# 在机器A 上认证 ca-1
# 补充: master-1 的IP就是 192.168.1.100
# 补充: ca-1 作为agent 连接master-1, 需要配置 /etc/hosts 和 /etc/puppet/puppet.conf
root@ca-1:/var/lib/puppet# puppet agent --test --server=192.168.1.100
Info: Creating a new SSL key for ca-1.puppet.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ca-1.puppet.com
Info: Certificate Request fingerprint (SHA256): C3:CD:C6:8E:34:22:40:8D:32:00:1B:E5:54:E2:C1:C7:96:79:BF:B0:1A:A8:FD:11:B4:32:D6:4F:AE:54:AB:94
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
root@ca-1:/var/lib/puppet# puppet agent --test
Info: Caching certificate for ca-1.puppet.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca-1.puppet.com
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for ca-1.puppet.com
Info: Applying configuration version '1420697839'
Notice: Finished catalog run in 0.01 seconds
sent 10898 bytes received 218 bytes 1170.11 bytes/sec
total>
# 修改 ca-1 上默认的 puppetmaster 配置
root@ca-1:~# cat /etc/apache2/sites-available/puppetmaster
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.
# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLCertificateFile /var/lib/puppet/ssl/certs/ca-1.puppet.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ca-1.puppet.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking; if you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
#!!! RequestHeader 相关内容都要注释掉
#RequestHeader unset X-Forwarded-For
#RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e