Puppet Quick Tutorial

Puppet - SSL Sign Certificate Setup

When the Puppet agent software runs for the first time on any Puppet node, it generates a key pair and sends a certificate signing request (CSR) to the Puppet master. Before the Puppet server can communicate with and control an agent node, it must sign that node's certificate. The following sections describe how to list the pending signing requests and how to sign them.

List Current Certificate Requests

On the Puppet master, run the following command to see all unsigned certificate requests.

$ sudo /opt/puppetlabs/bin/puppet cert list

As we have just set up a new agent node, we will see one request awaiting approval. The output will look like this.

"Brcleprod004.brcl.com" (SHA256)
15:90:C2:FB:ED:69:A4:F7:B1:87:0B:BF:F7:ll:
B5:1C:33:F7:76:67:F3:F6:45:AE:07:4B:F 6:E3:ss:04:11:8d

The entry has no + sign at the beginning, which indicates that the certificate is still unsigned.

Sign a Request

To sign the certificate request that was generated when the Puppet agent first ran on the new node, use the puppet cert sign command followed by the hostname in the certificate, i.e. the name of the newly configured node that needs to be signed. As the pending request is for Brcleprod004.brcl.com, we will use the following command.

$ sudo /opt/puppetlabs/bin/puppet cert sign Brcleprod004.brcl.com

The output will look like this.

Notice: Signed certificate request for Brcle004.brcl.com
Notice: Removing file Puppet::SSL::CertificateRequest Brcle004.brcl.com at
'/etc/puppetlabs/puppet/ssl/ca/requests/Brcle004.brcl.com.pem'

The Puppet server can now communicate with the node to which the signed certificate belongs. To sign every pending request at once, use the following command instead; because it approves each request without looking at it, it is only appropriate when every pending hostname and fingerprint has already been checked.

$ sudo /opt/puppetlabs/bin/puppet cert sign --all
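As an added example (not part of the original tutorial), the listing format shown above parsed by a small POSIX shell script: it extracts the pending requests and approves a host only when the fingerprint the master shows matches the one read on the agent itself with puppet agent --fingerprint. The hostnames and fingerprints are constructed sample values, and the real sign command is left as a comment so the script is a dry run.

```shell
#!/bin/sh
# Constructed sample of `puppet cert list --all` output, one entry per line
# as the command prints it; the fingerprints are made-up values.
SAMPLE='  "agent01.example.com" (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
+ "puppet" (SHA256) 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00 (alt names: "DNS:puppet")
  "agent02.example.com" (SHA256) 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA'

# pending_requests LISTING: print the hostnames of unsigned requests,
# i.e. the entries whose line does not start with "+".
pending_requests() {
    printf '%s\n' "$1" | awk '$1 != "+" { gsub(/"/, "", $1); print $1 }'
}

# fingerprint_of LISTING HOST: print the fingerprint the master recorded
# for HOST (signed or pending), or nothing if HOST is not in the listing.
fingerprint_of() {
    printf '%s\n' "$1" | awk -v host="\"$2\"" '
        $1 == "+" && $2 == host { print $4; exit }
        $1 == host              { print $3; exit }'
}

# safe_sign LISTING HOST EXPECTED: approve HOST only when the fingerprint
# on the master equals EXPECTED, the value read on the agent itself with
# `puppet agent --fingerprint`, so a request from a different machine that
# claims the same hostname is not signed. Prints "sign" or "refuse".
safe_sign() {
    actual=$(fingerprint_of "$1" "$2")
    if [ -n "$actual" ] && [ "$actual" = "$3" ]; then
        # sudo /opt/puppetlabs/bin/puppet cert sign "$2"
        echo "sign"
    else
        echo "refuse"
    fi
}

# Usage: show what is waiting, then decide for one host (dry run).
pending_requests "$SAMPLE"
safe_sign "$SAMPLE" agent01.example.com \
    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
```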

Revoking the Host from the Puppet Setup

There are situations, such as a kernel rebuild, in which a host has to be removed from the setup and added again. Puppet cannot handle the stale certificate of such a host by itself; remove it with the following command so that the node can submit a fresh request.

$ sudo /opt/puppetlabs/bin/puppet cert clean hostname

Viewing All Signed Requests

The following command lists all certificates; the + sign in front of an entry indicates that its request has been approved.

$ sudo /opt/puppetlabs/bin/puppet cert list --all

The output will look like this.

+ "puppet" (SHA256) 5A:71:E6:06:D8:0F:44:4D:70:F0:
BE:51:72:15:97:68:D9:67:16:41:B0:38:9A:F2:B2:6C:B
B:33:7E:0F:D4:53 (alt names: "DNS:puppet", "DNS:Brcle004.nyc3.example.com")

+ "Brcle004.brcl.com" (SHA256) F5:DC:68:24:63:E6:F1:9E:C5:FE:F5:
1A:90:93:DF:19:F2:28:8B:D7:BD:D2:6A:83:07:BA:F E:24:11:24:54:6A

+ "Brcle004.brcl.com" (SHA256) CB:CB:CA:48:E0:DF:06:6A:7D:75:E6:CB:22:BE:35:5A:9A:B3

Once the above is done, the infrastructure is ready and the Puppet master can manage the newly added nodes.