1. On the server, list the client certificates
# puppet cert list (--all)
"slave-puppet" (SHA256) A0:BE:9F:85:2F:67:2A:1D:94:D2:A4:4C:8F:2F:6D:2A:C4:F2:33:B4:18:66:1C:6A:D6:AC:10:92:50:4D:A2:D2
2. Have the client generate an SSL certificate (run on the server)
Generate the certificate:
# puppet agent --test --server master.zjcap.cn
# puppet cert list --all   (certificates that have been signed are prefixed with +)
"slave-puppet" (SHA256) A0:BE:9F:85:2F:67:2A:1D:94:D2:A4:4C:8F:2F:6D:2A:C4:F2:33:B4:18:66:1C:6A:D6:AC:10:92:50:4D:A2:D2
+ "master" (SHA256) 1D:A2:B7:1B:F1:87:BE:82:F6:5C:02:F2:81:C6:0E:3F:E4:3F:9D:5D:97:56:86:14:E5:02:86:C0:39:15:FC:AF
Sign the certificate:
# puppet cert --sign master
# puppet cert list --all
+ "master" (SHA256) 1D:A2:B7:1B:F1:87:BE:82:F6:5C:02:F2:81:C6:0E:3F:E4:3F:9D:5D:97:56:86:14:E5:02:86:C0:39:15:FC:AF
+ "slave-puppet" (SHA256) 89:AF:41:52:4B:22:C7:34:F6:D8:81:1A:8B:7A:1E:F2:D2:07:C5:83:1E:F9:FD:29:3B:7C:14:07:92:BE:5B:61
Remove a signed certificate:
# puppet cert clean (master | --all)
If a client's certificate has been cleaned and you want to enroll the client again:
1) Clear out the client's old certificate: # rm -rf /var/lib/puppet/ssl/*
2) Restart puppet on the client: # service puppet restart
3. Configure Puppet to sign certificates automatically
1) On the server, remove the client certificate: # puppet cert clean slave-puppet
2) On the client, delete the SSL files: # rm -rf /var/lib/puppet/ssl/*
3) On the server:
# vim /etc/puppet/autosign.conf
*.zjcap.cn
# vim /etc/puppet/puppet.conf
Add under [main]:
autosign = true
4) Restart puppet on both the server and the client
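The two settings above do not combine the way the note may suggest: in puppet.conf, `autosign = true` tells the master to sign every CSR it receives, whatever name the requester chose, and the `*.zjcap.cn` line in autosign.conf is only consulted when `autosign` is left at its default (the path of autosign.conf) or set to that path explicitly. The script below is an added example, not part of the original note or of Puppet itself: it parses the text that `puppet cert list --all` prints (a leading `+` marks a signed certificate) and reports which pending requests a given autosign configuration would sign without operator review. The certificate list is constructed for this example, and the glob matching is an approximation of Puppet's own (one entry per line, `*` wildcard, case-insensitive).

```python
"""Which pending Puppet CSRs would a given autosign configuration sign?

Added example (not from the original note and not Puppet's code). Glob matching
approximates Puppet's autosign.conf semantics; the sample list is constructed.
"""
import fnmatch
from dataclasses import dataclass

# Constructed sample in the format of `puppet cert list --all`:
#   '+' = signed, '-' = revoked, no prefix = pending request.
SAMPLE_CERT_LIST = """\
  "slave.zjcap.cn"    (SHA256) AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
  "rogue.example.org" (SHA256) 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
+ "master.zjcap.cn"   (SHA256) 1D:A2:B7:1B:F1:87:BE:82:F6:5C:02:F2:81:C6:0E:3F
"""

# Constructed stand-in for /etc/puppet/autosign.conf (blank lines and '#' comments allowed).
SAMPLE_AUTOSIGN_CONF = """\
# hosts in our own domain
*.zjcap.cn
"""


@dataclass
class CertEntry:
    name: str
    state: str        # "signed", "revoked" or "pending"
    fingerprint: str


def parse_cert_list(text):
    """Parse `puppet cert list --all` output into CertEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        state = "pending"
        if line[0] in "+-":
            state = "signed" if line[0] == "+" else "revoked"
            line = line[1:].strip()
        # The certname is double-quoted; the fingerprint follows "(SHA256)".
        name_end = line.index('"', 1)
        name = line[1:name_end]
        fingerprint = line[name_end + 1:].split(")", 1)[1].strip()
        entries.append(CertEntry(name, state, fingerprint))
    return entries


def autosign_patterns(conf_text):
    """Return the non-comment, non-empty patterns of an autosign.conf file."""
    return [ln.strip().lower() for ln in conf_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def would_autosign(certname, autosign_setting, patterns):
    """True if a CSR for certname is signed with no operator involvement.

    autosign_setting is the raw puppet.conf value: "true", "false", or a path
    (in which case the patterns from that file decide).
    """
    setting = autosign_setting.strip().lower()
    if setting == "true":
        return True           # every CSR is signed, including unknown hosts
    if setting == "false":
        return False
    return any(fnmatch.fnmatchcase(certname.lower(), p) for p in patterns)


def autosign_report(cert_list_text, autosign_setting, conf_text):
    """Map each pending certname to whether the policy would sign it."""
    patterns = autosign_patterns(conf_text)
    return {e.name: would_autosign(e.name, autosign_setting, patterns)
            for e in parse_cert_list(cert_list_text) if e.state == "pending"}


if __name__ == "__main__":
    for setting in ("true", "/etc/puppet/autosign.conf"):
        print(f"autosign = {setting}:")
        for name, signed in autosign_report(SAMPLE_CERT_LIST, setting, SAMPLE_AUTOSIGN_CONF).items():
            print(f"  {name:20} {'AUTO-SIGNED' if signed else 'needs review'}")
```

Running it shows the difference that matters: with `autosign = true` the out-of-domain request is signed along with the in-domain one, while pointing `autosign` at the file signs only names matching `*.zjcap.cn`.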
4. Test the certificate
1) On the server, edit the site manifest
# vim /etc/puppet/manifests/site.pp
node default {
    file { "/tmp/123.txt":
        content => "test,test",
    }
}
This creates the file /tmp/123.txt with the content test,test
Error:
Could not retrieve catalog from remote server: Server hostname 'master.zjcap.cn' did not match server certificate; expected master
Mar 8 17:38:53 slave-puppet puppet-agent[14864]: Using cached catalog
Mar 8 17:38:53 slave-puppet puppet-agent[14864]: Could not retrieve catalog; skipping run
Mar 8 17:38:54 slave-puppet puppet-agent[14864]: Could not send report: Server hostname 'master.zjcap.cn' did not match server certificate; expected master
Mar 8 17:38:57 slave-puppet puppet-agent[15008]: Unable to fetch my node definition, but the agent run will continue:
Mar 8 17:38:57 slave-puppet puppet-agent[15008]: Server hostname 'master.zjcap.cn' did not match server certificate; expected master
Fix: make the hostname values in /etc/hosts and /etc/sysconfig/network consistent on the master and the client
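The error above is a TLS name check: the agent connected to `master.zjcap.cn`, but the master's certificate was issued for the certname `master`, so the names never match and the run is refused. The note fixes this by making the resolvable hostname equal to the certname. The following is an added example, not part of the original note or of Puppet, that reproduces the check offline with the usual TLS name-matching rules (case-insensitive; a `*` may only stand for the entire leftmost label and matches exactly one label). Certificate names are passed in as constructed values; in a real check they come from the master certificate's CN and its subjectAltName dNSName entries (which Puppet populates from the `dns_alt_names` setting when the master certificate is generated).

```python
"""Does the server name an agent uses match a name in the master certificate?

Added example, not from the original note. Reproduces the mismatch shown above
('master.zjcap.cn' vs. a certificate issued for 'master') and the cases that
would pass. Certificate names are constructed inputs.
"""


def _name_matches(cert_name, server_name):
    """Match one certificate name (CN or SAN) against the server name."""
    pattern = cert_name.lower().rstrip(".")
    host = server_name.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False                      # no wildcard, exact match required
    p_labels = pattern.split(".")[1:]     # labels after the '*'
    h_labels = host.split(".")
    # '*' stands for exactly one label, so '*.zjcap.cn' does not cover 'a.b.zjcap.cn'.
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def hostname_matches(server_name, certname, dns_alt_names=()):
    """Return the certificate name that matches server_name, or None."""
    for candidate in [certname, *dns_alt_names]:
        if _name_matches(candidate, server_name):
            return candidate
    return None


def explain(server_name, certname, dns_alt_names=()):
    """Human-readable verdict, in the spirit of the agent's error message."""
    match = hostname_matches(server_name, certname, dns_alt_names)
    if match is not None:
        return f"OK: server hostname '{server_name}' matches certificate name '{match}'"
    names = [certname, *dns_alt_names]
    return (f"MISMATCH: server hostname '{server_name}' did not match server "
            f"certificate; certificate names are {names}")


if __name__ == "__main__":
    # The situation from the note: agent uses the FQDN, certificate says 'master'.
    print(explain("master.zjcap.cn", "master"))
    # Resolved as the note does: connect using the certname itself.
    print(explain("master", "master"))
    # Resolved by reissuing the master certificate with the FQDN as a SAN.
    print(explain("master.zjcap.cn", "master", ["master.zjcap.cn", "puppet"]))
```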