  both signed and unsigned, will be removed.</code>
<code>* fingerprint: #Print the certificate's fingerprint digest.</code>
<code>  Print the DIGEST (defaults to the signing algorithm) fingerprint of a</code>
<code>  host's certificate.</code>
<code>* generate: #Issue a certificate file for the named agent client.</code>
<code>  Generate a certificate for a named client. A certificate/keypair will</code>
<code>  be generated for each client named on the command line.</code>
<code>* list: #On the master, list the agents whose certificate requests are waiting to be signed.</code>
<code>  List outstanding certificate requests. If '--all' is specified, signed</code>
<code>  certificates are also listed, prefixed by '+', and revoked or invalid</code>
<code>  certificates are prefixed by '-' (the verification outcome is printed</code>
<code>  in parenthesis).</code>
<code>* print: #Print the certificate's full-text version.</code>
<code>  Print the full-text version of a host's certificate.</code>
<code>* revoke: #Revoke the specified agent's certificate.</code>
<code>  Revoke the certificate of a client. The certificate can be specified either</code>
<code>  by its serial number (given as a hexadecimal number prefixed by '0x') or by its</code>
<code>  hostname. The certificate is revoked by adding it to the Certificate Revocation</code>
<code>  List given by the 'cacrl' configuration option. Note that the puppet master</code>
<code>  needs to be restarted after revoking certificates.</code>
<code>* sign: #Sign a pending certificate request.</code>
<code>  Sign an outstanding certificate request.</code>
<code>* verify: #Check whether the certificate was issued by the local CA.</code>
<code>  Verify the named certificate against the local CA certificate.</code>
<code>* reinventory:</code>
<code>  Build an inventory of the issued certificates. This will destroy the current</code>
<code>  inventory file specified by 'cert_inventory' and recreate it from the</code>
<code>  certificates found in the 'certdir'. Ensure the puppet master is stopped</code>
<code>  before running this action.</code>
<code>OPTIONS (sub-options of the command)</code>
<code>-------</code>
<code>Note that any setting that's valid in the configuration</code>
<code>file is also a valid long argument. For example, 'ssldir' is a valid</code>
<code>setting, so you can specify '--ssldir <directory>' as an</code>
<code>argument.</code>
<code>See the configuration file documentation at</code>
<code>http://docs.puppetlabs.com/references/stable/configuration.html for the</code>
<code>full list of acceptable parameters. A commented list of all</code>
<code>configuration options can also be generated by running puppet cert with</code>
<code>'--genconfig'.</code>
<code>* --all: #All items. Usable with 'sign', 'clean', 'list' and 'fingerprint'.</code>
<code>  Operate on all items. Currently only makes sense with the 'sign',</code>
<code>  'clean', 'list', and 'fingerprint' actions.</code>
<code>* --digest: #Set the digest used for fingerprinting (defaults to the digest the certificate was signed with); valid values depend on your openssl and openssl ruby extension versions.</code>
<code>  Set the digest for fingerprinting (defaults to the digest used when</code>
<code>  signing the cert). Valid values depends on your openssl and openssl ruby</code>
<code>  extension version.</code>
<code>* --debug: #Debug mode.</code>
<code>  Enable full debugging.</code>
<code>* --help:</code>
<code>  Print this help message</code>
<code>* --verbose:</code>
<code>  Enable verbosity.</code>
<code>* --version:</code>
<code>  Print the puppet version number and exit.</code>
<code>EXAMPLE</code>
<code>  $ puppet cert list</code>
<code>  culain.madstop.com</code>
<code>  $ puppet cert sign culain.madstop.com</code>
2. Worked example:
The following demonstrations keep using the three machines below until the puppet series is finished.
192.168.30.134 puppet
192.168.30.131 sh-web1
192.168.30.132 sh-proxy2
Question: the master has no autosign.conf, so certificates have to be signed by hand. How is that done? And when a server is taken out of service, wiped and repurposed, what should happen to its certificate data?
1. Remove the autosign.conf file from the master. (Editing it locally with the Windows SVN client is enough.)
2. Restart puppetmaster and check the certificates. (Removing autosign.conf has no effect on certificates that are already signed.)
<code>[root@puppet puppet]# /etc/init.d/puppetmaster reload</code>
<code>Stopping puppetmaster: [ OK ]</code>
<code>Starting puppetmaster: [ OK ]</code>
<code>[root@puppet puppet]# puppet cert list --all</code>
<code>+ "puppet" (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")</code>
<code>+ "puppet.localdomain" (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")</code>
<code>+ "sh-proxy2.localdomain" (SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39</code>
<code>+ "sh-web1.localdomain" (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B</code>
3. Delete sh-proxy2's certificate files on the master.
--revoke expires the certificate (the default certificate lifetime is 5 years; that figure is from the docs, I haven't verified it). Expire the certificate first, then clean it up.
<code>[root@puppet puppet]# puppet cert --revoke sh-proxy2.localdomain</code>
<code>Notice: Revoked certificate with serial 5</code>
<code>- "sh-proxy2.localdomain" (SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39 (certificate revoked)</code>
--clean removes sh-proxy2.localdomain's certificate.
<code>[root@puppet puppet]# puppet cert --clean sh-proxy2.localdomain</code>
<code>Notice: Removing file Puppet::SSL::Certificate sh-proxy2.localdomain at '/var/lib/puppet/ssl/ca/signed/sh-proxy2.localdomain.pem'</code>
<code>Notice: Removing file Puppet::SSL::Certificate sh-proxy2.localdomain at '/var/lib/puppet/ssl/certs/sh-proxy2.localdomain.pem'</code>
<code>+ "puppet" (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")</code>
<code>+ "puppet.localdomain" (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")</code>
<code>+ "sh-web1.localdomain" (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B</code>
4. After cleaning, restart the puppetmaster.
5. Delete the certificate data on sh-proxy2:
<code>[root@sh-proxy2 puppet]# find ./ -type f -name "sh-proxy2.localdomain*" -exec mv {} /tmp/ \;</code>
<code>[root@sh-proxy2 puppet]# find ./ -type f -name "sh-proxy2.localdomain*"</code>
<code>[root@sh-proxy2 puppet]# ls /tmp/</code>
<code>sh-proxy2.localdomain.json sh-proxy2.localdomain.pem yum.log</code>
6. Restart the puppet agent service; the certificate is regenerated automatically.
<code>[root@sh-proxy2 puppet]# /etc/init.d/puppet restart</code>
<code>Stopping puppet agent: [ OK ]</code>
<code>Starting puppet agent: [ OK ]</code>
<code>./ssl/public_keys/sh-proxy2.localdomain.pem</code>
<code>./ssl/private_keys/sh-proxy2.localdomain.pem</code>
<code>./ssl/certificate_requests/sh-proxy2.localdomain.pem</code>
7. Check the certificates on the puppet master (a '+' marks a signed certificate; no '+' means it is still unsigned):
<code>  "sh-proxy2.localdomain" (SHA256) A6:80:BF:8F:07:0C:CB:F1:47:8C:B3:08:B8:A7:FB:A3:E8:E2:D3:7A:CE:3F:0C:E3:66:77:E8:06:18:36:82:0C</code>
8. Sign the certificate manually. (To save effort, puppet cert sign --all signs every pending request.)
<code>[root@puppet puppet]# puppet cert sign sh-proxy2.localdomain</code>
<code>Notice: Signed certificate request for sh-proxy2.localdomain</code>
<code>Notice: Removing file Puppet::SSL::CertificateRequest sh-proxy2.localdomain at '/var/lib/puppet/ssl/ca/requests/sh-proxy2.localdomain.pem'</code>
<code>+ "sh-proxy2.localdomain" (SHA256) 6A:48:D0:4A:F3:4B:45:CE:D9:90:B1:FE:AA:91:6F:CB:06:50:17:BF:D1:D4:CE:1D:41:D2:9E:B5:24:AB:52:3A</code>
9. Test from the agent:
<code>[root@sh-proxy2 ~]# puppet agent -t</code>
<code>Info: Retrieving pluginfacts</code>
<code>Info: Retrieving plugin</code>
<code>Info: Caching catalog for sh-proxy2.localdomain</code>
<code>Info: Applying configuration version '1504752428'</code>
<code>Notice: Finished catalog run in 0.01 seconds</code>
Note: puppet cert list shows only the agent certificates waiting to be signed on the master; --all shows both unsigned and signed agent certificate requests, distinguished by the '+'.
This article is reposted from 青衫解衣's 51CTO blog; original link: http://blog.51cto.com/215687833/1963453
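The steps above are easy to get out of order on a real master (revoke without clean, sign before checking which request you are signing). The script below is an added example and not code from the original post: it parses the `puppet cert list --all` output format shown above ('+' signed, '-' revoked, no prefix pending), checks a pending request's fingerprint against the value the agent reports locally (`puppet agent --fingerprint`, a command not shown in the post), and wraps the master-side revoke/clean/restart sequence into one function that confirms the certificate is really gone. The list text is constructed from the post's own output; `MASTER_RESTART` is an assumed variable, defaulting to the post's init script.

```shell
#!/bin/sh
# Added example around the `puppet cert` workflow in the post (not the post's code).
# LIST_AFTER_REVOKE / LIST_AFTER_AGENT_RESTART are constructed from the post's output.

LIST_AFTER_REVOKE='+ "puppet" (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
- "sh-proxy2.localdomain" (SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39 (certificate revoked)
+ "sh-web1.localdomain" (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B'

LIST_AFTER_AGENT_RESTART='+ "puppet" (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
  "sh-proxy2.localdomain" (SHA256) A6:80:BF:8F:07:0C:CB:F1:47:8C:B3:08:B8:A7:FB:A3:E8:E2:D3:7A:CE:3F:0C:E3:66:77:E8:06:18:36:82:0C
+ "sh-web1.localdomain" (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B'

# cert_state HOST LIST -> prints one of: signed | revoked | pending | absent
cert_state() {
  printf '%s\n' "$2" | awk -v host="$1" '
    {
      # the host name is the first double-quoted token on the line
      if (!match($0, /"[^"]+"/)) next
      name = substr($0, RSTART + 1, RLENGTH - 2)
      if (name != host) next
      if ($1 == "+") { print "signed" }
      else if ($1 == "-") { print "revoked" }
      else { print "pending" }
      found = 1
      exit
    }
    END { if (!found) print "absent" }'
}

# pending_hosts LIST -> one unsigned request name per line (no "+" / "-" prefix)
pending_hosts() {
  printf '%s\n' "$1" | awk '
    $1 != "+" && $1 != "-" && match($0, /"[^"]+"/) {
      print substr($0, RSTART + 1, RLENGTH - 2)
    }'
}

# fingerprint_of HOST LIST -> the SHA256 fingerprint printed on that host's line
fingerprint_of() {
  printf '%s\n' "$2" | awk -v host="$1" '
    {
      if (!match($0, /"[^"]+"/)) next
      if (substr($0, RSTART + 1, RLENGTH - 2) != host) next
      for (i = 1; i <= NF; i++) if ($i == "(SHA256)") { print $(i + 1); exit }
    }'
}

# verify_csr HOST EXPECTED_FP LIST -> succeeds only when HOST has a *pending*
# request whose fingerprint equals EXPECTED_FP, the value read on the agent
# with `puppet agent --fingerprint`; sign only after this passes.
verify_csr() {
  [ "$(cert_state "$1" "$3")" = pending ] || return 1
  [ "$(fingerprint_of "$1" "$3")" = "$2" ]
}

# decommission_node HOST -> master-side steps 3 and 4 of the post, in order:
# revoke, clean, restart the master, then confirm no certificate remains for
# HOST (otherwise the rebuilt agent's new request would never be honored).
# Uses the `puppet` on PATH; MASTER_RESTART is an assumed override hook.
: "${MASTER_RESTART:=/etc/init.d/puppetmaster restart}"
decommission_node() {
  host=$1
  puppet cert --revoke "$host" || return 1
  puppet cert --clean "$host" || return 1
  $MASTER_RESTART || return 1
  [ "$(cert_state "$host" "$(puppet cert list --all)")" = absent ]
}
```

Source the file on the master and call `decommission_node sh-proxy2.localdomain` for the server being retired; before signing a rebuilt node, run `verify_csr sh-proxy2.localdomain "<fingerprint from the agent>" "$(puppet cert list --all)"` so that a request is signed only when its fingerprint matches the one the agent itself reports.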