Winse Blog

Stopping and going, bustling crowds, busy all day long, not knowing what there is to fear.

Getting Started with Puppet: Domain Names and Certificates

It is no exaggeration to say that 90% of the problems met while first configuring Puppet are related to domain names! Communication between nodes requires certificate verification, and certificate verification is bound to the domain name.

This post covers how to check and configure the FQDN (Fully Qualified Domain Name), and the certificate operations involved in Puppet 4.4.

Environment

The test environment is a handful of cloud hosts whose hostnames follow the project's naming scheme (which means the cloud provider's internal DNS cannot resolve them). Unless stated otherwise, the OS is CentOS 6.

  • cu2: master server and certificate authority (CA)
  • cu1/cu3/cu4/cu5: agents

Listed above is the domain name situation before deployment. Sorting out the domain name problems one step at a time is tedious; to avoid unnecessary trouble, use an FQDN together with

Re-signing the server node's certificate

Testing right after installation, the agent connects to a server named puppet by default, so either map the name puppet to the right host or pass the --server option.

# The default server name puppet does not resolve to any host
[root@cu2 ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: getaddrinfo: Name or service not known
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: getaddrinfo: Name or service not known
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: getaddrinfo: Name or service not known
Error: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: getaddrinfo: Name or service not known


# Adding the domain still fails: the DNS server does not know the custom hostnames
[root@cu2 ~]# cat /etc/resolv.conf 
; generated by /sbin/dhclient-script
search ds.ctyun
nameserver 192.168.0.1
[root@cu2 ~]# puppet agent --server cu2.ds.ctyun --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: getaddrinfo: Name or service not known
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: getaddrinfo: Name or service not known
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: getaddrinfo: Name or service not known
Error: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: getaddrinfo: Name or service not known
[root@cu2 ~]# ping cu2.ds.ctyun
ping: unknown host cu2.ds.ctyun


# The much-touted -f option is no help
[root@cu2 ~]# hostname -i
192.168.0.x
[root@cu2 ~]# hostname -f
cu2


# Add a custom domain and set the hostname to the FQDN. Instead of changing the hostname, you can add **domain eshore.cn** to /etc/resolv.conf
[root@cu2 ~]# vi /etc/hosts
192.168.0.x cu1 cu1.eshore.cn
192.168.0.x cu2 cu2.eshore.cn

192.168.0.x cu3 cu3.eshore.cn
192.168.0.x cu4 cu4.eshore.cn
192.168.0.x cu5 cu5.eshore.cn

[root@cu2 ~]# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=cu2.eshore.cn
[root@cu2 ~]# hostname cu2.eshore.cn
[root@cu2 ~]# hostname
cu2.eshore.cn

# Confirm
[root@cu2 ~]# puppet config print certname
cu2.eshore.cn

[root@cu2 puppet]# dnsdomainname -v
gethostname()=`cu2.eshore.cn'
Resolving `cu2.eshore.cn' ...
Result: h_name=`cu2'
Result: h_aliases=`cu2.eshore.cn'
Result: h_addr_list=`192.168.0.214'

[root@cu2 puppet]# hostname -f -v
gethostname()=`cu2.eshore.cn'
Resolving `cu2.eshore.cn' ...
Result: h_name=`cu2'
Result: h_aliases=`cu2.eshore.cn'
Result: h_addr_list=`192.168.0.214'
cu2


# Clean up the certificate already issued for this host
[root@cu2 ~]# puppet cert list -all
+ "cu2.ds.ctyun" (SHA256) A6:30:6D:80:A8:04:60:56:4C:F3:D5:3C:9A:5C:2A:11:6C:A6:A9:F7:6E:5E:A5:37:59:28:5B:B6:E3:D3:73:D5 (alt names: "DNS:puppet", "DNS:cu2.ds.ctyun")

[root@cu2 ~]# puppet cert clean cu2.ds.ctyun
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate cu2.ds.ctyun at '/etc/puppetlabs/puppet/ssl/ca/signed/cu2.ds.ctyun.pem'
Notice: Removing file Puppet::SSL::Certificate cu2.ds.ctyun at '/etc/puppetlabs/puppet/ssl/certs/cu2.ds.ctyun.pem'
Notice: Removing file Puppet::SSL::Key cu2.ds.ctyun at '/etc/puppetlabs/puppet/ssl/private_keys/cu2.ds.ctyun.pem'


# Since the server node's certificate changed, restarting puppetserver regenerates and signs a new one
[root@cu2 ~]# service puppetserver restart
Stopping puppetserver:                                     [  OK  ]
Starting puppetserver:                                     [  OK  ]

[root@cu2 puppet]# tree /etc/puppetlabs/puppet/ssl
/etc/puppetlabs/puppet/ssl
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── private
│   ├── requests
│   ├── serial
│   └── signed
│       └── cu2.eshore.cn.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── cu2.eshore.cn.pem
├── crl.pem
├── private
├── private_keys
│   └── cu2.eshore.cn.pem
└── public_keys
    └── cu2.eshore.cn.pem

9 directories, 12 files

[root@cu2 ~]# puppet agent --server cu2.eshore.cn --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu2.eshore.cn
Info: Applying configuration version '1461149778'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds
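The dnsdomainname -v output above shows why hostname -f kept printing cu2: for an /etc/hosts line, the resolver reports the first name as h_name and the rest as aliases, and the lines above list the short name first. The following preflight check is an added example (not from the original post): it parses an /etc/hosts snapshot, reports the canonical name and FQDN per host, and compares the FQDN with the certname Puppet will use; the sample hosts content and its addresses are constructed.

```shell
#!/bin/sh
# Preflight check for the FQDN / certname mismatch (added example, not from
# the original post). The first name on an /etc/hosts line is the canonical
# name that hostname -f reports; the check flags lines where the short name
# comes first, and compares the FQDN with Puppet's certname.

# Constructed /etc/hosts snapshot mirroring the post's layout (short name first
# on cu1/cu2, FQDN first on cu3); the addresses are placeholders.
SAMPLE_HOSTS='192.168.0.11 cu1 cu1.eshore.cn
192.168.0.12 cu2 cu2.eshore.cn
# comment lines and blanks are ignored

192.168.0.13 cu3.eshore.cn cu3'

# Canonical (first) name on the hosts line that mentions $1.
# Usage: hosts_canonical <name> <hosts-text>
hosts_canonical() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 2; i <= NF; i++) if ($i == want) { print $2; exit } }'
}

# First dotted name (the FQDN), lower-cased, on the hosts line that mentions $1.
hosts_fqdn() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        { hit = 0
          for (i = 2; i <= NF; i++) if ($i == want) hit = 1
          if (hit) for (i = 2; i <= NF; i++)
              if (index($i, ".")) { print tolower($i); exit } }'
}

# 0: FQDN is canonical (hostname -f returns it); 1: short name listed first;
# 2: host not present in the hosts text.
check_host() {
    fqdn=$(hosts_fqdn "$1" "$2")
    [ -n "$fqdn" ] || return 2
    [ "$(hosts_canonical "$1" "$2")" = "$fqdn" ]
}

# Does the certname Puppet will use ($3, e.g. the output of
# `puppet config print certname`) equal the FQDN from the hosts text?
certname_matches() {
    [ "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" = "$(hosts_fqdn "$1" "$2")" ]
}

# Run against the live system: sh check_fqdn.sh --live
if [ "$1" = "--live" ]; then
    short=$(hostname); short=${short%%.*}; hosts=$(cat /etc/hosts)
    if check_host "$short" "$hosts"; then
        echo "ok: canonical name is $(hosts_fqdn "$short" "$hosts")"
    elif [ $? -eq 2 ]; then
        echo "warning: $short is not listed in /etc/hosts" >&2
    else
        echo "warning: list the FQDN before the short name for $short in /etc/hosts" >&2
    fi
    certname_matches "$short" "$hosts" "$(puppet config print certname)" \
        || echo "warning: puppet certname differs from the FQDN in /etc/hosts" >&2
fi
```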

Re-signing agents

When an agent's domain name is wrong, the server side has to cooperate by cleaning up the stale signing request and so on.

# First sync /etc/hosts to all agent nodes


# cu1 connects to the server cu2
[root@cu1 ~]# puppet agent --server cu2.eshore.cn --test
Info: Creating a new SSL key for cu1.ds.ctyun
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu1.ds.ctyun
Info: Certificate Request fingerprint (SHA256): 4F:D6:DC:25:22:D9:44:E5:70:9F:9B:B1:0F:99:B2:AC:F5:5F:50:CE:B7:C3:AF:65:F4:E2:DF:D5:2D:6F:96:07
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled


# The domain had not been changed yet, so a signing request in the ds.ctyun domain has already been sent
# Change the host's domain and send the request again
[root@cu1 ~]# vi /etc/resolv.conf 
; generated by /sbin/dhclient-script
domain eshore.cn
search ds.ctyun
nameserver 192.168.0.1

[root@cu1 ~]#  puppet config print certname
cu1.eshore.cn

[root@cu1 ~]# puppet agent --server cu2.eshore.cn --test
Info: Creating a new SSL key for cu1.eshore.cn
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu1.eshore.cn
Info: Certificate Request fingerprint (SHA256): B8:A1:65:B6:FE:02:87:B1:8D:0A:62:2E:FE:30:DD:B3:3B:C9:A2:B2:A1:50:11:D3:FE:03:6A:81:A6:84:C0:6B
Exiting; no certificate found and waitforcert is disabled


# The server cu2 now holds both of cu1's signing requests
[root@cu2 puppet]# puppet cert list -all
  "cu1.ds.ctyun"  (SHA256) 4F:D6:DC:25:22:D9:44:E5:70:9F:9B:B1:0F:99:B2:AC:F5:5F:50:CE:B7:C3:AF:65:F4:E2:DF:D5:2D:6F:96:07
  "cu1.eshore.cn" (SHA256) B8:A1:65:B6:FE:02:87:B1:8D:0A:62:2E:FE:30:DD:B3:3B:C9:A2:B2:A1:50:11:D3:FE:03:6A:81:A6:84:C0:6B
+ "cu2.eshore.cn" (SHA256) 3D:8E:4E:18:45:F4:8C:9B:71:7C:13:45:0D:8A:6F:A5:6E:22:D5:0E:B1:B0:54:29:47:02:AE:95:8B:E6:A6:B7 (alt names: "DNS:puppet", "DNS:cu2.eshore.cn")


# Clean up the invalid signing request locally, or simply delete the ssl directory: rm -rf /var/lib/puppet/ssl
[root@cu1 ~]# puppet certificate_request destroy cu1.ds.ctyun
Notice: Removing file Puppet::SSL::CertificateRequest cu1.ds.ctyun at '/etc/puppetlabs/puppet/ssl/certificate_requests/cu1.ds.ctyun.pem'


# Server side: clean up the invalid request from a specific client
# http://serverfault.com/questions/574976/puppet-trying-to-configure-puppet-client-for-first-use-but-got-some-problems-wi
[root@cu2 puppet]# puppet node clean cu1.ds.ctyun 
Notice: Removing file Puppet::SSL::CertificateRequest cu1.ds.ctyun at '/etc/puppetlabs/puppet/ssl/ca/requests/cu1.ds.ctyun.pem'
cu1.ds.ctyun


# The server signs; the agent then syncs the manifest
[root@cu2 puppet]# puppet cert sign cu1.eshore.cn
Notice: Signed certificate request for cu1.eshore.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu1.eshore.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu1.eshore.cn.pem'

[root@cu1 ~]# puppet agent --server cu2.eshore.cn --test
Info: Caching certificate_revocation_list for ca
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu1.eshore.cn
Info: Applying configuration version '1461156849'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.01 seconds

For the other hosts, change the domain and then sign them all at once:

[root@cu2 puppet]# puppet cert list 
  "cu3.eshore.cn" (SHA256) 16:CB:A3:6D:21:69:78:D0:0D:37:1F:A7:C1:86:2E:55:7F:B1:60:77:05:EC:F5:37:81:12:28:73:61:1A:4F:20
  "cu4.eshore.cn" (SHA256) CB:80:64:BD:B8:56:56:43:90:11:D4:B2:A9:7B:D8:DC:E4:0C:8D:5A:71:0B:FF:97:65:20:F5:B4:D7:15:11:B6
  "cu5.eshore.cn" (SHA256) D6:9A:B0:93:98:94:D2:D2:E3:A9:55:24:EC:7A:E0:13:48:5B:26:16:6C:5A:B6:11:F5:7C:F2:56:E4:DA:D8:31
[root@cu2 puppet]# puppet cert sign --all
Notice: Signed certificate request for cu5.eshore.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu5.eshore.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu5.eshore.cn.pem'
Notice: Signed certificate request for cu4.eshore.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu4.eshore.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu4.eshore.cn.pem'
Notice: Signed certificate request for cu3.eshore.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu3.eshore.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu3.eshore.cn.pem'


# Final result
[root@cu2 puppet]# puppet cert list -all
+ "cu1.eshore.cn" (SHA256) 46:69:EE:A8:E5:F9:FB:E3:59:63:C5:FC:52:AF:14:43:70:EF:D0:42:70:C4:0E:D2:14:E4:1C:D9:94:F8:9E:E7
+ "cu2.eshore.cn" (SHA256) 3D:8E:4E:18:45:F4:8C:9B:71:7C:13:45:0D:8A:6F:A5:6E:22:D5:0E:B1:B0:54:29:47:02:AE:95:8B:E6:A6:B7 (alt names: "DNS:puppet", "DNS:cu2.eshore.cn")
+ "cu3.eshore.cn" (SHA256) 58:ED:A3:CC:B9:53:34:4B:64:3C:2A:B4:91:AD:0D:8F:AF:EA:B0:5C:A7:73:06:F1:A7:4B:D2:E2:06:B5:21:39
+ "cu4.eshore.cn" (SHA256) DD:A2:B9:86:53:29:DB:12:A3:0C:AA:9C:11:68:72:70:72:E2:16:36:8E:20:AC:E5:48:12:36:E2:80:6C:F0:E6
+ "cu5.eshore.cn" (SHA256) EE:E6:FB:D2:1A:04:AD:C3:5B:1F:4F:79:C3:B6:36:15:B5:AC:8B:8B:5D:CB:A4:AA:AF:7B:FB:50:0B:83:7E:38

Autosign configuration file

This is all learning anyway, growing through endless tinkering. In production it is best not to clean up the server's signed certificates: not only do all clients have to be re-signed, but if PuppetDB or other programs that need certificates are installed, their certificates have to be set up again as well.

Note: if PuppetDB was installed following the official steps, clean up the server's certificates with the command puppet cert clean DOMAIN; otherwise PuppetDB still holds cached information for the old certificate.

# https://tickets.puppetlabs.com/browse/PUP-1426
# Apparently cleaning all signed certificates at once is not supported
[root@cu2 ~]# puppet cert clean --all 
Error: Refusing to revoke all certs, provide an explicit list of certs to revoke

# Delete the ssl directory directly
[root@cu2 ~]# puppet master --configprint ssldir
/etc/puppetlabs/puppet/ssl

[root@cu2 ~]# cd /etc/puppetlabs/puppet
[root@cu2 puppet]# ll
...
drwxrwx--x 8 puppet puppet 4096 Apr 20 15:10 ssl

# Mind the permissions of the ssl directory. Only the files inside it are deleted here
[root@cu2 puppet]# service puppetserver stop
Stopping puppetserver:                                     [  OK  ]
[root@cu2 puppet]# 
[root@cu2 puppet]# rm -rf ssl/*


# Start the service first and see what happens when a previously signed agent connects
[root@cu2 puppet]# service puppetserver start
Starting puppetserver:                                     [  OK  ]

[root@cu2 puppet]# tree ssl/
ssl/
├── ca
│   ├── ca_crl.pem
│   ├── ca_crt.pem
│   ├── ca_key.pem
│   ├── ca_pub.pem
│   ├── inventory.txt
│   ├── requests
│   ├── serial
│   └── signed
│       └── cu2.eshore.cn.pem
├── certificate_requests
├── certs
│   ├── ca.pem
│   └── cu2.eshore.cn.pem
├── crl.pem
├── private
├── private_keys
│   └── cu2.eshore.cn.pem
└── public_keys
    └── cu2.eshore.cn.pem


# The agent's next request fails. Delete its ssl directory, then sign again
[root@cu3 ~]# puppet agent --server cu2.eshore.cn --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.eshore.cn]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.eshore.cn]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.eshore.cn]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.eshore.cn]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.eshore.cn]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.eshore.cn]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cu2.eshore.cn]

[root@cu3 ~]# puppet agent --configprint ssldir
/etc/puppetlabs/puppet/ssl
[root@cu3 ~]# cd /etc/puppetlabs/puppet
[root@cu3 puppet]# rm -rf ssl/*
[root@cu3 puppet]# puppet agent --server cu2.eshore.cn --test
Info: Creating a new SSL key for cu3.eshore.cn
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu3.eshore.cn
Info: Certificate Request fingerprint (SHA256): 9D:58:14:C0:CA:DD:51:77:0B:3F:EB:09:02:9B:D6:67:04:FD:48:7A:6E:CB:83:43:8D:5B:A9:78:0C:89:90:5B
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

[root@cu2 puppet]# puppet cert list -all
  "cu3.eshore.cn" (SHA256) 9D:58:14:C0:CA:DD:51:77:0B:3F:EB:09:02:9B:D6:67:04:FD:48:7A:6E:CB:83:43:8D:5B:A9:78:0C:89:90:5B
+ "cu2.eshore.cn" (SHA256) BA:C4:C9:CC:92:6E:45:2E:B1:7F:BC:15:49:0A:2C:BB:5F:C6:B0:73:EB:6C:21:EA:C8:A6:DD:2D:FE:DF:67:70 (alt names: "DNS:puppet", "DNS:cu2.eshore.cn")
[root@cu2 puppet]# puppet cert sign --all
Notice: Signed certificate request for cu3.eshore.cn
Notice: Removing file Puppet::SSL::CertificateRequest cu3.eshore.cn at '/etc/puppetlabs/puppet/ssl/ca/requests/cu3.eshore.cn.pem'

[root@cu3 puppet]# puppet agent --server cu2.eshore.cn --test
Info: Caching certificate for cu3.eshore.cn
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for cu3.eshore.cn
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu3.eshore.cn
Info: Applying configuration version '1461205206'
Notice: Applied catalog in 0.01 seconds


# Configure autosign
# https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html
# On the master node that hosts the CA, configure autosign: Naïve Autosigning
[root@cu2 puppet]# vi puppet.conf 
...
autosign = true
# Or add a configuration file: Basic Autosigning (autosign.conf)
[root@cu2 puppet]# vi autosign.conf
*.eshore.cn

[root@cu2 puppet]# service puppetserver restart
Stopping puppetserver:                                     [  OK  ]
Starting puppetserver:                                     [  OK  ]


# The agent is re-signed automatically
[root@cu1 ~]# cd /etc/puppetlabs/puppet/
[root@cu1 puppet]# rm -rf ssl/*
[root@cu1 puppet]# 
[root@cu1 puppet]# puppet agent --server cu2.eshore.cn --test
Info: Creating a new SSL key for cu1.eshore.cn
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for cu1.eshore.cn
Info: Certificate Request fingerprint (SHA256): D1:F5:6D:A4:91:57:DF:92:47:98:B7:C6:78:E5:C5:E0:AA:DA:70:90:0D:68:48:09:81:FA:65:98:02:F0:84:A9
Info: Caching certificate for cu1.eshore.cn
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for cu1.eshore.cn
Info: Applying configuration version '1461205750'
Notice: Applied catalog in 0.02 seconds

[root@cu2 puppet]# puppet cert list -all
+ "cu1.eshore.cn" (SHA256) F9:48:1D:85:A7:44:78:71:AA:44:02:3F:98:20:DB:20:B1:DA:10:EC:3A:6A:AE:85:D4:37:EC:9E:20:AB:84:AA
+ "cu2.eshore.cn" (SHA256) BA:C4:C9:CC:92:6E:45:2E:B1:7F:BC:15:49:0A:2C:BB:5F:C6:B0:73:EB:6C:21:EA:C8:A6:DD:2D:FE:DF:67:70 (alt names: "DNS:puppet", "DNS:cu2.eshore.cn")
+ "cu3.eshore.cn" (SHA256) BA:00:57:50:1D:91:40:0D:7D:E4:C5:99:6F:3F:77:D6:E8:C4:71:5B:8D:8C:AB:FA:D0:D4:5C:36:5D:AB:A7:1B
+ "cu4.eshore.cn" (SHA256) 96:64:4A:73:EC:D7:A6:0D:73:37:82:33:2D:0D:B3:BF:A6:A8:6B:9B:D4:05:D0:2C:46:3B:E2:22:6E:43:39:91
+ "cu5.eshore.cn" (SHA256) 54:48:34:BF:C9:60:8C:4C:D2:9D:C9:A3:52:2E:EB:29:AC:2E:84:2E:9E:34:F1:A3:30:83:46:0E:BF:A9:5D:9A

Besides autosign.conf, autosign can also be driven by a shell script or command; see the official documentation: https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html
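With autosign = true or the *.eshore.cn wildcard, the only thing the CA checks is the name the requester chose for itself, so any machine that can reach cu2 and calls itself something.eshore.cn gets a signed certificate and can fetch catalogs. The policy executable form mentioned above can additionally require a secret carried in the CSR; the script below is an added example of such a policy (not from the original post or from Puppet) and assumes it is installed as /etc/puppetlabs/puppet/autosign.sh with autosign = /etc/puppetlabs/puppet/autosign.sh in the [master] section, that the key is kept in /etc/puppetlabs/puppet/autosign_psk, and that agents put the same key in csr_attributes.yaml under extension_requests as pp_preshared_key.

```shell
#!/bin/sh
# Policy-based autosign executable (added example, not from the original post
# or from Puppet). puppetserver runs it as  autosign.sh <certname>  with the
# PEM-encoded CSR on stdin and signs the request only when it exits 0.
# Assumed locations: this script at /etc/puppetlabs/puppet/autosign.sh
# (puppet.conf [master]: autosign = /etc/puppetlabs/puppet/autosign.sh) and a
# one-line pre-shared key in /etc/puppetlabs/puppet/autosign_psk (mode 0640,
# owned by puppet). Agents carry the same key in csr_attributes.yaml under
# extension_requests as pp_preshared_key (OID 1.3.6.1.4.1.34380.1.1.4).

PSK_FILE="${PSK_FILE:-/etc/puppetlabs/puppet/autosign_psk}"
PSK_OID='1\.3\.6\.1\.4\.1\.34380\.1\.1\.4'   # pp_preshared_key

# Accept only a single lower-case label directly under eshore.cn; unlike the
# autosign.conf wildcard this also fixes the shape of the name.
certname_allowed() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9-]*\.eshore\.cn$'
}

# Read `openssl req -noout -text` output on stdin and print the value of the
# pp_preshared_key extension: openssl prints unknown extensions as the raw
# bytes on the line after the OID, with the ASN.1 tag/length shown as dots.
extract_psk_from_text() {
    sed -n "/$PSK_OID/{n;s/^[^A-Za-z0-9]*//;s/[[:space:]]*\$//;p;}"
}

# Pure decision, fail closed: 0 = sign, 1 = refuse.
# $1 certname, $2 key presented in the CSR, $3 expected key.
should_sign() {
    certname_allowed "$1" || return 1
    [ -n "$2" ] && [ "$2" = "$3" ]
}

main() {
    expected=$(head -n 1 "$PSK_FILE" 2>/dev/null)
    presented=$(openssl req -noout -text 2>/dev/null | extract_psk_from_text)
    if should_sign "$1" "$presented" "$expected"; then
        echo "autosign: accepting $1" >&2
        exit 0
    fi
    echo "autosign: refusing $1 (name outside eshore.cn, or missing/wrong pp_preshared_key)" >&2
    exit 1
}

# Only act when invoked by puppetserver with a certname argument.
if [ $# -gt 0 ]; then main "$@"; fi
```

A refused request stays in the CA's pending list, so puppet cert list on cu2 still shows who asked and with which fingerprint.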

Having to specify the server on every agent run is tedious; set it in puppet.conf so that each run reads it from the configuration file:

[root@cu2 plugins]# vi /etc/puppetlabs/puppet/puppet.conf 
...
[agent]
server = cu2.eshore.cn
certname = cu2.eshore.cn  # When the hostname is unreliable, use this to pin the current machine's name!! Set it separately on each machine!

Command cheat sheet

puppet agent --server cu2.eshore.cn --test

puppet cert list -all

puppet node clean cu1.ds.ctyun 
puppet cert clean cu2.ds.ctyun
puppet certificate_request destroy cu1.ds.ctyun

puppet cert sign cu1.eshore.cn
puppet cert sign --all

puppet config print certname
puppet master --configprint ssldir
puppet agent --configprint ssldir

–END
