- Puppet 5 Essentials(Third Edition)
- Martin Alfke Felix Frank
- 342字
- 2021-07-02 18:22:26
Renewing an agent's certificate
Sometimes, it is necessary during an agent machine's life cycle to regenerate its certificate and related data. The reasons for this can include data loss, human error, or certificate expiration, among others. The regeneration is achieved through the following steps:
- Performing the regeneration is quite simple: all relevant files are kept at /etc/puppetlabs/puppet/ssl (for Puppet 3.x, this is /var/lib/puppet/ssl) on the agent machine.
- Once these files are removed (or rather, the whole ssl/ directory tree), Puppet will renew everything on the next agent run. Of course, a new certificate must be signed. This requires some preparation; just initiating the request from the agent will fail:
root@agent# puppet agent –test
Info: Creating a new SSL key for agent
Info: Caching certificate for ca
Info: Caching certificate for agent.example.net
Error: Could not request certificate: The certificate retrievedfrom the master does not match the agent's private key.
Certificate fingerprint: 6A:9F:12:C8:75:C0:B6:10:45:ED:C3:97:24:CC:98:F2:B6:1A:B5: 4C:E3:98:96:4F:DA:CD:5B:59:E0:7F:F5:E6
The master still has the old certificate cached. This is a simple protection against the impersonation of your agents by unauthorized entities.
- To fix this, remove the certificate from both the master and the agent and then start a Puppet run, which will automatically regenerate a certificate:
- On the master, use the following:
puppet cert clean agent.example.net
-
- On the agent, use the following:
- On most platforms, use the following:
find /etc/puppetlabs/puppet/ssl -name agent.example.net.pem –delete
-
- On Windows, use the following:
del "/etc/puppetlabs/puppet/ssl/agent.example.net.pem" /f
puppet agent –t
Exiting; failed to retrieve certificate and waitforcert is disabled
- Once you perform the cleanup operation on the master, as advised in the preceding output, and remove the indicated file from the agent machine, the agent will be able to successfully place its new CSR:
root@puppetmaster# puppet cert clean agent
Notice: Revoked certificate with serial 18
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/ puppet/ssl/ca/signed/agent.pem'
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/ puppet/ssl/certs/agent.pem'
The rest of the process is identical to the original certificate creation. The agent uploads its CSR to the master, where the certificate is created through the puppet cert sign command.
推薦閱讀
- Advanced Splunk
- Design Principles for Process:driven Architectures Using Oracle BPM and SOA Suite 12c
- LabVIEW 2018 虛擬儀器程序設(shè)計(jì)
- Beginning C++ Game Programming
- Spring技術(shù)內(nèi)幕:深入解析Spring架構(gòu)與設(shè)計(jì)
- 三維圖形化C++趣味編程
- Python Tools for Visual Studio
- PHP+MySQL網(wǎng)站開(kāi)發(fā)項(xiàng)目式教程
- C#實(shí)踐教程(第2版)
- 蘋(píng)果的產(chǎn)品設(shè)計(jì)之道:創(chuàng)建優(yōu)秀產(chǎn)品、服務(wù)和用戶體驗(yàn)的七個(gè)原則
- Android Wear Projects
- Python從入門(mén)到精通
- Raspberry Pi Robotic Blueprints
- MySQL程序員面試筆試寶典
- Clojure for Java Developers