
Introduction to puppet cert command parameters (4)

The puppet cert command


puppet cert is the command that manages Puppet certificate signing. When an agent talks to the master it uses an SSL socket, so the traffic between the two sides is encrypted and the information stays confidential. With puppet cert you can manage, sign, revoke, display and generate certificates.


1. View the puppet cert help text (the help contains many comments; only the parameter part is reproduced here):

[[email protected] ~]# puppet cert -h
* clean:        #--clean removes every certificate file for the host that is stored on the master.
  Revoke a host's certificate (if applicable) and remove all files
  related to that host from puppet cert's storage. This is useful when
  rebuilding hosts, since new certificate signing requests will only be
  honored if puppet cert does not have a copy of a signed certificate
  for that host. If '--all' is specified then all host certificates,
  both signed and unsigned, will be removed.
* fingerprint:        #print the fingerprint (digest) of a certificate.
  Print the DIGEST (defaults to the signing algorithm) fingerprint of a
  host's certificate.
* generate:        #generate a certificate for the named agent client.
  Generate a certificate for a named client. A certificate/keypair will
  be generated for each client named on the command line.
* list:        #on the master, list the agents whose certificate requests are waiting to be signed.
  List outstanding certificate requests. If '--all' is specified, signed
  certificates are also listed, prefixed by '+', and revoked or invalid
  certificates are prefixed by '-' (the verification outcome is printed
  in parenthesis).
* print:        #print the full text of a certificate.
  Print the full-text version of a host's certificate.
* revoke:        #revoke the specified agent's certificate.
  Revoke the certificate of a client. The certificate can be specified either
  by its serial number (given as a hexadecimal number prefixed by '0x') or by its
  hostname. The certificate is revoked by adding it to the Certificate Revocation
  List given by the 'cacrl' configuration option. Note that the puppet master
  needs to be restarted after revoking certificates.
* sign:        #sign a pending certificate request.
  Sign an outstanding certificate request.
* verify:        #verify that the certificate was issued by the local CA.
  Verify the named certificate against the local CA certificate.
* reinventory:
  Build an inventory of the issued certificates. This will destroy the current
  inventory file specified by 'cert_inventory' and recreate it from the
  certificates found in the 'certdir'. Ensure the puppet master is stopped
  before running this action.
OPTIONS (sub-options of the command)
-------
Note that any setting that's valid in the configuration
file is also a valid long argument. For example, 'ssldir' is a valid
setting, so you can specify '--ssldir <directory>' as an
argument.
See the configuration file documentation at
http://docs.puppetlabs.com/references/stable/configuration.html for the
full list of acceptable parameters. A commented list of all
configuration options can also be generated by running puppet cert with
'--genconfig'.
* --all:        #all items. Can be used with 'sign', 'clean', 'list' and 'fingerprint'.
  Operate on all items. Currently only makes sense with the 'sign',
  'clean', 'list', and 'fingerprint' actions.
* --digest:        #set the digest used for fingerprinting (defaults to the digest the certificate was signed with); valid values depend on your openssl and openssl ruby extension versions.
  Set the digest for fingerprinting (defaults to the digest used when
  signing the cert). Valid values depends on your openssl and openssl ruby
  extension version.
* --debug:        #debug mode
  Enable full debugging.
* --help:
  Print this help message
* --verbose:
  Enable verbosity.
* --version:
  Print the puppet version number and exit.
EXAMPLE
-------
    $ puppet cert list
    culain.madstop.com
    $ puppet cert sign culain.madstop.com


2. Worked demonstration:

The demonstrations that follow keep using the three machines below until the puppet series is finished.

192.168.30.134 puppet

192.168.30.131 sh-web1

192.168.30.132 sh-proxy2


Question: there is no autosign.conf on the master, so certificates have to be signed manually. How is that done? And when a server is decommissioned, reformatted and reused for something else, what happens to its certificate information?

1. Remove the autosign.conf file on the master. (Editing it locally with the Windows svn client is enough.)


2. Restart puppetmaster and check the certificates. (Removing autosign.conf has no effect on certificates that are already signed.)

[[email protected] puppet]# /etc/init.d/puppetmaster reload
Stopping puppetmaster:                                     [  OK  ]
Starting puppetmaster:                                     [  OK  ]
[[email protected] puppet]# puppet cert list --all
+ "puppet"                (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet.localdomain"    (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "sh-proxy2.localdomain" (SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39
+ "sh-web1.localdomain"   (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B


3. Delete sh-proxy2's certificate files on the master.

--revoke invalidates the certificate (the documentation says the default certificate lifetime is 5 years; I have not verified this). First revoke the certificate, then clean it up.

[[email protected] puppet]# puppet cert --revoke sh-proxy2.localdomain
Notice: Revoked certificate with serial 5
[[email protected] puppet]# puppet cert list --all
+ "puppet"                (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet.localdomain"    (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "sh-web1.localdomain"   (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
- "sh-proxy2.localdomain" (SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39 (certificate revoked)
 --clean removes sh-proxy2.localdomain's certificate.
[[email protected] puppet]# puppet cert --clean sh-proxy2.localdomain
Notice: Revoked certificate with serial 5
Notice: Removing file Puppet::SSL::Certificate sh-proxy2.localdomain at '/var/lib/puppet/ssl/ca/signed/sh-proxy2.localdomain.pem'
Notice: Removing file Puppet::SSL::Certificate sh-proxy2.localdomain at '/var/lib/puppet/ssl/certs/sh-proxy2.localdomain.pem'
[[email protected] puppet]# puppet cert list --all
+ "puppet"              (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet.localdomain"  (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "sh-web1.localdomain" (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B


4. After the cleanup the master needs to be restarted.

[[email protected] puppet]# /etc/init.d/puppetmaster reload
Stopping puppetmaster:                                     [  OK  ]
Starting puppetmaster:                                     [  OK  ]
[[email protected] puppet]# puppet cert list --all
+ "puppet"              (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet.localdomain"  (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "sh-web1.localdomain" (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B


5. Delete the certificate files on sh-proxy2:

[[email protected] puppet]# find ./ -type f -name "sh-proxy2.localdomain*" -exec mv {} /tmp/ \;
[[email protected] puppet]# find ./ -type f -name "sh-proxy2.localdomain*" 
[[email protected] puppet]# ls /tmp/
sh-proxy2.localdomain.json  sh-proxy2.localdomain.pem  yum.log


6. Restart the puppet agent service; the certificate is regenerated automatically.

[[email protected] puppet]# /etc/init.d/puppet restart
Stopping puppet agent:                                     [  OK  ]
Starting puppet agent:                                     [  OK  ]
[[email protected] puppet]# find ./ -type f -name "sh-proxy2.localdomain*" 
./ssl/public_keys/sh-proxy2.localdomain.pem
./ssl/private_keys/sh-proxy2.localdomain.pem
./ssl/certificate_requests/sh-proxy2.localdomain.pem
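Steps 5 and 6 clear the old key material on the agent with `find ./ -type f -name "sh-proxy2.localdomain*" -exec mv {} /tmp/ \;`. That one-liner has two weaknesses worth noting: the public key, private key and certificate all share the basename sh-proxy2.localdomain.pem, so moving them into a single directory makes them overwrite each other (the `ls /tmp/` output above shows only one .pem surviving), and the private key ends up in the world-accessible /tmp. The script below is an added example, not part of the original post: it archives the same files while preserving the directory layout and puts them in an owner-only directory. The temporary tree, file names and contents in `demo_archive` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): archive an agent's SSL files for
# one host without the two problems of `find ... -exec mv {} /tmp/ \;`:
# identically named .pem files overwriting each other, and a private key
# landing in the world-readable /tmp.

# archive_agent_ssl SSLDIR HOST DEST
# Moves every regular file named HOST* below SSLDIR into DEST, keeping the
# relative path (public_keys/, private_keys/, certs/, ...). DEST is created
# owner-only (mode 0700) before anything is moved into it.
archive_agent_ssl() {
    ssldir=$1 host=$2 dest=$3
    case $dest in /*) ;; *) dest=$PWD/$dest ;; esac   # make absolute; we cd below
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    (
        cd "$ssldir" || exit 1
        find . -type f -name "${host}*" -exec sh -c '
            dest=$1; shift
            for f in "$@"; do
                mkdir -p "$dest/$(dirname "$f")" && mv "$f" "$dest/$f" || exit 1
            done' sh "$dest" {} +
    )
}

# count_files DIR PREFIX : number of regular files named PREFIX* below DIR
count_files() {
    find "$1" -type f -name "${2}*" | wc -l | tr -d ' '
}

# demo_archive: build a constructed agent ssl tree in a temporary directory,
# archive sh-proxy2.localdomain and report: files left behind, an unrelated
# host's file kept, files archived, archive dir mode 0700, private key intact.
demo_archive() {
    tmp=$(mktemp -d) || return 1
    host=sh-proxy2.localdomain
    for d in public_keys private_keys certs certificate_requests; do
        mkdir -p "$tmp/ssl/$d"
    done
    printf 'PUBLIC\n'  > "$tmp/ssl/public_keys/$host.pem"     # constructed content
    printf 'PRIVATE\n' > "$tmp/ssl/private_keys/$host.pem"    # constructed content
    printf 'CERT\n'    > "$tmp/ssl/certs/$host.pem"           # constructed content
    printf 'OTHER\n'   > "$tmp/ssl/certs/sh-web1.localdomain.pem"   # must stay put
    archive_agent_ssl "$tmp/ssl" "$host" "$tmp/archive" || return 1
    left=$(count_files "$tmp/ssl" "$host")
    kept=$(count_files "$tmp/ssl" sh-web1)
    archived=$(count_files "$tmp/archive" "$host")
    perm=$(find "$tmp/archive" -prune -perm 700 | wc -l | tr -d ' ')
    key=$(cat "$tmp/archive/private_keys/$host.pem")
    rm -rf "$tmp"
    echo "left=$left kept=$kept archived=$archived perm0700=$perm key=$key"
}

demo_archive
```

On a real agent the call would be `archive_agent_ssl /var/lib/puppet/ssl sh-proxy2.localdomain /root/ssl-archive` (the archive path is an assumption; any root-owned directory works). Archiving rather than deleting keeps the old key available if the decommissioning has to be rolled back, but because the old certificate is revoked on the master anyway, deleting the archive once the new certificate is signed is the safer end state.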


7. Check the certificates on the puppet master: ('+' marks a certificate that has been signed; a line without '+' is an unsigned request.)

[[email protected] puppet]# puppet cert list --all
  "sh-proxy2.localdomain" (SHA256) A6:80:BF:8F:07:0C:CB:F1:47:8C:B3:08:B8:A7:FB:A3:E8:E2:D3:7A:CE:3F:0C:E3:66:77:E8:06:18:36:82:0C
+ "puppet"                (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet.localdomain"    (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "sh-web1.localdomain"   (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B

8. Sign the certificate manually. (To save effort you can also run puppet cert sign --all to sign every pending request.)

[[email protected] puppet]# puppet cert sign sh-proxy2.localdomain
Notice: Signed certificate request for sh-proxy2.localdomain
Notice: Removing file Puppet::SSL::CertificateRequest sh-proxy2.localdomain at '/var/lib/puppet/ssl/ca/requests/sh-proxy2.localdomain.pem'
[[email protected] puppet]# puppet cert list --all
+ "puppet"                (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "puppet.localdomain"    (SHA256) BA:F6:11:67:10:1D:93:1D:43:8C:1D:42:C8:EB:8F:6A:F1:25:FE:38:35:CB:17:7A:6D:59:99:34:05:CF:E1:FC (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "sh-proxy2.localdomain" (SHA256) 6A:48:D0:4A:F3:4B:45:CE:D9:90:B1:FE:AA:91:6F:CB:06:50:17:BF:D1:D4:CE:1D:41:D2:9E:B5:24:AB:52:3A
+ "sh-web1.localdomain"   (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B

9. Test from the agent client:

[[email protected] ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for sh-proxy2.localdomain
Info: Applying configuration version '1504752428'
Notice: Finished catalog run in 0.01 seconds


Note: puppet cert list on its own shows only the agent certificate requests that are waiting to be signed on the master; with --all it shows both unsigned and signed agent certificates, and '+' distinguishes the two.
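The listing format used throughout the demonstration is regular enough to check in a script rather than by eye: a leading '+' means signed, a leading '-' means revoked or invalid, and a line with no prefix is a pending request. The script below is an added example, not code from the post or from Puppet itself. It parses that output and adds the check a practitioner wants before step 8: only sign a pending request whose fingerprint matches the value read on the agent itself (on Puppet 3.x agents `puppet agent --fingerprint` prints it), so that a request is signed only after being confirmed out of band. `SAMPLE_LIST` is a constructed listing in the same format; the "old-node.localdomain" entry and its revoked state are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original post): parse `puppet cert list --all`
# output. "+" lines are signed, "-" lines are revoked/invalid, unprefixed
# lines are pending requests. SAMPLE_LIST is a constructed listing.

SAMPLE_LIST='  "sh-proxy2.localdomain" (SHA256) A6:80:BF:8F:07:0C:CB:F1:47:8C:B3:08:B8:A7:FB:A3:E8:E2:D3:7A:CE:3F:0C:E3:66:77:E8:06:18:36:82:0C
+ "puppet"                (SHA256) FF:75:FE:B7:8E:E5:46:4A:4A:AB:2F:8D:C4:B0:C6:43:95:47:74:0C:3E:3F:38:1E:1B:88:4C:45:66:23:78:3E (alt names: "DNS:puppet", "DNS:puppet.localdomain")
+ "sh-web1.localdomain"   (SHA256) B9:31:9C:62:94:70:4A:DD:E3:35:0F:3F:14:BB:7A:C7:AE:BE:F9:24:BC:C9:92:ED:DB:1F:8C:95:65:09:97:5B
- "old-node.localdomain"  (SHA256) 75:85:8E:AB:74:8A:D6:8E:0B:3A:87:33:2B:BA:60:D2:81:0A:23:5F:73:A4:90:AC:8B:34:DC:A4:F3:00:41:39 (certificate revoked)'

# cert_state HOST : reads a listing on stdin, prints signed|revoked|pending|absent.
# awk's default field splitting drops the leading spaces of pending lines, so
# the quoted hostname is $1 there and $2 on "+"/"-" lines.
cert_state() {
    awk -v host="\"$1\"" '
        $1 == "+" && $2 == host { print "signed";  found = 1; exit }
        $1 == "-" && $2 == host { print "revoked"; found = 1; exit }
        $1 == host              { print "pending"; found = 1; exit }
        END { if (!found) print "absent" }'
}

# cert_fingerprint HOST : reads a listing on stdin, prints HOST's fingerprint
# column (nothing if HOST is not listed).
cert_fingerprint() {
    awk -v host="\"$1\"" '
        ($1 == "+" || $1 == "-") && $2 == host { print $4; exit }
        $1 == host                              { print $3; exit }'
}

# pending_hosts : reads a listing on stdin, prints the hosts still waiting for
# `puppet cert sign`, one per line, with the quotes stripped.
pending_hosts() {
    awk 'NF && $1 != "+" && $1 != "-" { gsub(/"/, "", $1); print $1 }'
}

# csr_matches HOST EXPECTED : reads a listing on stdin and succeeds only if
# HOST has a *pending* request whose fingerprint equals EXPECTED, the value
# read on the agent itself. An already signed or revoked entry never matches.
csr_matches() {
    listing=$(cat)
    state=$(printf '%s\n' "$listing" | cert_state "$1")
    actual=$(printf '%s\n' "$listing" | cert_fingerprint "$1")
    [ "$state" = pending ] && [ "$actual" = "$2" ]
}

# Usage on the sample; on a master replace the printf with `puppet cert list --all`.
printf '%s\n' "$SAMPLE_LIST" | pending_hosts
printf '%s\n' "$SAMPLE_LIST" | cert_state sh-web1.localdomain
```

The `revoked` state matters for the cleanup in step 3: a host that still shows with a '-' prefix after `puppet cert --revoke` has not been cleaned yet, and the help text above says the master must be restarted once certificates have been revoked, which is exactly what step 4 does.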



This article is from the "螞蟻" blog; please keep this attribution: http://215687833.blog.51cto.com/6724358/1963453
