官术网_书友最值得收藏!

Renewing an agent's certificate

Sometimes, it is necessary during an agent machine's life cycle to regenerate its certificate and related data. The reasons for this can include data loss, human error, or certificate expiration, among others. The regeneration is achieved through the following steps:

  1. Performing the regeneration is quite simple: all relevant files are kept at /etc/puppetlabs/puppet/ssl (for Puppet 3.x, this is /var/lib/puppet/ssl) on the agent machine.
  2. Once these files are removed (or rather, the whole ssl/ directory tree), Puppet will renew everything on the next agent run. Of course, a new certificate must be signed. This requires some preparation; just initiating the request from the agent will fail:
root@agent# puppet agent –test
Info: Creating a new SSL key for agent
Info: Caching certificate for ca
Info: Caching certificate for agent.example.net
Error: Could not request certificate: The certificate retrievedfrom the master does not match the agent's private key.
Certificate fingerprint: 6A:9F:12:C8:75:C0:B6:10:45:ED:C3:97:24:CC:98:F2:B6:1A:B5: 4C:E3:98:96:4F:DA:CD:5B:59:E0:7F:F5:E6

The master still has the old certificate cached. This is a simple protection against the impersonation of your agents by unauthorized entities.

  1. To fix this, remove the certificate from both the master and the agent and then start a Puppet run, which will automatically regenerate a certificate:
    • On the master, use the following:
         puppet cert clean agent.example.net
    • On the agent, use the following:
    • On most platforms, use the following:
find /etc/puppetlabs/puppet/ssl -name agent.example.net.pem –delete
    • On Windows, use the following:
del "/etc/puppetlabs/puppet/ssl/agent.example.net.pem" /f
puppet agent –t
Exiting; failed to retrieve certificate and waitforcert is disabled
  1. Once you perform the cleanup operation on the master, as advised in the preceding output, and remove the indicated file from the agent machine, the agent will be able to successfully place its new CSR:
root@puppetmaster# puppet cert clean agent
Notice: Revoked certificate with serial 18
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/ puppet/ssl/ca/signed/agent.pem'
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/ puppet/ssl/certs/agent.pem'

The rest of the process is identical to the original certificate creation. The agent uploads its CSR to the master, where the certificate is created through the puppet cert sign command.

主站蜘蛛池模板: 平凉市| 上蔡县| 梁山县| 鹰潭市| 台南市| 兴业县| 雷山县| 东港市| 江安县| 河北区| 巴彦县| 淮滨县| 赤壁市| 沅江市| 綦江县| 马关县| 陆良县| 重庆市| 台中县| 庆阳市| 双桥区| 新乡县| 闽清县| 双鸭山市| 双城市| 玛多县| 盐池县| 房产| 应用必备| 宣威市| 枞阳县| 阿合奇县| 康马县| 潢川县| 达尔| 博爱县| 龙泉市| 象山县| 尉犁县| 德州市| 玛纳斯县|