夜勿眠 posted on 2018-8-3 07:02:41

Automated operations - combining the puppet server side and client side

  Client side:
  The client sends a certificate request. The "certificate verify failed" error below means the client's cached SSL data (key, request, CA certificate) no longer matches what the master holds, so the SSL directory is removed and a fresh key and request are generated. Note that deleting /var/lib/puppet/ssl/ discards the client's private key: if the master still has a signed certificate under the same certname, that old certificate must be removed on the master (puppetca --clean web01.localdomain) before the new request can be signed.
  


    # puppetd --test --server Centos-server
    err: Could not retrieve catalog from remote server: certificate verify failed    (error)

    # rm -rf /var/lib/puppet/ssl/
    # puppetd --test --server Centos-server
    info: Creating a new SSL key for web01.localdomain
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for web01.localdomain
    info: Certificate Request fingerprint (md5): 93:00:78:65:06:C4:A7:60:46:2D:AF:49:A7:43:DA:81
    Exiting; no certificate found and waitforcert is disabled
  

  Verify the certificate
  Record the fingerprint printed above (93:00:...:DA:81); it is what the master must show for this request before it is signed. Once the request has been signed on the master and the client has run puppetd --test again to fetch its certificate, the checksum of the client's copy can be compared with the master's signed copy:

    # md5sum /var/lib/puppet/ssl/certs/web01.localdomain.pem
    3e3caddfa5f7a48e9b94a8c536f2ecdc  /var/lib/puppet/ssl/certs/web01.localdomain.pem
  

  Server side:
  List the certificate requests currently waiting for approval. The fingerprint shown here must equal the one the client printed; only then is the request the one that client actually sent.

    # puppetca -l
    "web01.localdomain" (93:00:78:65:06:C4:A7:60:46:2D:AF:49:A7:43:DA:81)
  

  Approve the current certificate request

    # puppetca -s web01.localdomain
    notice: Signed certificate request for web01.localdomain
    notice: Removing file Puppet::SSL::CertificateRequest web01.localdomain at '/var/lib/puppet/ssl/ca/requests/web01.localdomain.pem'
  

  Check the signatures. Note the leading + sign, which means the certificate has been signed. For a signed entry the fingerprint shown is that of the issued certificate, not of the original request, which is why web01's value differs from the request fingerprint listed earlier.

    # puppetca -a --list
    + "centos-server"             (67:FB:EB:79:FC:9A:F8:FC:37:EB:4B:07:8B:91:D4:14)
    + "centos-server.localdomain" (8B:60:F1:FF:7A:17:B0:66:88:72:F8:B5:C0:97:FF:5A) (alt names: "DNS:Centos-server.localdomain", "DNS:centos-server.localdomain", "DNS:puppet", "DNS:puppet.localdomain")
    + "web01.localdomain"         (E4:89:58:EE:2F:95:58:34:4A:6F:2D:73:1A:DC:35:A7)

    # puppetca -s -a   // sign every pending client request

  puppetca -s -a signs every request in the pending list, whoever sent it, so run it only after the whole list has been checked against the fingerprints the clients reported.
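The fingerprint comparison that the list-and-sign steps above depend on, as an added shell example (not code from the original post): a request listed by puppetca -l is signed only if the fingerprint the master shows equals the one the client printed in its own "Certificate Request fingerprint (md5)" line and that the admin copied over out of band. The puppetca -l output and the record of client fingerprints are constructed sample strings, and the record file name /etc/puppet/expected-fingerprints mentioned in the comments is an assumption, not a Puppet default.

```shell
#!/bin/sh
# Added example, not part of the original post. Sign a pending puppet CSR on
# the master only when the fingerprint shown by `puppetca -l` matches the one
# the client itself printed ("info: Certificate Request fingerprint (md5): ...")
# and that was recorded out of band. Unknown or mismatching requests are left
# unsigned. All data below is constructed sample input.

# Constructed stand-in for the output of `puppetca -l` on the master.
SAMPLE_PENDING='"web01.localdomain" (93:00:78:65:06:C4:A7:60:46:2D:AF:49:A7:43:DA:81)
"web02.localdomain" (AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99)
"evil.localdomain" (01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10)'

# Constructed stand-in for the admin's record (assumed to live in
# /etc/puppet/expected-fingerprints), one "certname fingerprint" per line.
# web02's recorded value deliberately differs from what the master sees, and
# evil.localdomain was never recorded at all.
SAMPLE_EXPECTED='web01.localdomain 93:00:78:65:06:C4:A7:60:46:2D:AF:49:A7:43:DA:81
web02.localdomain FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF'

# verify_csrs PENDING EXPECTED
# PENDING is `puppetca -l` output (pending requests only, no leading "+"),
# EXPECTED the recorded fingerprints. Prints "OK name", "MISMATCH name" or
# "UNKNOWN name" per request and returns non-zero if any request is not OK.
verify_csrs() {
    local pending="$1" expected="$2" rc=0 line name fp want
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        # line format: "web01.localdomain" (93:00:...:81)
        name=${line#\"}; name=${name%%\"*}
        fp=${line##*\(}; fp=${fp%\)}
        want=$(printf '%s\n' "$expected" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$want" ]; then
            printf 'UNKNOWN %s\n' "$name"; rc=1
        elif [ "$want" != "$fp" ]; then
            printf 'MISMATCH %s\n' "$name"; rc=1
        else
            printf 'OK %s\n' "$name"
        fi
    done <<EOF
$pending
EOF
    return "$rc"
}

# signable_names PENDING EXPECTED: only the certnames that verified OK.
signable_names() {
    verify_csrs "$1" "$2" | awk '$1 == "OK" { print $2 }'
}

# sign_verified PENDING EXPECTED: run `puppetca -s` for each verified name.
# When DRY_RUN is non-empty the command is printed instead of executed.
sign_verified() {
    local name
    signable_names "$1" "$2" | while IFS= read -r name; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'would run: puppetca -s %s\n' "$name"
        else
            puppetca -s "$name"
        fi
    done
}

# Dry run by default so the demonstration below never calls puppetca; on the
# master run with DRY_RUN= (empty) and pass the real inputs:
#   sign_verified "$(puppetca -l)" "$(cat /etc/puppet/expected-fingerprints)"
DRY_RUN=${DRY_RUN-1}
verify_csrs "$SAMPLE_PENDING" "$SAMPLE_EXPECTED" || echo "some requests must not be signed"
sign_verified "$SAMPLE_PENDING" "$SAMPLE_EXPECTED"
```

On the constructed input only web01.localdomain is signed: web02's recorded fingerprint does not match the request the master received, and evil.localdomain has no recorded fingerprint at all, which is exactly the case puppetca -s -a would silently approve.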
  

  How to make puppet sign all client requests automatically

    # vim /etc/puppet/puppet.conf
        autosign = true                                       the master then signs every request automatically
        autosign = /etc/puppet/autosign.conf                  or: sign only requests that match this file

    # vim /etc/puppet/autosign.conf
    172.16.10.0/24

  The two autosign settings are alternatives; use one or the other. autosign = true signs a certificate for any host that can reach the master, so that host is immediately trusted to fetch catalogs, and should not be used outside an isolated test network. With the file form, each line of autosign.conf is one allowed entry: * means everything, or a domain name glob, an IP address or a network:
    *
    *.test.com
    192.168.0.1/24

  Keep in mind that the certname in a request is chosen by the client, so a domain entry only restricts what a requester may call itself, not who the requester is; a network entry trusts any machine that can send a request from that range.
  


    # /etc/init.d/puppetmaster restart
    Stopping puppetmaster:
    Starting puppetmaster:
  

  Verify the certificate
  The master's signed copy has the same checksum as the certificate on the client, confirming that the client received the certificate the master issued:

    # md5sum /var/lib/puppet/ssl/ca/signed/web01.localdomain.pem
    3e3caddfa5f7a48e9b94a8c536f2ecdc  /var/lib/puppet/ssl/ca/signed/web01.localdomain.pem
  