工作中常遇到puppet服务端/客户端证书认证异常,需要重新生成证书。常见操作是删除服务端/客户端上相关的老证书,然后生成新证书。针对这种情况,编写了一个shell脚本,只需将此脚本在Client端定时运行即可。由于脚本中涉及到了明文密码,为了提高安全性,可以考虑对此脚本进行加密(可参考: http://lxsym.blog.51cto.com/1364623/768286 )
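#!/bin/bash
# Re-issue the puppet client certificate when the agent's cert check fails.
# 2012/05/30 Richard Shen
#
# No `set -e` here on purpose: `puppetd --test` routinely exits non-zero on a
# normal run, so the check below is based on its output, not its exit status.
SIP="192.168.11.6"          # puppet server IP
# Server-side root password. Taken from the environment when already set, so
# the literal default can be removed from this file; the literal is readable by
# anyone who can read the script.
SPASSWD="${SPASSWD:-hello}"
host=$(hostname)
s_dns=".dns.abc.com.pem"    # internal DNS suffix (host -> IP mapping); adjust to your setup
s_ca_name="$host$s_dns"     # file name of this host's signed cert on the server
# 1 when the agent run printed "notice: Finished", 0 otherwise.
R_NUM=$(/usr/sbin/puppetd --test --server pup-ser-01.dns.abc.com | grep -c "notice: Finished")
# expect drives the ssh password prompt below; nc is not referenced by this
# script but is installed as before.
command -v nc     >/dev/null 2>&1 || yum -y install nc
command -v expect >/dev/null 2>&1 || yum -y install expect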
#LOGIN PUPPET SERVER
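#######################################
# Run a command on a remote host over ssh, answering the password prompt
# through expect.
# Arguments: $1 - password
#            $2 - ssh target (user@host)
#            $3.. - remote command and its arguments
# Returns:   the remote command's exit status (or the errno if expect's
#            `wait` reports an OS error); 1 if ssh ended before a password
#            prompt appeared; 2 if the password was rejected
# Notes:     StrictHostKeyChecking=no skips host-key verification, so the
#            password is typed into whatever host answers at that address.
#            Target and command are spliced into the Tcl script verbatim;
#            keep them free of Tcl metacharacters ($, [, ], {, }).
#######################################
auto_smart_ssh () {
  local passwd=$1
  local target=$2
  shift 2
  # "$*" joins the remaining arguments into ONE word inside the -c string;
  # the original "${@:3}" splits the quoted script into several expect
  # arguments whenever the remote command has more than one word.
  # The password goes through the environment instead of being interpolated
  # into the command line, so it does not appear in `ps` output.
  SSH_PASSWD="$passwd" expect -c "
    set timeout -1
    spawn ssh -o StrictHostKeyChecking=no $target $*
    expect {
      *assword:* {
        send -- \$env(SSH_PASSWD)\r
        expect {
          *denied* {exit 2}
          eof
        }
      }
      eof {exit 1}
    }
    exit [lindex [wait] 3]
  "
}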
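# Check the client up to twice, repairing on each failed check.
# R_NUM is re-evaluated after every repair, so a successful first attempt is
# not wiped again by the second iteration (the original computed it only
# once), and the loop stops as soon as the agent reports a finished run.
for ((i = 0; i < 2; i++)); do
  if [ "$R_NUM" -ne 1 ]; then
    # Drop the local SSL state; the next agent run creates a new key and CSR.
    rm -rf -- /var/lib/puppet/ssl/*
    # Remove the stale signed cert on the server so the new CSR can be signed.
    # `:?` aborts if the name is empty instead of removing the signed/ dir.
    auto_smart_ssh "$SPASSWD" "root@$SIP" rm -rf "/var/lib/puppet/ssl/ca/signed/${s_ca_name:?}"
    # Re-run the agent; echo its output as before, then refresh the check.
    run_out=$(/usr/sbin/puppetd --test --server pup-ser-01.dns.abc.com)
    printf '%s\n' "$run_out"
    R_NUM=$(printf '%s\n' "$run_out" | grep -c "notice: Finished")
  else
    echo "$host puppet client is ok"
    break
  fi
done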
分享快乐,若大家有什么好的想法,可以交流一下~欢迎转载 - -