Client side:
The client sends a certificate signing request. Note the request fingerprint it prints at the end: that is the value the master's puppetca -l must show before the request is signed.
- [root@web01 puppet-2.7.21]# puppetd --test --server Centos-server
- err: Could not retrieve catalog from remote server: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: centos-server]    <- error: the CA certificate cached on the client does not match the CA that signed the master's certificate (typically the master's CA was regenerated)
- [root@web01 puppet-2.7.21]# rm -rf /var/lib/puppet/ssl/
This throws away the client's key, its certificate and the CA certificate it trusts. On the next run the agent silently caches whatever CA the master presents ("Caching certificate for ca" below), so only do this when you know the master's CA really changed, and expect to have the host signed again.
- [root@web01 puppet-2.7.21]# puppetd --test --server Centos-server
- info: Creating a new SSL key for web01.localdomain
- info: Caching certificate for ca
- info: Creating a new SSL certificate request for web01.localdomain
- info: Certificate Request fingerprint (md5): 93:00:78:65:06:C4:A7:60:46:2D:AF:49:A7:43:DA:81
- Exiting; no certificate found and waitforcert is disabled
Verify the certificate (this only works once the master has signed the request and the agent has fetched the certificate on its next run; the hash must match the master's copy under /var/lib/puppet/ssl/ca/signed/)
- [root@web01 ~]# md5sum /var/lib/puppet/ssl/certs/web01.localdomain.pem
- 3e3caddfa5f7a48e9b94a8c536f2ecdc /var/lib/puppet/ssl/certs/web01.localdomain.pem
Server side:
List the certificate requests waiting for approval; the fingerprint shown is the request fingerprint the client printed
- [root@Centos-server ~]# puppetca -l
- "web01.localdomain" (93:00:78:65:06:C4:A7:60:46:2D:AF:49:A7:43:DA:81)
Sign the request, after checking that the fingerprint shown by puppetca -l matches the one printed on the client (a mismatch means someone else submitted a request under that name)
- [root@Centos-server ~]# puppetca -s web01.localdomain
- notice: Signed certificate request for web01.localdomain
- notice: Removing file Puppet::SSL::CertificateRequest web01.localdomain at '/var/lib/puppet/ssl/ca/requests/web01.localdomain.pem'
Check the signing status; the leading + marks certificates that have been signed. The fingerprint listed here is that of the signed certificate, so it differs from the request fingerprint shown above.
- [root@Centos-server ~]# puppetca -a --list
- + "centos-server" (67:FB:EB:79:FC:9A:F8:FC:37:EB:4B:07:8B:91:D4:14)
- + "centos-server.localdomain" (8B:60:F1:FF:7A:17:B0:66:88:72:F8:B5:C0:97:FF:5A) (alt names: "DNS:Centos-server.localdomain", "DNS:centos-server.localdomain", "DNS:puppet", "DNS:puppet.localdomain")
- + "web01.localdomain" (E4:89:58:EE:2F:95:58:34:4A:6F:2D:73:1A:DC:35:A7)
- [root@Centos-server ~]# puppetca -s -a    // signs every pending request at once; this skips the fingerprint check, so use it only when every pending name is known to you
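The manual signing step above is only a real check if the fingerprint on the master is compared with the one the agent printed. The following script is an added example (not from the original post) that does this on the master: it recomputes the request fingerprint with openssl from the CSR under /var/lib/puppet/ssl/ca/requests/ (the Puppet 2.7 CA layout used in the post), compares it with the value read off the agent's console, and runs puppetca -s only when they agree. The PUPPETCA variable and the sign_if_verified/csr_fingerprint names are this example's own conventions.

```sh
#!/bin/sh
# Added example, not part of the original post: verify a pending CSR on the
# master against the fingerprint the agent printed, and only then sign it.
# Puppet 2.7 prints "Certificate Request fingerprint (md5): ..." which is the
# MD5 of the DER-encoded request, uppercase hex with colons; the same value is
# recomputed here with openssl so the decision does not rely on puppetca -l alone.
# PUPPETCA lets the signing command be overridden (an assumption for testing).
set -eu

PUPPETCA=${PUPPETCA:-puppetca}

# MD5 fingerprint of a PEM CSR in Puppet's notation (AA:BB:...).
csr_fingerprint() {
    openssl req -in "$1" -outform DER 2>/dev/null \
      | openssl dgst -md5 -c \
      | sed 's/^.*= *//' \
      | tr 'abcdef' 'ABCDEF'
}

# Case- and separator-insensitive comparison so a value typed from the agent's
# console still matches; an empty fingerprint never matches anything.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'abcdef' 'ABCDEF')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# sign_if_verified CERTNAME EXPECTED_FINGERPRINT [REQUESTS_DIR]
# Refuses (exit 1) when the request on disk differs from what the agent
# reported, which is what you see when someone else submitted a CSR for
# that name. REQUESTS_DIR defaults to the Puppet 2.7 CA directory.
sign_if_verified() {
    name=$1; expected=$2; reqdir=${3:-/var/lib/puppet/ssl/ca/requests}
    csr="$reqdir/$name.pem"
    [ -r "$csr" ] || { echo "no pending request for $name at $csr" >&2; return 1; }
    actual=$(csr_fingerprint "$csr")
    if fingerprint_matches "$actual" "$expected"; then
        echo "fingerprint OK for $name ($actual), signing"
        "$PUPPETCA" -s "$name"
    else
        echo "REFUSING to sign $name: on disk $actual, agent reported $expected" >&2
        return 1
    fi
}

# Usage on the master, with the value read off the agent's console:
#   ./verify-sign.sh sign web01.localdomain 93:00:78:65:06:C4:A7:60:46:2D:AF:49:A7:43:DA:81
if [ "${1:-}" = sign ]; then
    sign_if_verified "$2" "$3" "${4:-}"
fi
```

The fingerprint is the request's, not the certificate's; after signing, puppetca --list --all shows a different value for the same host, as the listing in the post does.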
How to have Puppet sign all clients automatically
- [root@Centos-server ~]# vim /etc/puppet/puppet.conf
- autosign = true    in the [master] section; the master then signs every request as it arrives
- autosign = /etc/puppet/autosign.conf    or point autosign at a whitelist file instead
With autosign = true, anyone who can reach the master's port gets a certificate for whatever certname they ask for, and with it that node's catalog and any secrets in it. Prefer the whitelist form, and keep in mind that the certname is chosen by the client, so even a domain glob only restricts which names are accepted, not who may claim them.
- [root@Centos-server manifests]# vim /etc/puppet/autosign.conf
- 172.16.10.0/24
A line containing just * matches everything; the post also lists domain names, IP addresses and subnets, for example:
*
*.test.com
192.168.0.1/24
- [root@Centos-server ~]# /etc/init.d/puppetmaster restart
- Stopping puppetmaster: [ OK ]
- Starting puppetmaster: [ OK ]
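Because the autosign settings above decide who gets a certificate without anyone looking, it is worth checking them before a master goes into service. The script below is an added example (not from the original post): it reads the autosign value from puppet.conf and, when that value is a whitelist file, grades each entry. A bare * fails the audit, a glob such as *.test.com is reported because any host can request a certname under that domain, and IP or CIDR entries are reported because the file is matched against the certname in the request; whether such entries are checked against the client's address at all is something to confirm against your release's documentation. The paths default to the locations used in the post and can be pointed at copied files; the function names and the OK/WARN/FAIL output format are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: audit the autosign settings of
# a Puppet 2.7 master and fail when they would sign any CSR without review.
# Paths are parameters so the functions can be run against copied files; the
# defaults are the locations the post uses.
set -eu

# Effective `autosign` value from puppet.conf. Section headers are ignored
# (the setting belongs in [master]); the last occurrence wins.
autosign_setting() {
    sed -n 's/^[[:space:]]*autosign[[:space:]]*=[[:space:]]*//p' "${1:-/etc/puppet/puppet.conf}" \
      | sed 's/[[:space:]]*$//' | tail -n 1
}

# Grade each entry of an autosign.conf whitelist, one verdict line per entry.
# Exit status 1 if a bare "*" is present (every certname is signed).
# Globs are warned about because the certname is chosen by the client, and
# IP/CIDR entries because the file is matched against the certname in the CSR.
audit_whitelist() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "*" { print "FAIL  " $1 ": any certname is signed"; bad++; next }
        $1 ~ /^[0-9.]+(\/[0-9]+)?$/ { print "WARN  " $1 ": IP/CIDR entry is compared to the certname, not the client address"; next }
        $1 ~ /\*/ { print "WARN  " $1 ": any host may request a certname matching this glob"; next }
        { print "OK    " $1 ": exact certname" }
        END { exit (bad > 0) }
    ' "$1"
}

# Overall verdict: 0 = manual or restricted signing, 1 = unrestricted.
audit_autosign() {
    conf=${1:-/etc/puppet/puppet.conf}
    setting=$(autosign_setting "$conf")
    case "$setting" in
        "")    echo "autosign not set: requests wait for puppetca -s (OK)"; return 0;;
        false) echo "autosign = false: requests wait for puppetca -s (OK)"; return 0;;
        true)  echo "FAIL  autosign = true: every CSR is signed as it arrives" >&2; return 1;;
        *)     [ -r "$setting" ] || { echo "FAIL  autosign file $setting is not readable" >&2; return 1; }
               audit_whitelist "$setting";;
    esac
}

# Usage on the master (the second argument is optional):
#   ./audit-autosign.sh run /etc/puppet/puppet.conf
if [ "${1:-}" = run ]; then
    audit_autosign "${2:-}"
fi
```

Run it after editing puppet.conf and before restarting puppetmaster; a non-zero exit means the master would sign requests it has never seen a fingerprint for.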
Verify the certificate on the master: the hash of the signed certificate matches the copy on the client
- [root@Centos-server ~]# md5sum /var/lib/puppet/ssl/ca/signed/web01.localdomain.pem
- 3e3caddfa5f7a48e9b94a8c536f2ecdc /var/lib/puppet/ssl/ca/signed/web01.localdomain.pem
Reposted from: https://blog.51cto.com/nowsafe/1190413